My login.php is given below. It is not able to take me to welcome.php, nor does it give a login error. It simply gives a 500 error page.

```php
<?php
include("db.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{
    // username and password sent from Form
    $username=mysqli_real_escape_string($db,$_POST['username']);
    $password=mysqli_real_escape_string($db,$_POST['password']);
    $password=md5($password); // Encrypted Password
    $sql="SELECT id FROM admin WHERE username='$username' and passcode='$password'";
    $result=mysqli_query($db,$sql);
    $count=mysqli_num_rows($db,$result);

    // If result matched $username and $password, table row must be 1 row
    if($count==1)
    {
        header("location: welcome.php");
    }
    else
    {
        $error="Your Login Name or Password is invalid";
    }
}
?>
  <div class="wrapper">
    <form class="form-signin" action="login.php" method="post">
      <h2 class="form-signin-heading">Please login</h2>
      <input type="text" class="form-control" name="username" placeholder="User Name" required="" autofocus="" />
</br>
      <input type="password" class="form-control" name="password" placeholder="Password" required=""/>
      <label class="checkbox">
        <input type="checkbox" value="remember-me" id="rememberMe" name="rememberMe"> Remember me
      </label>
      <button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
    </form>
  </div>
```

It gives a 500 error after I submit the username and password, and it is not able to take me to welcome.php.

user2816085
  • FYI, MD5 is *not* encrypting the password. It's hashing it. Also, it's obsolete and not what you should be doing to store that password safely. You are also wide open to SQL injections. And you should turn on error reporting to see what PHP is reporting the error as. – John Conde Jul 17 '16 at 18:35
  • How to show errors: http://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display – rjdown Jul 17 '16 at 18:43
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 18 '16 at 13:48
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jul 18 '16 at 13:49
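
The changes the comments above call for (a prepared statement, `password_verify()` on the unescaped password, visible errors while debugging), combined in one login.php. This is an added example, not code from the question or its commenters; it assumes `db.php` provides `$db` as in the question and that `passcode` has been re-populated with `password_hash()` output, and the `admin_id` session key is a name chosen here.

```php
<?php
// Added example, not the asker's code. Assumptions: db.php defines $db (a
// mysqli connection) as in the question, and admin.passcode now holds
// password_hash($plain, PASSWORD_DEFAULT) output (VARCHAR(255)), not MD5.
error_reporting(E_ALL);                  // development only: surface the cause of a 500
ini_set('display_errors', '1');          // in production, log errors instead of displaying
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw exceptions
include("db.php");
session_start();

// Returns the admin id for valid credentials, null otherwise.
function authenticate(mysqli $db, string $username, string $password): ?int
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, passcode FROM admin WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();             // true = row, null = no such user
    $stmt->close();

    // The raw password is verified as typed: no escaping, no manual hashing.
    if ($found !== true || !is_string($hash) || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $id;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    $id = (is_string($u) && is_string($p)) ? authenticate($db, $u, $p) : null;
    if ($id !== null) {
        session_regenerate_id(true);     // fresh session id after login
        $_SESSION['admin_id'] = $id;
        header('Location: welcome.php'); // sent before any HTML output
        exit;                            // stop here so the form is not rendered
    }
    $error = 'Your Login Name or Password is invalid';
}
?>
<form action="login.php" method="post">
  <input type="text" name="username" required>
  <input type="password" name="password" required>
  <button type="submit">Login</button>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
</form>
```

welcome.php then needs to call `session_start()` and check `$_SESSION['admin_id']` before rendering, since the redirect alone does not protect that page.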

1 Answer

If you are using header(Location: something.php), you should load it as the first output in PHP, or else it will not work.

session_start() will change the HTTP Header.

Instead, try the one below:

```php
echo "<script>window.location.href='welcome.php';</script>";
```
Kalaivanan