redirecting back to login page after the login button is clicked in PHP

Question

I have a login page for admin panel in PHP. After authenticating username and password I should be redirected to index.php page, but it is not working, the URL changes for a sec to index.php and then again it redirects back to login.php

There is no issue with the username and password, it was working perfectly on my local host, and now it is not working on my web host

here is my login.php code

<?php
/////////////////////////////////////////
//    Powered By : WindForce Studios   // 
/////////////////////////////////////////
@session_start();

include('../config.php');
include('../secureFunction.php');
$MSG = '' ;

if(@$_GET["check"]){
$checkmail = mysql_query("SELECT * FROM admins WHERE username='".make_safe($_POST["username"])."' AND password='".make_safe($_POST["password"])."'");

$getInfo = mysql_fetch_array($checkmail);
$getNumAccount = mysql_num_rows($checkmail);

if($getNumAccount > 0 ){

 $_SESSION["loginGASADMIN"] = $_POST["username"];
 echo "<meta http-equiv=\"refresh\" content=\"0;url=index.php\"></p>";
}else{
$MSG = 'Wrong username or password' ;
 include('style/loginform.html');

}
}else{
 include('style/loginform.html');

}






?>

code for index.php is here

<?php
/////////////////////////////////////////
//    Powered By : WindForce Studios   // 
/////////////////////////////////////////
@session_start();

include('../config.php');
include('../secureFunction.php');


if(@$_SESSION["loginGASADMIN"]){
 if(@$_GET["banned"]){
  $getuser = mysql_query("SELECT * from users where id='".$_GET["banned"]."'");
  $fetchUSER = mysql_fetch_array($getuser);
  $getAllusersinDevice = mysql_query("SELECT * FROM USERS WHERE macAddresses='".make_safe($fetchUSER["macAddresses"])."'");
  while($bannedUser = mysql_fetch_array($getAllusersinDevice)){
  $banUser = mysql_query("UPDATE users SET banned=1 WHERE id='".make_safe($bannedUser["id"])."'");
  }
   
 echo "<meta http-equiv=\"refresh\" content=\"0;url=index.php\"></p>";

  
 }else if(@$_GET["unbanned"]){
    $getuser = mysql_query("SELECT * from users where id='".$_GET["unbanned"]."'");
  $fetchUSER = mysql_fetch_array($getuser);
  $getAllusersinDevice = mysql_query("SELECT * FROM USERS WHERE macAddresses='".make_safe($fetchUSER["macAddresses"])."'");
    while($unbannedUser = mysql_fetch_array($getAllusersinDevice)){

  $unbanUser = mysql_query("UPDATE users SET banned=0 WHERE id='".make_safe($unbannedUser["id"])."'");
  }
   
 echo "<meta http-equiv=\"refresh\" content=\"0;url=index.php\"></p>";

  
 
 
 
 }elseif(@$_GET["BannedFromIP"]){
    $getuser = mysql_query("SELECT * from users where id='".$_GET["BannedFromIP"]."'");
  $fetchUSER = mysql_fetch_array($getuser);
  $getAllusersinDevice = mysql_query("SELECT * FROM USERS WHERE ip='".make_safe($fetchUSER["ip"])."'");
  while($bannedUser = mysql_fetch_array($getAllusersinDevice)){
  $banUser = mysql_query("UPDATE users SET banned=1 WHERE id='".make_safe($bannedUser["id"])."'");
  }
   
 echo "<meta http-equiv=\"refresh\" content=\"0;url=index.php\"></p>";
  
  
 }else if(@$_GET["unBannedFromIP"]){
    $getuser = mysql_query("SELECT * from users where id='".$_GET["unBannedFromIP"]."'");
  $fetchUSER = mysql_fetch_array($getuser);
  $getAllusersinDevice = mysql_query("SELECT * FROM USERS WHERE ip='".make_safe($fetchUSER["ip"])."'");
    while($unbannedUser = mysql_fetch_array($getAllusersinDevice)){

  $unbanUser = mysql_query("UPDATE users SET banned=0 WHERE id='".make_safe($unbannedUser["id"])."'");
  }
   
 echo "<meta http-equiv=\"refresh\" content=\"0;url=index.php\"></p>";

  
 
 
 
 }
 
 elseif(@$_GET["delete"]){
  $DeleteUser = mysql_query("DELETE from users WHERE id='".make_safe($_GET["delete"])."'");
  if($DeleteUser){
    echo "<meta http-equiv=\"refresh\" content=\"0;url=index.php\"></p>";

   
  }
  
 }elseif(@$_GET['logout']){
unset($_SESSION['loginGASADMIN']);

if(!isset($_SESSION['loginGASADMIN'])){
 echo "<meta http-equiv=\"refresh\" content=\"0;url=index.php\"></p>";  
}
}
 
 else{
 $getRecords = mysql_query("SELECT * FROM users WHERE id");
  include('style/main.html');
}

}else{
 echo "<meta http-equiv=\"refresh\" content=\"0;url=login.php\"></p>";

}






?>

Thanks!

***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, Aug 21 '17 at 14:30
**Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Aug 21 '17 at 14:30
the `mysql_` DB library is obsolete, deprecated many years ago due to security issues, and removed entirely in PHP7. You absolutely should **not** be using this library in new code. Use mysqli or PDO, and use prepared statements and parameterised queries to protect your application from SQL Injection attacks, which it's currently entirely vulnerable to. — ADyson, Aug 21 '17 at 14:30
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Aug 21 '17 at 14:31
and...`echo "";` Yuk. Why not just set a redirect header? The index.php code is almost entirely repeated within the two if blocks, apart from a couple of small variables. You could condense it into half the amount of code by just setting those particular variables before running the query. Also it's not clear why there are more meta refresh tags in index.php which also points to index php, surely that will create a potentially infinite refresh loop. — ADyson, Aug 21 '17 at 14:32
Also there's a potential security hole. Seems simple enough for a user to unban themselves by visiting the index.php page and setting a "unbanned" variable in the query string. This should be a process controlled by the site admin — ADyson, Aug 21 '17 at 14:38
As far as the session issue goes, I think `if(@$_SESSION["loginGASADMIN"]){` should be `if(isset($_SESSION["loginGASADMIN"])){`. Putting an @ there will just suppress any problems that occur reading the variable. — ADyson, Aug 21 '17 at 14:39

redirecting back to login page after the login button is clicked in PHP

0 Answers0