
Beginner here wondering what I did wrong. After going to profile.php and getting redirected to login.php, and then logging in, the user is always redirected to the BASE URL. I want the user to be redirected to profile.php.

profile.php

if (!isset($_SESSION['id'])) {
    // Remember where the user was headed so login.php can send them back
    $_SESSION['redirect'] = $_SERVER['REQUEST_URI'];
    $url = BASE_URL . 'login.php';
    ob_end_clean();
    header("Location: $url");
    exit();

} else {
    echo 'Logged in';
}

login.php

// $username and $password are interpolated straight into the SQL text (see the comments below)
$q = "SELECT * FROM users WHERE (username='$username' AND password=SHA1('$password'))";
$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br>MySQL Error: " . mysqli_error($dbc));

if (@mysqli_num_rows($r) == 1) {
    // Replaces the entire session array with the fetched row
    $_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);
    mysqli_free_result($r);
    mysqli_close($dbc);

    $url = BASE_URL . $_SESSION['redirect'];
    ob_end_clean();
    header("Location: $url");
    exit();
} else {
    echo 'Message';
}

Also tried using a $_GET variable, but the same issue occurs. Very confused about what is wrong.

Qwerty
  • Your `$url` (used in `header()`) is set to `BASE_URL . $_SESSION['redirect']`. If you're trying to redirect them to `profile.php`, shouldn't it be set to `profile.php`? – Obsidian Age Oct 10 '17 at 20:37
  • @Obsidian Age I want the login form to work for multiple pages of redirect not just the profile.php page. So if I had another page where login was needed, it would redirect to said page rather than profile.php – Qwerty Oct 10 '17 at 20:39
  • What if [Little Bobby](http://bobby-tables.com/)'s password is `pwn')) OR 1=1; --` in which case [your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jeff Puckett Oct 10 '17 at 20:51
  • @Jeff I have a password restriction that only allows certain special characters, which isn't shown here. Not sure how secure my script is, but thanks for the reminder. – Qwerty Oct 10 '17 at 20:56

1 Answer

$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC);

was destroying previous stored session variables.

Qwerty
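The answer identifies the cause: assigning a whole row to `$_SESSION` replaces the session array, so the `redirect` key set by profile.php is gone by the time login.php reads it, and `BASE_URL . null` sends the user to the base URL. The following is an added example, not code from the original post, showing a login handler that writes individual session keys instead, plus the checks a practitioner would add around the same flow: a prepared statement instead of string-built SQL (the injection the comment above describes), `password_verify()` instead of a bare `SHA1()` comparison, `session_regenerate_id()` at login to defeat session fixation, and validation of the stored redirect target so that it can only ever point back into the same site. The function names `safe_redirect_target` and `login_user`, the `password_hash` column, an already-open `$dbc` mysqli connection, a defined `BASE_URL`, and the mysqlnd driver (for `get_result()`) are all assumptions of this example rather than details from the question.

```php
<?php
// Added example (not from the original post). Assumptions, not taken from the
// question: $dbc is an open mysqli connection, BASE_URL is defined and ends with
// "/", session_start() has been called, the users table has `id`, `username` and
// a `password_hash` column written with password_hash() (the original uses
// SHA1()), and the mysqlnd driver is available so get_result() exists.

declare(strict_types=1);

/**
 * Turn the value saved by profile.php into a path that is safe to append to
 * BASE_URL. Only a same-site path is accepted; anything that could resolve to
 * another host (a scheme, "//host", "/\host") falls back to $default.
 */
function safe_redirect_target(?string $stored, string $default = 'profile.php'): string
{
    if ($stored === null || $stored === '') {
        return $default;
    }
    // A scheme or authority component means it is not a local path.
    $parts = parse_url($stored);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    // Protocol-relative ("//host") and backslash variants ("/\host") that some
    // browsers normalise to another origin, and CR/LF that must never reach header().
    if (preg_match('#^[/\\\\]{2}#', $stored) || preg_match('/[\r\n]/', $stored)) {
        return $default;
    }
    // REQUEST_URI starts with "/" and BASE_URL already ends with one: drop it.
    return ltrim($stored, '/');
}

/**
 * Authenticate and populate the session without discarding existing keys.
 * Returns true on success, false on unknown user or wrong password.
 */
function login_user(mysqli $dbc, string $username, string $password): bool
{
    // Prepared statement: the user's input is bound as data, never spliced into SQL.
    $stmt = $dbc->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Fresh session ID on privilege change so a pre-set ID cannot be reused.
    session_regenerate_id(true);

    // Assign per key. "$_SESSION = $row;" would throw away $_SESSION['redirect']
    // and would also park the password hash in the session store.
    $_SESSION['id']       = $row['id'];
    $_SESSION['username'] = $row['username'];
    return true;
}

// Usage inside login.php once the form has been submitted (hypothetical wiring):
if (isset($_POST['username'], $_POST['password'])
    && login_user($dbc, $_POST['username'], $_POST['password'])) {
    $target = safe_redirect_target($_SESSION['redirect'] ?? null);
    unset($_SESSION['redirect']);   // one-shot: do not keep redirecting later logins
    ob_end_clean();
    header('Location: ' . BASE_URL . $target);
    exit();
}
```

With this wiring, `/profile.php` saved by profile.php becomes `profile.php` and the user lands on `BASE_URL . 'profile.php'`, while a stored value such as `//evil.example/` or `https://evil.example/` is replaced by the default, so the login page cannot be used as an open redirect even if some other code later lets a client influence `$_SESSION['redirect']`.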