-3

I am working on a PHP task. I have two pages. One is for login, and after a successful login the user will be redirected to the next page. But if someone enters the URL of page 2 in the URL bar without going through the login page, they can get there. I want to restrict this, but have no idea how... Here's the code of my login page.

<html>
<body>
<div id="content">
<h3>Login to AdminUpdate</h3>
<form id="login" action="" method="post">
<p>
<label for="UserID">UserID:</label>
<input type="text" name="Name" id="UserID"/>
</p>
<p>
<label for="PIN">PIN:</label>
<input type="password" name="password" id="PIN" />
</p>

<p>
<input type="submit" name="btnSend" value="Login" class="submit_button" />
</p>
</form>

<div id="wrap">
<!-- start PHP code -->
<?php

$conn = mysqli_connect("localhost", "root", "", "tnz");
if($conn === false){
  die("ERROR: Could not connect. " . mysqli_connect_error());
}

if(!empty($_POST['Name']) && (!empty($_POST['password']))){
  $UserName = $_POST['Name'];
  $PIN = $_POST['password'];

  // Query text is built by concatenating raw POST input (see the comments below).
  $search = mysqli_query($conn,"SELECT * FROM login WHERE Name='".$UserName."' AND password='".$PIN."'") or die(mysqli_error($conn));
  $match  = mysqli_num_rows($search);

  if($match > 0){
    header('Location: AdminUpdates.php');
    exit;
  }else{
    echo 'LogIn  Failed';
    header('Location: AdminCheck.php');
    exit;
  }
}

?>

</div>
</div>
</body>
</html>
Shadow
jhon_123
  • On login, save user data in session. On page 2, check for that session data. If not present, error/die/404. – Mitya Sep 19 '20 at 13:52
  • Does this answer your question? [How to fix "Headers already sent" error in PHP](https://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php) – Alon Eitan Sep 19 '20 at 13:53
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 20 '20 at 00:35
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Sep 20 '20 at 00:35

1 Answer

-2

Start by reading more about this topic: Sessions

This little sample of code may help as well.

On the login page try this:

<?php
// Must run before any HTML output, otherwise header() cannot send the redirect.
session_start();

$conn = mysqli_connect("localhost", "root", "", "tnz");
if($conn === false){
  die("ERROR: Could not connect. " . mysqli_connect_error());
}

if(!empty($_POST['Name']) && (!empty($_POST['password']))){
  $UserName = $_POST['Name'];
  $PIN = $_POST['password'];

  // Query text is still built from raw POST input (see the comments on this answer).
  $search = mysqli_query($conn,"SELECT * FROM login WHERE Name='".$UserName."' AND password='".$PIN."'") or die(mysqli_error($conn));
  $match  = mysqli_num_rows($search);

  if($match > 0){
    $_SESSION['loggedin'] = true;
    header('Location: AdminUpdates.php');
    exit;
  }
  else{
    // Do not echo before header(): any output prevents the redirect ("headers already sent").
    header('Location: AdminCheck.php');
    exit;
  }
}

?>

Then, on page two, add the following code at the top of the script:

<?php
// First thing in the file, before any HTML: the redirect needs unsent headers.
session_start();
if(empty($_SESSION['loggedin'])){
  //redirect to login page
  header('Location: AdminCheck.php');
  die;
}
  • I have replaced the code with yours, but still when I write AdminUpdates in the URL it gets me there, and the redirect to AdminCheck is not working. – jhon_123 Sep 19 '20 at 15:17
  • 1 – This code has a SQL injection vulnerability, and encourages the storage of passwords in plain text, both of which are fundamental security problems. Login systems are pretty hard to get right, unfortunately! (I appreciate this is the OP's code, but it is worth at least pointing these things out when you see them). – halfer Sep 19 '20 at 16:38
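An added example, not from the question, the answer or any commenter, that combines the answer's session guard with the prepared statements and `password_hash()`/`password_verify()` the comments recommend. It assumes the same `login` table with `Name` and `password` columns (where `password` now holds `password_hash()` output rather than the plain PIN), the same page names, and a mysqlnd-backed MySQLi build for `get_result()`.

```php
<?php
// Guard for AdminUpdates.php and any other protected page. It must be the first
// thing in the file, before any HTML, so header() can still send the redirect.
function requireLogin(string $loginPage = 'AdminCheck.php'): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['loggedin']) || empty($_SESSION['user'])) {
        header('Location: ' . $loginPage);
        exit; // never fall through to the protected page's HTML
    }
}

// Login check for AdminCheck.php. The user name is bound as a parameter, so it
// never becomes part of the SQL text; the PIN is compared against a stored
// password_hash() value and is never sent to the database at all.
function authenticate(mysqli $conn, string $name, string $pin): bool
{
    $stmt = $conn->prepare('SELECT password FROM login WHERE Name = ? LIMIT 1');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Unknown user and wrong PIN take the same path and produce the same message.
    return $row !== null && password_verify($pin, $row['password']);
}

// Usage in AdminCheck.php, before any HTML is echoed. To create an account,
// store password_hash($pin, PASSWORD_DEFAULT) in the `password` column.
session_start();
$conn = mysqli_connect('localhost', 'root', '', 'tnz');
if ($conn === false) {
    die('ERROR: Could not connect. ' . mysqli_connect_error());
}
$error = '';
if (isset($_POST['Name'], $_POST['password'])) {
    if (authenticate($conn, $_POST['Name'], $_POST['password'])) {
        session_regenerate_id(true);     // fresh session id once authenticated
        $_SESSION['loggedin'] = true;
        $_SESSION['user'] = $_POST['Name'];
        header('Location: AdminUpdates.php');
        exit;
    }
    $error = 'LogIn Failed';             // render this in the HTML form below
}
```

Typing `AdminUpdates.php` into the address bar without a session now lands on the login page, because `requireLogin()` runs before the page emits anything and stops with `exit`.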