I have my HTML form's action attribute set to auth/login.php, which does exist. What it does is basically check if the fields are empty. If not, it checks against the SQL database for a username that was inputted into the field, finds the row, and verifies the password hash to make sure that it's the right password. It then redirects to home.php, but since it is in a different folder, must be ../home.php.
Expected: Redirects to home.php
Reality: Upon form submission, does nothing but check if the fields are empty.
Any help is appreciated, here is the code:
<?php
# Authenticator
include("../server/conn.php");
$required = array('username', 'password');
if(isset($_POST['submit'])){
$error = false;
foreach($required as $field) {
if (empty($_POST[$field])) {
$error = true;
}
}
if ($error) {
header("Location: ../login.php");
} else {
$getuserpassword = $conn->prepare('SELECT * FROM users WHERE username = ?');
$getuserpassword->bind_param("s", $_POST['username']);
$getuserpassword->execute();
$getres1 = $getuserpassword->get_result();
if ($getres1->num_rows > 0) {
while ($row = $getres1->fetch_assoc()) {
$db_password = $row['password'];
if (password_verify($_POST['password'], $db_password)) {
$_SESSION['loggedin'] = true;
$_SESSION['username'] = $_POST['username'];
$_SESSION['userid'] = $row['id'];
header("Location: ../home.php");
} else {
header("Location: ../login.php");
}
}
}
}
}
?>
CodePudding user response:
TL;DR; Add this code below header function call:
exit('<meta httpd-equiv="Refresh" content="0;url=../login.php"/>');
Description
Sometimes, there are some outputs those are already sent to client's browser and because of that, you cannot modify response headers anymore and you will receive a warning that says Cannot modify headers. Headers already sent. which may be invisible due to server display_errors and error_reporting configuration in php.ini.
This is generally a bug in server configuration but sometimes, it may be a problem in your script files. For example, if you have saved your files with Windows Notepad, it will add BOM (Byte Order Marks) to the beginning of your UTF-8 files. So you have better to use some other good text editors or IDE's (e.g. Notepad , phpStorm, VSCode, etc.)
However, there are several workarounds for this problem:
- You can enable output buffering on your server (php.ini):
output_buffering = onoroutput_buffering = 16384 - You can surround your code with
ob_startandob_end_flush:
ob_start();
// your code goes here
ob_end_flush();
- In case you have used
headerjust to redirect user to another page, add anexitcall with ametarefresh tag and add delay and URL of target page:exit('<meta httpd-equiv="Refresh" content="0;url=../login.php"/>');
This way, if for any reason,headerfunction cannot be executed, then your script will be stopped byexitcall and then,metatag which is sent to the browser will redirect user to your intended URL.
CodePudding user response:
you should add session_start() at the top when you are going to use the session.
<?php
# Authenticator
session_start();
include("../server/conn.php");
$required = array('username', 'password');
if(isset($_POST['submit'])){
$error = false;
foreach($required as $field) {
if (empty($_POST[$field])) {
$error = true;
}
}
if ($error) {
header("Location: ../login.php");
exit();
} else {
$userName = $_POST['username'];
$userNameSelectQuery = "SELECT * FROM users where username='$userName'";
$queryExecute = $conn->query($userNameSelectQuery );
if($queryExecute){
if(mysqli_num_rows($queryExecute)>0){
foreach($queryExecute as $key=>$value){
$db_password = $value['password'];
if (password_verify($_POST['password'], $db_password)) {
$_SESSION['loggedin'] = true;
$_SESSION['username'] = $_POST['username'];
$_SESSION['userid'] = $row['id'];
header("Location: ../home.php");
exit();
} else {
header("Location: ../login.php");
exit();
}
}
}
}
}
}
?>