Not Going to Header?

I have a login page, and when they click login, it goes to verify login, which is below:


<?php
include('loginConfig.php');
// making the usernames from the form a variable
$username = $_POST['username'];
$password = $_POST['password'];
$password = md5($password);

// To not get injected....
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

//SQL!
$sql = "SELECT * FROM `members` WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);

if($Success == 1){
	session_start();
	$_SESSION['loggedin'] = 'true';
	$_SESSION['username'] = '$username';
	header("Location: ../member.php");
	include('../include/blank.php'); 
}
//Incorrect Loggin !
else {
	Global $Title; $Title = "Failed Loggin";

	Global $Content; $Content="Incorrect Username or Password.  Please check your credentials, and try again later.";
	include('../include/blank.php'); 
}

?>  

In my database connect file, if Success=1, it establishes the link ID. So, in my code, if Success=1, it should set the sessions, and the usernames, and then redirect to …/member.php. However, it's not. Can you look at it and see if you can figure it out?


<?php

$host = "localhost"; // host, usually localhost
$username = "***"; // database username
$password = "*******"; // database password
$default_dbname = "*****";


	function db_connect() {
		global $Success ;
				$Success = 0;
		global $dbhost, $dbuser, $dbpassword;

		
		$link_id = mysql_connect($host, $username, $password);
		if(!$link_id) {print("<p id='error'>Connection failed to the host $dbhost.</p>");"";
		}
		else $Success = 1;
		return $link_id;
		
	}
mysql_query($con);
$con = mysql_connect("$host", "$username", "$password") or die("cannot connect to MySQL"); // connecting to MySQL

if($con) {
echo 'it works';
} else {
echo 'wtf?!';
}

mysql_select_db("$default_dbname") or die ("cannot select database, please check your mysql settings"); // selecting the MySQL database

?>  

I tested my connection, and I know I am connected…

Just out of curiosity, what do you think should happen once you redirect someone’s browser and after the person is redirected, in the previous page you attempt to include something?

To cut the story short: header('Location:') redirects people to the specified URL. You specified some odd path; either specify a fully valid URL or at least an absolute path (http://localhost/member.php or /member.php).

Your session won’t store the value of variable $username, it will store exactly what you typed within single quotes - $username, which most likely isn’t what you want.

And in the end, after the header('Location') fails (I assume it fails, you are probably getting some sort of a message which you didn't post) - you attempt to include a file.

Test your SQL, and after you're done testing - maybe you should also consider dropping all those "global" keywords; not only is it bad practice - it's extremely hard to debug having global variables all over the place.

the portion

if($Success == 1){
    session_start();
    $_SESSION['loggedin'] = 'true';
    $_SESSION['username'] = '$username';
    header("Location: ../member.php");
    include('../include/blank.php'); 
}

will NEVER be executed because you merely define the function db_connect() and are not calling it anywhere.

and if it is called, anyone who clicked the login link will go to the member area.

to solve it, discard the function definition db_connect() and instead simply

$sql = "SELECT * FROM `members` WHERE username = '$username' and password = '$password'";
$result = mysql_query($sql);
$count = mysql_num_rows($result);

if($count === 1){
    session_start();
    $_SESSION['loggedin'] = 'true';
    $_SESSION['username'] = $username;
    header("Location: ../member.php");
    include('../include/blank.php'); 
}...................

also you don't need

..........
$password = stripslashes($password);
..........
$password = mysql_real_escape_string($password);

as MD5 will convert any string to alphanumeric.
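
The fixes suggested in this thread, combined into one verification script as an added example (not code from any poster). It assumes PDO with an in-memory SQLite table standing in for `members`, a hypothetical `password_hash` column and a hypothetical `verify_login()` helper, and it swaps the escaped query and `md5()` for a bound parameter and `password_hash()`/`password_verify()`.

```php
<?php
// Added example. verify_login() and the password_hash column are assumptions,
// not names from the thread.

// Constructed sample data: in-memory SQLite standing in for the MySQL `members` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// True only when the user exists and the password matches the stored hash.
function verify_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// is_string() rejects array-valued fields such as username[]=x.
if (is_string($username) && is_string($password)
    && verify_login($db, $username, $password)) {
    session_start();
    session_regenerate_id(true);        // fresh session ID at login
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;  // the variable, not the literal '$username'
    header('Location: /member.php');    // absolute path, as suggested above
    exit;                               // nothing after the redirect should run
}

// Same message whether the user is unknown or the password is wrong.
$Title = 'Failed Login';
$Content = 'Incorrect Username or Password.';
// include('../include/blank.php');    // the thread's template, not available here
```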