In my paid server, login.php does not redirect to index.php even though user is in database already

I am in a bit of a quandary here. My login.php does not redirect to index.php even though the user is added into the database in register.php. The thing that’s a little weird is that it works perfectly well on localhost, but when I placed it on the web server it didn’t work. I already edited the mysql connect to reflect the server database and password and I can add new users, so I know that the connection is good. It’s just that when I log in using the registered user, it won’t redirect to the index.php page. This is my code for server.php:

<?php
session_start();
// initializing variables
$username = "";
$email    = "";
$errors = array(); 
// connect to the database
$db = mysqli_connect('ipage.com', 'loginname', 'password', 'dbname');
// REGISTER USER
if (isset($_POST['reg_user'])) {

  // receive all input values from the form
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
  $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($username)) { array_push($errors, "Username is required"); }
  if (empty($email)) { array_push($errors, "Email is required"); }
  if (empty($password_1)) { array_push($errors, "Password is required"); }
  if ($password_1 != $password_2) {
  array_push($errors, "The two passwords do not match");

  }
  // first check the database to make sure 
  // a user does not already exist with the same username and/or email
  $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
  $result = mysqli_query($db, $user_check_query);
  $user = mysqli_fetch_assoc($result);
  if ($user) { // if user exists
    if ($user['username'] === $username) {
      array_push($errors, "Username already exists");
    }
    if ($user['email'] === $email) {
      array_push($errors, "email already exists");
    }
  }
  // Finally, register user if there are no errors in the form
  if (count($errors) == 0) {
    $password = md5($password_1);//encrypt the password before saving in the database
    $query = "INSERT INTO users (username, email, password) 
          VALUES('$username', '$email', '$password')";
    mysqli_query($db, $query);
    $_SESSION['username'] = $username;
    $_SESSION['success'] = "";
    header('location: index.php');
  }
}
// LOGIN USER
if (isset($_POST['login_user'])) {
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);
    if (empty($username)) {
        array_push($errors, "Username is required");
    }
    if (empty($password)) {
        array_push($errors, "Password is required");
    }
    if (count($errors) == 0) {
        $password = md5($password);
        $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
        $results = mysqli_query($db, $query);
        if (mysqli_num_rows($results) == 1) {
          $_SESSION['username'] = $username;
          $_SESSION['success'] = "";
          header('location: index.php');
        }else {
            array_push($errors, "Wrong username/password combination");
     }   
    }
  }
  ?>

This is my login.php:

<?php include('server.php') ?>
<!DOCTYPE html>
<html>
<head>
  <title>Login</title>
  <link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
  <div class="header">
      <h2>Titke</h2>
      <p>LogIn</p>
  </div>
  <form method="post" action="login.php">
    <?php include('errors.php'); ?>
    <div class="input-group">
      <label>Username</label>
      <input type="text" name="username" >
    </div>
    <div class="input-group">
      <label>Password</label>
      <input type="password" name="password">
    </div>
    <div class="input-group">
      <button type="submit" class="btn" name="login_user">Login</button>
    </div>
    <p>
      Not yet a member? <a href="register.php">Sign up</a>
    </p>
  </form>
  </div>
  </div>
</body>
</html>

This is my index.php:

<?php 
  session_start(); 
  if (!isset($_SESSION['username'])) {
    $_SESSION['msg'] = "You must log in first";
    header('location: login.php');
  }
  if (isset($_GET['logout'])) {
    session_destroy();
    unset($_SESSION['username']);
    header("location: login.php");
  }
?>
<!DOCTYPE html>
<html>
<head>
  <title>Home</title>
  <link rel="stylesheet" type="text/css" href="index.css">
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
</head>
<body>
<div class="content">
    <!-- notification message -->
    <?php if (isset($_SESSION['success'])) : ?>
      <div class="error success" >
        <h3>
          <?php 
            echo $_SESSION['success']; 
            unset($_SESSION['success']);
          ?>
        </h3>
      </div>
    <?php endif ?>
<!-- logged in user information -->

    <?php  if (isset($_SESSION['username'])) : ?>

      <p> Goodbye <strong><?php echo $_SESSION['username']; ?></strong></p>            

       <button class="w3-button w3-red"> <h5><a href="index.php?logout='1'">Sign Out</a></h5> </p></button>  
    <?php endif ?>   
    </div>
</body>
</html>

ADMIN EDIT: Added Code Tags

Until you or a kindly mod/admin edits your post above and adds bbcode [code]...[/code] tags or markdown so the code is readable, it’s hard to tell what the relevant code is.

Also, you didn’t state if the redirect upon successful registration worked and what if any of the login validation error messages are getting displayed. Is the code even displaying the contents of the $errors array?

Some points that are apparent in the code -

  1. Don’t use md5() for password hashing. Use php’s password_hash() and password_verify().
  2. Each header() redirect needs an exit; statement to stop program execution.
  3. The LIMIT 1 in the SELECT query would only find the first of two possible rows, so you can get an inaccurate reporting of duplicates. However, you shouldn’t try to select data to find if it already exists. The column(s) in your database table should be defined as unique index(es) (to enforce uniqueness at the database level), then just insert the data and detect if a duplicate index error occurred. If you have more than one unique index, it would be at this point where you would use a SELECT query to find which column(s) contain duplicate values.
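Points 1 to 3 above applied to the thread's users table, as an added example that is not part of any post in this thread. It assumes UNIQUE indexes on username and email, a password column wide enough for password_hash() output (VARCHAR(255)), the mysqlnd driver for get_result(), and that session_start() has already run; redirect(), register_user() and login_user() are hypothetical helper names.

```php
<?php
// Added example, not the original poster's code. Assumes users.username and
// users.email each have a UNIQUE index and users.password is VARCHAR(255).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function redirect(string $to): void {
    header('Location: ' . $to);
    exit; // point 2: nothing after the redirect may run
}

function register_user(mysqli $db, string $username, string $email, string $password): array {
    $hash = password_hash($password, PASSWORD_DEFAULT); // point 1: salted, slow hash
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $email, $hash);
    try {
        $stmt->execute(); // point 3: just insert, let the index enforce uniqueness
        return [];
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() !== 1062) { throw $e; } // 1062 = duplicate key
    }
    // Two unique indexes, so only now SELECT to report which value is taken.
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = ? OR email = ?');
    $stmt->bind_param('ss', $username, $email);
    $stmt->execute();
    $errors = [];
    foreach ($stmt->get_result() as $row) {
        // Case-insensitive compare, matching MySQL's default collation.
        if (strcasecmp($row['username'], $username) === 0) { $errors[] = 'Username already exists'; }
        if (strcasecmp($row['email'], $email) === 0) { $errors[] = 'email already exists'; }
    }
    return array_unique($errors);
}

function login_user(mysqli $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // The hash is compared in PHP, not in the WHERE clause.
    if (!$row || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id after authentication
    $_SESSION['username'] = $username;
    return true;
}
```

In server.php the login branch then becomes `if (login_user($db, $_POST['username'], $_POST['password'])) { redirect('index.php'); }`. Rows stored with md5() will not pass password_verify(), so those accounts need a password reset.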

AND, do not start a session and then check if it is started… Does not make sense at all!
AND, you destroy the session if they log out and then check to see if they are logged in and then say goodbye. Does not make sense either!

Oh sorry ’bout that. I placed the signout in the bottom of the page after a long h4 Statement /h4 in between.
I’ll fix it. But the problem I have of redirect still exists.

On the login problem, how have you debugged this issue? I am that the inputs to the query are not correct. In most of my code, I use double-quotes in the header line. I looked at some samples and they also all used double-quotes. Try header("Location: index.php"); instead of the single-quotes. See if it works instead for you. This is because the header first argument needs to be a string and the double-quote forces it to a string. Although, I tested it and single-quotes worked on my server. But, try that first.

Remember, md5() functions are no longer used as they are not as secure as the new password_hash().
Also, this function is not really used nowadays.

Instead, you can use filter_input() function which is supposed to be better security-wise.

Answering this would narrow down the problem -

Did it. Still didn’t work. I also tried “Location: https:somewebsite.com” and it was able to send me to the website. I also did https:myownwebiste/index.php but by then I couldn’t access my website anymore.

Well, so the site does do redirects. That is a good thing. We know it is not the command itself.
How are you debugging this site? First, when you enter a user name and password, have it display the actual live data and see if it is getting the info.
Next, if that is working, create the md5 of the password and display it. Then, run a manual query using your mysql control panel and see if it gets results.
You can also break the pages at various points to see what the data is in the code. Just use die($data variable); and it will kill the page and display what is in the variable. Then, you can force it to stop and tell you what is in the variables. Not the best way, but it works when testing pages. Something like:
die(" name=" . $username . "
password=" . $password); would kill the page and display the data.
Might help you to trace down where it is failing… Good luck!
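The checkpoints suggested in the post above, gathered in one place and written to the server's error log instead of the page, as an added example that is not code from the thread. It records the password's length rather than the password, and also reports whether output has already started, since header() can only redirect before any output is sent. login_checkpoints() is a hypothetical helper name; $db and $results are the variables from the server.php shown earlier.

```php
<?php
// Added example, not code from the thread. Collects the values worth
// inspecting at the point where the login redirect should happen.
function login_checkpoints(array $post, mysqli $db, $results): array {
    $file = '';
    $line = 0;
    $sent = headers_sent($file, $line); // true once any output has gone out
    return [
        'login_user posted' => isset($post['login_user']),
        'username received' => $post['username'] ?? null,
        'password length'   => strlen($post['password'] ?? ''),
        'query error'       => mysqli_error($db),
        'rows matched'      => $results instanceof mysqli_result ? $results->num_rows : null,
        'session active'    => session_status() === PHP_SESSION_ACTIVE,
        'session id'        => session_id(),
        'headers sent'      => $sent ? "yes, output started at $file:$line" : 'no',
    ];
}

// In server.php, immediately before header('location: index.php'):
// error_log(json_encode(login_checkpoints($_POST, $db, $results)));
```

Where error_log() writes depends on the host's PHP configuration.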
