
Php Redirects?


scm22ri


Hi Everyone,

 

I have a question regarding php redirects. If you visit the below URL and if you're not logged in - you're presented with a statement saying you have to be logged in (which is what I want) but after the person clicks on "Click Here" they are taken to the login page where they can login. My question is, how would I redirect visitors back to the car-search page they originally wanted to visit?

 

http://whatsmyowncar.../car-search.php

 

This is my php session syntax on the car-search.php page.

 

 

<?php
session_start();

if (!isset($_SESSION['myusername'])) {
echo "Hello, you must have an account to view this page. <a href=\"http://whatsmyowncarworth.com/class-work/sign2/main_login.php\">Click Here</a>!<br>";
exit();
}
?>

Link to comment
Share on other sites

You could use this simple bit of code on your login file. This will store the referring url.

<?php
$my_url = 'http://www.yourwebsiteurl.com';
$goto_index = FALSE;
// The Referer header is optional, so fall back to an empty string when it is absent
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if(!isset($_SESSION['loginredirect']))
{
 // substring check: the referring url has to contain this site's url
 if(!strstr($referer, $my_url))
 {
  $goto_index = TRUE;
 }
 else
 {
  // do not redirect to any of these pages (add as you need)
  $noredirect = array('login.php', 'logout.php');
  foreach($noredirect as $file)
  {
   if(strstr($referer, $file))
   {
    $goto_index = TRUE;
   }
  }
 }
 // remember where to send the user once login succeeds
 $_SESSION['loginredirect'] = ($goto_index) ? $my_url : $referer;
}
?>

 

After login is successful you can redirect the user using

 

<?php
header('Location:' . $_SESSION['loginredirect']);
exit();
?>

Link to comment
Share on other sites

Hi Neil,

 

Thanks for the reply and help but I'm a little confused. On my car-search.php my syntax is below for the referring URL.

 

 

 

<?php

$curl = $_SERVER['REQUEST_URI']; // <--- This will get that page's url.
$_SESSION['crurl']= "$curl"; // <---  now storing it in a variable for later usage

?>

 

Where on my checklogin.php page (where all of my users are checked before they are logged) should I put the syntax you've provided me?

 

My syntax as it stands now.

 

<?php

// ob_start();
include_once "connect_to_mysql.php";

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
// session_register has been deprecated. Must figure out another function to use?
session_register("myusername");
session_register("mypassword"); 

// $_SESSION["myusername"];
// $_SESSION["mypassword"];
header("location:bo.php");
}

else {
  echo "Wrong Username and Password";
} 

// ob_end_flush();
?>

Link to comment
Share on other sites

<?php
// ob_start();
session_start(); // $_SESSION is only available after the session is started
include_once "connect_to_mysql.php";
$my_url = 'http://www.yourwebsiteurl.com';
$goto_index = FALSE;
// The Referer header is optional, so fall back to an empty string when it is absent
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if(!isset($_SESSION['loginredirect']))
{
 if(!strstr($referer, $my_url))
 {
  $goto_index = TRUE;
 }
 else
 {
  // do not redirect to any of these pages (add as you need)
  $noredirect = array('login.php', 'logout.php');
  foreach($noredirect as $file)
  {
   if(strstr($referer, $file))
   {
    $goto_index = TRUE;
   }
  }
 }
 $_SESSION['loginredirect'] = ($goto_index) ? $my_url : $referer;
}

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
// session_register has been deprecated. Must figure out another function to use?
session_register("myusername");
session_register("mypassword");
// $_SESSION["myusername"];
// $_SESSION["mypassword"];
//header("location:bo.php");
header('Location:' . $_SESSION['loginredirect']);
exit();
}
else {
  echo "Wrong Username and Password";
}
// ob_end_flush();
?>

 

Why are you storing the user's password in a session? You should never do this. You should store something that can tie them up to the database such as their ID.

Link to comment
Share on other sites
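An added example, not part of any post in this thread: the Referer header and REQUEST_URI are both supplied by the client, and a substring match on the site URL does not prove the target is on the site, so the stored target is worth validating before it reaches header('Location: ...'). The function name safe_return_path(), the 'return_to' session key, the '/index.php' fallback and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. safe_return_path() and the
// 'return_to' session key are hypothetical names.

// Return $candidate only if it is a same-site absolute path such as
// /car-search.php?make=ford; otherwise return $fallback.
function safe_return_path($candidate, $fallback = '/index.php',
                          array $deny = array('/main_login.php', '/logout.php'))
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Exactly one leading slash: rejects "http://host/..." and "//host/...".
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $fallback;
    }
    // No backslashes or control characters (CR/LF would split the header).
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $fallback;
    }
    $path = parse_url($candidate, PHP_URL_PATH);
    if (!is_string($path)) {
        return $fallback;
    }
    // Never bounce the user back to the login or logout page itself.
    foreach ($deny as $page) {
        if (substr($path, -strlen($page)) === $page) {
            return $fallback;
        }
    }
    return $candidate;
}

// Protected page:  $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
// After login:     header('Location: ' . safe_return_path($_SESSION['return_to'] ?? null));
//                  exit();

// Constructed inputs showing which targets survive validation.
$samples = array(
    '/car-search.php?make=ford',
    'http://other-site.example/car-search.php',
    '//other-site.example/',
    '/main_login.php',
    "/car-search.php\r\nX-Injected: 1",
);
foreach ($samples as $s) {
    echo json_encode($s), ' => ', safe_return_path($s), PHP_EOL;
}
```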

Thanks Neil,

 

Why are you storing the user's password in a session? You should never do this. You should store something that can tie them up to the database such as their ID.

 

I'm not sure. I tried the code this way and it worked so I stuck with it.

 

Should I change session_register("mypassword"); to session_register("id"); ?

 

Also, thanks Christian!

 

Thanks!

Edited by scm22ri
Link to comment
Share on other sites

You're most welcome. :)

 

As you noted session_register () is old and deprecated, which means it is removed in PHP from 5.4 and out. You should use the $_SESSION superglobal instead, which you've used above in the same code.

 

There are also a few other issues with your code, such as lacking validation of the username, missing hashing of the password (including salt), no error checking, and the extraneous use of strip_slashes ().

Thus I recommend that you research the following:

  • "Input validation" to cover the username issue.
  • Secure login systems to handle the password issue.
  • Jessica's article, to handle the MySQL errors.
  • And, lastly, remove the strip_slashes () calls from your code. Or at least wrap them in a check for get_magic_quotes_gpc ().

 

Also, using the inclusion method instead of the redirect, you can safely remove everything above where you set the username. Except the mysql connection, that is. ;)

Link to comment
Share on other sites
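An added example, not part of any post in this thread, putting the recommendations above together: username validation, a hashed and salted password checked with password_verify(), a prepared statement in place of stripslashes() and manual escaping, SQL errors surfaced as exceptions, and only the user's ID kept in $_SESSION. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL connection; the users(id, username, password_hash) layout, the function names and the demo account are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The users(id, username,
// password_hash) layout and both function names are assumptions.

// Return the user's id on success, null on any failure.
function check_login(PDO $db, $username, $password)
{
    // Input validation: bound the username's length and character set.
    if (!is_string($username) || !preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)) {
        return null;
    }
    if (!is_string($password) || $password === '') {
        return null;
    }
    // Prepared statement: the driver binds the value, so no stripslashes()
    // or manual escaping is involved.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt and cost stored inside the hash.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Keep only the id in the session, never the password.
function start_user_session($userId)
{
    session_start();
    session_regenerate_id(true); // new session id at the privilege change
    $_SESSION['user_id'] = $userId;
}

// Constructed demo data in an in-memory SQLite database (stand-in for MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface SQL errors
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(array('demo_user', password_hash('correct horse', PASSWORD_DEFAULT)));

var_dump(check_login($db, 'demo_user', 'correct horse')); // matching credentials
var_dump(check_login($db, 'demo_user', 'wrong'));         // bad password
var_dump(check_login($db, 'nobody', 'anything'));         // unknown user
```

In a web request, call start_user_session() with the returned id before sending any output, then issue the redirect.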

Thanks again Christian. I know my code has a lot of bugs but as I get better at coding I'm sure they'll disappear.

 

Christian, regarding the sessions when I comment out // the session_register() and use $_SESSION['mypassword']; and $_SESSION['myusername']; it's not allowing me to login. I'm not sure why it's doing that. Any pointers? Thanks!

Link to comment
Share on other sites

The $_SESSION array is just that, a regular array. So if you've used the code from above, and simply removed the comments, then you're missing the part where you set the value of the index.

Perhaps a read of the PHP manual would help to shine a light on this? :)

 

Just keep at it, and read all of the resources people have linked to here (both this thread and the forum in general). Especially the badged members, as they know what they're talking about. Then I'm sure you'll be producing high quality code before long.

Good luck! :)

Link to comment
Share on other sites
