Clicking on submit in login form redirects to index.php and doesn't login

Question

I'm making my first dynamic website with html5/php/mysql. I don't get why this doesn't work. The index.php file at the root basically puts everything together. It's at example.com/ (or example.com/index.php):

<!doctype html>
<html>
<?php
include("layout/header.php");
include("layout/layout.html");

/*content BEGIN*/
if (!empty($_SERVER['QUERY_STRING'])) {
    $page = $_SERVER['QUERY_STRING'];
    if(substr($page, -1) == '/') {
    $page = substr($page, 0, -1);
    }
    /*$page = basename($page);*/
    if (!file_exists("page/$page.php")){
        include("layout/404.html");
        }
    else{
        include("page/$page.php");
        }
}
else {
    include("page/home.php");
}
/*content END*/
include("layout/footer.html");
?>
</html>

The .htaccess has this:

RewriteRule ^(.*)$ index.php?/$1 [L]

So basically example.com/foo/bar displays the content of example.com/page/foo/bar.php inside the site's layout.

This post.php (located at example.com/page/admin/post.php and accessed with the layout at example.com/admin/post) works perfectly fine:

<div class="text">
<?php
session_start();
if (!isset($_SESSION['login'])){
    header("Location: /admin/login");
    }
if(isset($_POST['submit']) && ($_POST['submit'])=="Post"){
    if (!isset($_POST["title"]) || (trim($_POST["title"])=="")){
        echo "Insert a title.";
        }
    elseif(!isset($_POST["post"]) || (trim($_POST["post"])=="")){
        echo "You forgot the post";
        }
    elseif(!isset($_POST["author"]) || (trim($_POST["author"])=="")){
        echo "Write your name";
        }
    else{
        $postTitle = $_POST["title"];
        $post = $_POST["post"];
        $postAuthor = $_POST["author"];
        include "mysql.php";
        $sql = new mysql();
        $sql->connect();
        $sql->insert("post",array($postTitle, $post, $postAuthor),"title,post,author");
        echo "Great Success!";
        $sql->disc();
        }
}
else{
?>
<form action="<?php $_SERVER["PHP_SELF"];?>" method="post">
<h2>New Post:</h2>
Title:
<br />
<input name="title" type="text" size="64" />
<br />
Text:
<br />
<textarea name="post" cols="80" rows="20"></textarea>
<br />
Author:
<br />
<input name="author" type="text" size="32"  />
<br />
<input name="submit" type="submit" value="Post" />
</form>
<?php
}
?>
</div>

So as I said this works fine. But my login panel (example.com/page/admin/login.php OR example.com/admin/login) only works if I access it directly (example.com/page/admin/login.php), so without the layout around it. If I access it the "right way" through example.com/admin/login it loads but ALWAYS redirects me to example.com/index.php (this EXACT URL, not example.com/) upon clicking submit, and doesn't actually log me in. Here's the code for login.php:

<div class="text">
<?php
session_start();
if(isset($_SESSION['login'])){
    header("Location: /admin/panel");
    }
if(isset($_POST["submit"]) && (trim($_POST["submit"])=="Login")){
    if (!isset($_POST["password"]) || (trim($_POST["password"])=="")){
        echo "Insert password";
        }
    elseif (!isset($_POST["username"]) || (trim($_POST["username"])=="")){
        echo "Insert your username";
        }
    $username = trim(filter_var($_POST['username'], FILTER_SANITIZE_STRING));
    $password = trim(filter_var($_POST['password'], FILTER_SANITIZE_STRING));
    $password = sha1($password);
    include "mysql.php";
    $sql = new mysql();
    $sql->connect();
    $loginlist = $sql->query("SELECT user_id FROM users WHERE username = '$username' AND password = '$password'");
    if(mysql_num_rows($loginlist)==0){
        echo "Username/password wrong";
        }
    else{
        $userdata = $sql->extract($loginlist);
        $_SESSION["login"] = $userdata->user_id;
        $sql->disc();
        header("Location: /admin/panel");
        }
    }
    else{
?>
<h2>Admin panel login</h2>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
Username:
<br>
<input name="username" type="text" size="16">
<br>
Password:
<br>
<input name="password" type="password" size="64">
<br>
<input name="submit" type="submit" value="Login">
<br>
</form>
<?php 
} 
?>
</div>

Also the apache log says:

"POST /index.php HTTP/1.1" 200 2906

For every time this happens.

Answer 1

I found the solution myself. I had lost hope at this point and didn't expect to actually fix this. Basically, in the form for post.php (the one that worked from the beginning) I put

<form action="<?php $_SERVER['PHP_SELF']; ?>" method="post">

BUT in the one that didn't work, login.php it was

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

See the difference? It's that unnecessary echo in the php part that screwed up everything. Removing it solved my problem. The reason I didn't spot it right away is because I actually thought that was the correct way of doing it. Also I copy-pasted the form part between my various php files, so I thought it was the same in all pages, and since it worked in one I assumed it was correct in all documents. So I tried to find the error in the php part outside the form, because it changes in all documents. But I finally noticed it after comparing post.php and login.php one last time. So happy end I guess.