Unable to navigate to another page using PHP, MySQL

Question

I have some data in the database. As i give the email and password it should fetch the database and login. The problem is, from loginform.php file it is navigating to the loginvalidate.php file, but after that it doesn't navigate to another page which I have mentioned in the header() function. As soon as i give the email and password, and hit the login button, it just stops at loginvalidate.php and doesn't proceed to profile.php file. I hope you get it.I donno where the error is, it is neither throwing an error. I'm using WAMP and when I run this code in the browser, the url should display ../../profile.php after hitting the login button, but it shows ../../loginvalidate.php in the URL and the page has nothing to show ie blank. I have used the md5 function to store passwords in the database. So here also first I have applied the md5 function on the user entered password and then used the password_verify. Is it the password verifying problem or is it anything else ?

loginform.php

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="stylesheet" type="text/css" href="css/style.css">
    <script type="text/javascript" src="js/jquery.validate.min.js"></script>
</head>
<body>

    <form action="includes/loginvalidate.php" method="post">
        <div style="margin-top:17%;">
         <!--Text box to enter email-id-->
            <input id="email" type="email" name="eid" placeholder="E-mail" required/>
            <hr style="position:relative; color:white;">
        </div>
        <div style="margin-top:3%">
         <!--Text box to enter password-->
            <input id="pwd" type="password" name="password" placeholder="Password" required/>
        </div>  
            <div style="margin-top:15%">
                <input type="image" class="mclass" name="loginbt" id="login"  src="images/login.png">
            </div>
    </form>
</body>

includes/loginvalidate.php

<?php
session_start();
try
{
    $db = new PDO("mysql:host=localhost;dbname=xxx","yyy","zzz");
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    if(isset($_POST['loginbt']))
    {
        $errmsg='';
        $email =$_POST['eid'];
        $pass = md5($_POST['password']);

        if($errmsg == '')
        {
            $sql = $db->prepare('SELECT id, email, password from users WHERE email = :email');
            $sql->bindParam(':email',$email);
            $sql->execute();
            $result = $sql->fetch(PDO::FETCH_ASSOC);
            if(count($result)>0 && password_verify($pass,$result['password']))
            {
                header('location: ../profile.php');
                exit();
            }
            else
            {
                echo '<script language="javascript">';
                echo 'alert("Username/Password is incorrect")';
                echo '</script>';
            }
        }
    }
}
catch(PDOException $e)
{
    echo $e->getMessage();
}       

?>

Answer 1

Problem is you are using an image type to submit but testing it as if it was a submit type...

<input type="image" class="mclass" name="loginbt" id="login"  src="images/login.png">

This won't bring

$_GET['loginbt'] 

as you expect

So it is failing the test here:

if(isset($_POST['loginbt']))

The image as a button work in the sense that it submits the form. But if you need to test for a value coming from that form you could test any other element or create a hidden element with the name/value that you want to test.

<input type="hidden" name="loginbt" value="loginbt">
<input type="image" class="mclass" id="login" src="images/login.png">

For instance. This way the info won't show on your form but will be sent to the server

You should also always use a "secret", never repeated value in a hidden field to check if the POST is comming from a real form (google XSS protection).

Answer 2

Using your form code, then using

var_dump($_POST);

Shows

["loginbt_x"]=> string(1) "0" ["loginbt_y"]=> string(1) "0"

So, you can test for either of those values like so

if (isset($_POST['loginbt_x']))

and it should work.

When an image input is used to submit a form, the input names sent to the server, are an _x and _y, which refer to the position of the cursor on the image when it was clicked.

Answer 3

That's all folks, I've found the solution myself. I usually thought that the code I have written was a bit complex. Then after some 99 failed attempts and for 100th attempt, I found the solution myself. This is how loginvalidate.php file should be

includes/loginvalidate.php

    $db = new PDO("mysql:host=localhost;dbname=xxxx","yyyy","zzzzz");
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);


        $email =$_POST['eid'];
        $pass = md5($_POST['password']);            
        $sql = $db->prepare('SELECT id, email, password from users WHERE email = :email AND password = :password');
        $sql->bindParam(':email',$email);
        $sql -> bindParam(':password',$pass);
        $sql->execute();
        $result = $sql->fetchColumn();
        if($result == true)
        {
            header("Location: ../profile.php");
            exit();
        }
        else {
            echo '<script type=text/javascript>';
            echo 'alert("Username/Password is incorrect")';
            echo '</script>';
        }

ob_end_flush();

I would like to thank each and everyone here who have helped me to find the solution but the main credit finally goes to myself. :P.