After the user logs in, I want to go to a new page of course. So I have header("location:page.php");, but it's not working. Please help!

<?php
function page($page) {
 header("location:$page");
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
 <head>
  <title>Enter your username and password:</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <script language="JavaScript" type="text/JavaScript">
  <!--
  function validation(form) {
   if ((form.username.value == "") || (form.password.value == "")) {
    alert("Please enter your username or password.");
   }
   else {
    form.submit();
   }
  }
  //-->
  </script>
 </head>
 <body>
  <form action="login.php" method="POST" onsubmit="validation(this);return false;">
   <input type="text" name="username">
   <br>
   <input type="password" name="password">
   <br>
   <input type="submit" value="Login">
  </form>
  <p>
  <?php
  function login($username, $password) {
   $page = "index.php";
   $user = "username";
   $pass = "password";
   if (($username == $user) && ($password == $pass)) {
    print ("Login Success! Please wait...");
    page($page);
   }
   elseif (($username != $user && $username != "") || ($password != $pass && $password != "")) {
    print ("Login Failure! Either the username or password you entered are incorrect.<br>Please try again.");
   }
   else {
    print ("Login...");
   }
  }
  login($username, $password);
  ?>
  </p>
 </body>
</html>

Also, is there a way with PHP to keep someone from just typing in the URL of the secret page? I want a thing that checks to see if they came from the login screen and that they entered a valid username and password.

    A header must be sent before anything else - so you can't send a load of HTML to the page and then send it a header - it won't wash.

    You've got to send the header before anything else is sent to the browser (one space is enough to stop it from working). If you get rid of everything like the "Login success" etc so that if they enter a valid password they get taken straight to the header bit with nothing else being echoed before it, then it will work.

    As for the secret page bit, when they've logged in successfully then do a session_register("valid_user"). Then on every page that's secret, have at the top:

    session_start();
    if(!session_is_registered("valid_user"))
       header("Location:login.php");
    else
    {
    

    and then have the content for the page. That way, if they go to the page and the session variable "valid_user" hasn't been set (i.e. they haven't gone through the form) then they'll get sent back to the login page.

      6 days later

      Hello syst3m,

      I can answer both your questions. First, not saying that what you have is bad or anything, you might want to reconsider, maybe using something like what I'm going to give you. It's a way easier code to use.

      This is how you use it if you wanted just one set username and password. You can either make it go to a new page after login with this script: This would be your whole page right here.

      <?php

      // sample #1 redirect after success

      if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))

      || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'open' ) ) {

      header( 'WWW-Authenticate: Basic realm="Private"' ); 
      header( 'HTTP/1.0 401 Unauthorized' ); 
      echo 'Authorization Required.'; 
      exit; 

      } else {

      header( 'Location: http://www.yourserver.com/new_page.html' ); 

      }
      ?>

      Or, to make it real secure like you were saying about making it to where people just couldn't enter the url of the safe page, you can do this: Note when you enter html whenever there is a " you must put a \ in front of it. e.g.( <font color=\"red\" size=\"2\"> ). USE THIS:

      <?php

      // sample #2 print HTML after success

      if ( ( !isset( $PHP_AUTH_USER )) || (!isset($PHP_AUTH_PW))

      || ( $PHP_AUTH_USER != 'user' ) || ( $PHP_AUTH_PW != 'open' ) ) {

      header( 'WWW-Authenticate: Basic realm="Private"' ); 
      header( 'HTTP/1.0 401 Unauthorized' ); 
      echo 'Authorization Required.'; 
      exit; 

      } else {

      echo ' 
      
      <HTML> 
      <HEAD> 
      <TITLE>Secret Stuff</TITLE> 
      </HEAD> 
      <BODY> 
      <H1>SECRET!</H1> 
      <P>This is a secret message.</P> 
      </BODY> 
      </HTML> 
      
      '; 

      }
      ?>

      Now if you're wanting to make it to where people can make accounts, you can do it two ways. You can make a register form and pass the variables to a text file on your server using this:

      <?php

      $auth = false; // Assume user is not authenticated

      if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {

      // Read the entire file into the variable $file_contents 
      
      $filename = '/path/to/file.txt'; 
      $fp = fopen( $filename, 'r' ); 
      $file_contents = fread( $fp, filesize( $filename ) ); 
      fclose( $fp ); 
      
      // Place the individual lines from the file contents into an array. 
      
      $lines = explode ( "\n", $file_contents ); 
      
      // Split each of the lines into a username and a password pair 
      // and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW. 
      
      foreach ( $lines as $line ) { 
      
          list( $username, $password ) = explode( ':', $line ); 
      
          if ( ( $username == "$PHP_AUTH_USER" ) && 
               ( $password == "$PHP_AUTH_PW" ) ) { 
      
              // A match is found, meaning the user is authenticated. 
              // Stop the search. 
      
              $auth = true; 
              break; 
      
          } 
      } 

      }

      if ( ! $auth ) {

      header( 'WWW-Authenticate: Basic realm="Private"' ); 
      header( 'HTTP/1.0 401 Unauthorized' ); 
      echo 'Authorization Required.'; 
      exit; 

      } else {

      echo '<P>You are authorized!</P>'; 

      }

      ?>

      Or you can send it to a database with this:

      <?php

      $auth = false; // Assume user is not authenticated

      if (isset( $PHP_AUTH_USER ) && isset($PHP_AUTH_PW)) {

      // Connect to MySQL 
      
      mysql_connect( 'hostname', 'username', 'password' ) 
          or die ( 'Unable to connect to server.' ); 
      
      // Select database on MySQL server 
      
      mysql_select_db( 'your_db' ) 
          or die ( 'Unable to select database.' ); 
      
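      // Formulate the query, escaping the user-supplied values so that
      // quotes in them cannot change the SQL statement
      
      $sql = "SELECT * FROM users WHERE 
              username = '" . mysql_real_escape_string( $PHP_AUTH_USER ) . "' AND 
              password = '" . mysql_real_escape_string( $PHP_AUTH_PW ) . "'"; 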
      
      // Execute the query and put results in $result 
      
      $result = mysql_query( $sql ) 
          or die ( 'Unable to execute query.' ); 
      
      // Get number of rows in $result. 
      
      $num = mysql_num_rows( $result ); 
      
      if ( $num != 0 ) { 
      
          // A matching row was found - the user is authenticated. 
      
          $auth = true; 
      
      } 

      }

      if ( ! $auth ) {

      header( 'WWW-Authenticate: Basic realm="Private"' ); 
      header( 'HTTP/1.0 401 Unauthorized' ); 
      echo 'Authorization Required.'; 
      exit; 

      } else {

      echo '<P>You are authorized!</P>'; 

      }

      ?> 😃

      -Blake
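
An added example, not part of Blake's post or any project's code: the database check above written for current PHP with a PDO prepared statement and password_hash()/password_verify(), so submitted values are bound as data and only hashes are stored. The users table, the sample account and the function names are assumptions, and in-memory SQLite stands in for MySQL so the block runs on its own.

```php
<?php
// Added example, not from the thread. Table layout, account and function
// names are assumptions; in-memory SQLite stands in for the MySQL server.
declare(strict_types=1);

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    // Constructed sample account: only the hash is stored, never the password.
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $ins->execute(['user', password_hash('open', PASSWORD_DEFAULT)]);
    return $db;
}

function check_credentials(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: the submitted name is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // password_verify() re-hashes $pass with the stored salt and compares safely.
    return is_string($hash) && password_verify($pass, $hash);
}

$db = make_demo_db();

if (PHP_SAPI === 'cli') {
    // Command-line check with constructed inputs; no HTTP headers involved.
    var_dump(check_credentials($db, 'user', 'open'));
    var_dump(check_credentials($db, "o'brien", "it's"));
    exit;
}

// Same Basic-auth gate as in the post, reading the values from $_SERVER.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!check_credentials($db, $user, $pass)) {
    header('WWW-Authenticate: Basic realm="Private"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}
echo '<P>You are authorized!</P>';
```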

        5 days later

        Thanks batman. That's a lot more than I asked for but I guess I can use the other stuff you gave me.

          Originally posted by jpmoriarty
          A header must be sent before anything else - so you can't send a load of HTML to the page and then send it a header - it won't wash.

          You've got to send the header before anything else is sent to the browser (one space is enough to stop it from working). If you get rid of everything like the "Login success" etc so that if they enter a valid password they get taken straight to the header bit with nothing else being echoed before it, then it will work.

          As for the secret page bit, when they've logged in successfully then do a session_register("valid_user"). Then on every page that's secret, have at the top:

          session_start();
          if(!session_is_registered("valid_user"))
             header("Location:login.php");
          else
          {
          

          and then have the content for the page. That way, if they go to the page and the session variable "valid_user" hasn't been set (i.e. they haven't gone through the form) then they'll get sent back to the login page.

          I can't get it to work. After replacing "valid_user" with the username, it didn't work, then after leaving it as "valid_user" it still didn't work. If the username is "username", how should this script look? Sorry for my newbiness.

            The theory is that provided the username and password are correct (i.e. a successful login) then you register the session variable "valid_user". It is completely independent from a user name, a password, anything - all it is is a variable called "valid_user" which is registered as a session variable. That way, all you need to do is to test to see if the variable exists - if it does, then you know that they logged in successfully, and therefore that they are allowed to view the page: who they are doesn't matter, all that matters is you want to know if they've logged in successfully.

            Bear in mind there is a line in my post you need to have read:

            when they've logged in successfully then do a session_register("valid_user")

            - to do that you'll need to have a log in processing form that does something like:

            // Register the session variable only after a successful login
            if($username == "admin" && $password == "letmein")
            {
               $valid_user = $username;
               session_register("valid_user");
            }

            Note that although I've given valid_user the value of username, all that the subsequent code that I've suggested does is test to see if the variable exists, so you could give it any value you want.
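
An added example, not part of any post in the thread: the login step and the page guard from jpmoriarty's two replies, written with $_SESSION because session_register() and session_is_registered() were removed in PHP 5.4. The function names and the single-file layout are assumptions; the account values and file names are the ones used in the posts.

```php
<?php
// Added example, not from the thread. One file shows both roles: the part
// that would live in login.php and the guard for each protected page.
declare(strict_types=1);

// Session start and redirects run before the first byte of output,
// which is the condition header() needs in order to work.
session_start();

function login(string $username, string $password): bool
{
    // Hard-coded account from the reply; hash_equals() compares in constant time.
    $ok = hash_equals('admin', $username) && hash_equals('letmein', $password);
    if ($ok) {
        session_regenerate_id(true);         // fresh session id after login
        $_SESSION['valid_user'] = $username; // replaces session_register()
    }
    return $ok;
}

function require_login(): void
{
    if (!isset($_SESSION['valid_user'])) {
        header('Location: login.php');
        exit; // stop here so none of the protected page is sent
    }
}

// login.php role: process the form, then redirect without printing anything.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    // Form fields can arrive as arrays; treat anything but a string as empty.
    $ok = login(is_string($u) ? $u : '', is_string($p) ? $p : '');
    header('Location: ' . ($ok ? 'index.php' : 'login.php'));
    exit;
}

// Protected page role: the guard comes first, the content after it.
require_login();
echo '<h1>SECRET!</h1>';
```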
