PHP Header Function Redirects to 404 Error

I am using a header redirect after the user submits a login and registration form and the input has been stored in a MySQL database. The registration info is successfully stored into the database, but when the script goes to redirect, I reach a 404 error.

I am using the variable $redirectURL to pass the absolute path to the header function. Upon redirecting, the URL is passed the variable $redirectURL instead of redirecting.

http://localhost/Shape_Search/app/model/user_util/$redirectURL

Here is the PHP script redirecting user_account.php:

<?php
/* Registration, Login, and Logout Request Processing
  This server-side script handles registration, authentication, and logout requests which come from login.php and registration.php. The database.class.php is used to fetch and insert user account data from/to the database
*/
require_once (realpath(dirname(dirname(dirname(__DIR__)))) . '\config\config.php');

session_start();

// Include and initialize database class
require_once (CONTROLLER . 'database.class.php');
$accountDB = new DB();

$postData = $statusMsg = $valErr = '';
$status = 'error';
$redirectURL = INDEX;

/* SIGNUP SUBMIT
If signup request is submitted, input data is inserted in the database after validation
*/
if (isset($_POST['registerSubmit'])) {   
    $redirectURL= FORM . 'registration.php'; 

    // Get user's input
    $postData = $_POST;
    $cleanUsername = strip_tags(trim($_POST['username']));
    $cleanPassword = strip_tags(trim($_POST['password']));
    $cleanPasswordConfirm = strip_tags(trim($_POST['passwordConfirm']));

    // Validate form fields
    if (empty($cleanUsername)) {
        $valErr .= 'Please enter a username.';
    }
    if (empty($cleanPassword)) {
        $valErr .= 'Please enter a password.';
    }
    if (empty($cleanPasswordConfirm)) {
        $valErr .= 'Please confirm your password.';
    }

    /* Validate username input to prevent injections
    * Allow usernames that begin with a letter and only contain alphanumerics plus '-' and '_'
    * Also checks that the username is between 5 and 50 characters long
    */
    $regexUsername = '/^[a-zA-Z][a-zA-Z0-9_-]{4,49}$/';


    if (preg_match($regexUsername, $cleanUsername)) {
        /* Clean password input to prevent injections
        * Allow passwords that contain:
        *      Minimum of 8 characters
        *      Minimum of 1 Uppercase Letter
        *      Minimum of 1 numeric value
        *      Minimum of 1 Special Character !@#$%^&-
        */
        $regexPassword = '/^(?=.*[!@#$%^&*-])(?=.*[0-9])(?=.*[A-Z]).{8,20}$/';
        

        if (preg_match($regexPassword, $cleanPassword) && preg_match($regexPassword, $cleanPasswordConfirm)) {
            if ($cleanPassword != $cleanPasswordConfirm) {
                $valErr .= 'Passwords should match.';
            }
        } else {
            $valErr .= 'Password must contain the following:
            Minimum of 8 characters
            Minimum of 1 Uppercase Letter
            Minimum of 1 numeric value
            Minimum of 1 Special Character !@#$%^&- ';
        }
    } else {
        $valErr .= 'Username must be between (5-50) characters and may only contain letters or numbers or - or _';
    }

    // Check whether user errors are empty
    if (empty($valErr)) {
        // Check whether user already exists with same username in database
        $prevCon['where'] = array(
            'username' => $cleanUsername
        );
        $prevCon['return_type'] = 'count';
        $prevUser = $accountDB->getRows('user',$prevCon);

        if ($prevUser > 0) {
            $statusMsg = 'Username already registered, please choose another username.';
        } else {
            // Insert user data into the database
            $passwordHash = password_hash($cleanPassword, PASSWORD_DEFAULT);
            $memberData = array(
                'username' => $cleanUsername,
                'password' => $passwordHash
            );
            $insert = $accountDB->insert('user', $memberData);

            if ($insert) {
                $status = 'success';
                $statusMsg = 'Your account has been registered successfully, you may now login to your account.';
                $postData = '';

                $redirectURL = FORM . 'login.php';
            } else {
                $statusMsg = 'Something went wrong, please try again after some time.';
            }
        }
    } else {
        $statusMsg = 'Something is wrong with your input: '.$valErr;
}

// Store registration status into the SESSION
$sessData['postData'] = $postData;
$sessData['status']['type'] = $status;
$sessData['status']['msg'] = $statusMsg;
$_SESSION['sessData'] = $sessData;

// Redirect to the login/registration page
header('Location: $redirectURL');
exit();

/* LOGIN SUBMIT
* If login request is submitted, the system checks if any record exists in database with given username and password
*/
} elseif (isset($_POST['loginSubmit'])) {
    // Get user's input
    $postData = $_POST;

    // Clean username and password input by removing injection tags and white space  
    $cleanUsername = strip_tags(trim($_POST['username']));
    $cleanPassword = strip_tags(trim($_POST['password']));
    // Validate form fields
    if (empty($cleanUsername)) {
        $valErr .= 'Please enter your username.';
    }
    if (empty($cleanPassword)) {
        $valErr .= 'Please enter your password.';
    }

    // Check whether user inputs are empty
    if (empty($valErr)) {

        $conditions['where'] = array(
            'username' => $cleanUsername,
        );
        $conditions['return_type'] = 'single';
        $userData = $accountDB->getRows('user', $conditions);
        
        // Confirm the user record exists before verifying the password hash
        if (!empty($userData)) {
            if (password_verify($cleanPassword, $userData['password'])) {
                $status = 'success';
                $statusMsg = 'Welcome '.$userData['username'].'!';
                $postData = '';

                $_SESSION['userLoggedIn'] = TRUE;
                $_SESSION['userID'] = $userData['id'];

                $redirectURL = HOME;
            
            } else {
            $statusMsg = 'Wrong username or password, please try again!';
            }
        } else {
            $statusMsg = 'Password does not match record.';
        }
    } else {
        $statusMsg = 'Username does not exist.';
    }
} else {
    $statusMsg = 'There is something wrong with your input: '.$valErr;
}
// Store login status into the SESSION 
$sessData['postData'] = $postData; 
$sessData['status']['type'] = $status; 
$sessData['status']['msg'] = $statusMsg; 
$_SESSION['sessData'] = $sessData; 

// Redirect to home page
header('Location: $redirectURL');
exit();
?>

Solution:

The $redirectURL variable should be outside the single quotes in the header method and concatenated with the '.' operator.

// Redirect to home page
// Wrong:
header('Location: $redirectURL');

// Right:
header('Location:'.$redirectURL);
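Why the browser ended up at .../user_util/$redirectURL, together with a guard that fails loudly on an unexpanded value, as an added example that is not part of the original question or answer. The value of FORM is constructed (the real one is in the project's config.php), and resolveLocation and locationHeader are hypothetical helpers.

```php
<?php
// Added example; not the asker's code. FORM's value is constructed here,
// the real one is defined in the project's config.php.
const FORM = 'http://localhost/Shape_Search/app/view/form/';
// URL of the redirecting script, derived from the 404 URL in the question.
const SCRIPT_URL = 'http://localhost/Shape_Search/app/model/user_util/user_account.php';

/** Resolve a Location value as a browser would (absolute URL or bare relative file name only). */
function resolveLocation(string $base, string $location): string
{
    if (parse_url($location, PHP_URL_SCHEME) !== null) {
        return $location;                       // already absolute
    }
    // Relative reference: replace the last path segment of the base URL.
    return substr($base, 0, strrpos($base, '/') + 1) . $location;
}

/** Build the header line, refusing anything that is not an absolute http(s) URL. */
function locationHeader(string $url): string
{
    $parts = parse_url($url);
    $scheme = is_array($parts) ? ($parts['scheme'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        throw new InvalidArgumentException("Refusing redirect to non-absolute URL: $url");
    }
    return 'Location: ' . $url;
}

$redirectURL = FORM . 'login.php';

// Single quotes: the header value is the literal text "$redirectURL",
// which the browser treats as a file name relative to the current script.
echo resolveLocation(SCRIPT_URL, '$redirectURL'), PHP_EOL;
// Double quotes (or concatenation): the variable's value is sent.
echo resolveLocation(SCRIPT_URL, "$redirectURL"), PHP_EOL;

// The guard accepts the real target and rejects the unexpanded literal.
echo locationHeader($redirectURL), PHP_EOL;
try {
    locationHeader('$redirectURL');             // the bug from the question
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In the script itself, the string returned by locationHeader() would be passed to header() and followed by exit().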