Page redirection problem

ttimon7

Hi everyone, as I described it in the title bar, I can't redirect my site during the login process.
I've read a lot of posts already, but none has been helpful so far. (I put header() as a function in the beginning part of my file too).
I am at a loss, maybe it's a URL problem, please, help me with this!
Here is my code (for index.php):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?php
session_start();
if(!isset($_SESSION['access']))$_SESSION['access']='DENIED';
function redirect()
{
$_SESSION['access']='GRANTED';
header('Location: http://tlib.x10.mx/tlib.php');
die();
exit;
}
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="unity.css" />
<title>Login screen</title>
</head>
<body>
<div id="login">

<?php
$connection=mysql_connect("localhost", "loginname_login", "psw");
if(!$connection)die('Could not connect: ' . mysql_error());
mysql_select_db("loginname_book_lib", $connection);
$data = mysql_query("SELECT * FROM Account");

while($temp = mysql_fetch_array($data)){
if(!empty($_POST) && $temp["Username"] == $_POST["uname"] && $temp["Password"] == $_POST["password"])
{
redirect();
mysql_close($connection);
}
}
?>
<form action="index.php" method="post">
Username: <input type="text" name="uname" /></br>
Password: <input type="password" name="password" /></br>
<input type="submit" value="submit" />
</form>

</div>
</body>
</html>
And in my file manager, I uploaded files as index.php and tlib.php
 

descalzo

Do you get any error messages?

And once you output anything (i.e. the DOCTYPE), you cannot adjust the headers for relocation.

Also, die() is the same thing as exit(), so you do not have to call both.
 

misson

Firstly, browse the forums a little better. All of the following has been covered many times in many threads.

Please use [php], [html] or [code] tags (as appropriate) to separate and format code.

[URL=http://www.phpfreaks.com/blog/or-die-must-die]Don't use [c]die[/c][/URL] (or [c]exit[/c]) when outputting HTML. You'll get invalid HTML.

Read up on HTTP (try [URL="http://www.jmarshall.com/easy/http/"]HTTP Made Really Easy[/URL] and [url=http://net.tutsplus.com/tutorials/other/http-headers-for-dummies/]HTTP Headers for Dummies[/url]) and [URL="http://www.php.net/manual/en/book.session.php"]PHP sessions[/URL], and you'll understand what's wrong with the location for your calls to [c]header()[/c] and [c]session_start()[/c].

Outputting database error messages to non-admin users [URL=http://msdn.microsoft.com/en-us/library/ms995351.aspx#securityerrormessages_topic2]discloses too much information[/URL]. Instead, log the MySQL error message. For some errors (such as those related to missing or invalid values), output your own [url=https://developer.apple.com/library/mac/documentation/UserExperience/Conceptual/AppleHIGuidelines/Windows/Windows.html#//apple_ref/doc/uid/20000961-TP10]error message[/url] to the user and what action the user can take to address it. For the rest, inform the user that there was an internal error.

The [URL="http://x10hosting.com/forums/programming-help/162529-php-begin-deprecation-ext-mysql-start-moving-your-development-pdo-now.html"]mysql extension[/URL] is outdated and on its way to deprecation. Instead, use PDO, which has many useful improvements, such as [URL=http://www.php.net/PDO.prepared-statements]prepared statements[/URL] and support for the [url=http://php.net/Traversable]Traversable[/url] interface, so you can loop over results with [c]foreach[/c]. If you need a PDO tutorial, try "[URL=http://www.kitebird.com/articles/php-pdo.html]Writing MySQL Scripts with PHP and PDO[/URL]".

[URL="http://stackoverflow.com/questions/321299/"]Don't use [FONT="Courier New"]SELECT *[/FONT][/URL] unless you're writing a DB administration program; select only the columns you need.

Fetching every user from the database is needlessly inefficient. Fetch only the data for the user account you're trying to verify.

Never store plaintext passwords. If someone cracks the server, they have all your users' passwords. Since most people use the same password with every account they have, you've just compromised other sites. At a minimum, [url=http://us.php.net/manual/en/ref.hash.php]hash[/url] a random value + the password (in that order; don't put the password first) using whirlpool or sha512 (though using [URL="http://en.wikipedia.org/wiki/PBKDF2"]PBKDF2[/URL] with a merely decent hash function would be stronger); store both the hashed password and the random value. Since you're using the random value for just one thing, it's also called a "nonce". A random value added to a value that you hash is called "salt". Salt doesn't have to be kept secret. When a user attempts to log in, hash the purported password before comparing to the stored hashed password. Read "[url=http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html]Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes[/url]" for an introduction to the issues and "[url=http://phpsec.org/articles/2005/password-hashing.html]Password Hashing[/url]" for info on implementing a password storage scheme. See also "[url=http://x10hosting.com/forums/programming-help/177621-problem-encrypting-passwords.html#post880241]Problem with encrypting passwords.[/url]"

[url=http://brainstormsandraves.com/articles/semantics/structure/#br][c]<br/>[/c][/url] isn't being used [url=http://webstyleguide.com/wsg3/5-site-structure/2-semantic-markup.html]semantically[/url]; use something more appropriate, such as a paragraph or [url=http://www.w3.org/TR/html401/struct/lists.html]list[/url] element, or use CSS to separate fields onto different lines.

The input labels should be wrapped in [URL="http://www.w3.org/TR/html5/forms.html#the-label-element"]<label>[/URL] elements for [URL="http://webstyleguide.com/wsg3/2-universal-usability/index.html"]accessibility[/URL] and semantics (the two are intimately related).

That better not be your real DB [URL="http://x10hosting.com/forums/free-hosting/114005-free-hosting-faqs-read-before-posting-new-thread.html#post649309"]password[/URL]. If it is, you've just revealed it to not only thousands of X10 users, but Google.

Your code mixes too many disparate [URL="http://en.wikipedia.org/wiki/Separation_of_concerns"]concerns[/URL] (DB access, display, user account management and authentication are all mixed together). Each should be handled by a separate module. The need for this leads to various architecture patterns, such as [URL="http://www.webopedia.com/quick_ref/app.arch.asp"]multi-tiered[/URL] and [URL="http://en.wikipedia.org/wiki/Model-view-controller"]MVC[/URL]. See also:
[list]
[*][url=http://oreilly.com/php/archive/mvc-intro.html]Understanding MVC in PHP[/url]
[*][url=http://anantgarg.com/2009/03/13/write-your-own-php-mvc-framework-part-1/]Write your own PHP MVC Framework (Part 1)[/url]
[*][url=http://www.phpro.org/tutorials/Model-View-Controller-MVC.html]PHP Tutorials–Model View Controller[/url]
[*][url=http://stackoverflow.com/a/8423720/90527]Separation of data access & display[/url] (code sample) (note: If you're tempted to post questions on StackOverflow, first read its FAQs (especially the [url=http://meta.stackoverflow.com/q/7931/133817]MetaSO FAQs[/url]), as SO likely doesn't work the way you may first think it does. SO isn't a forum but a Q&A site, a sort of super-FAQ for coding issues. Chances are, your questions have already been answered somewhere on the site.)
[/list]
 
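The points raised in this thread (headers sent before any output, a prepared PDO query for the one account, hashed passwords, database errors logged instead of displayed) combined in one added example; it is not code from any poster. Assumptions: a `PasswordHash` column, PHP's built-in `password_hash()`/`password_verify()` used in place of the hand-rolled salt-and-hash scheme described above, and an in-memory SQLite table with a constructed `demo` account standing in for the MySQL database.

```php
<?php
// Added example. Nothing (no DOCTYPE, no blank line) may precede this block,
// otherwise session_start() and header() can no longer send their headers.
session_start();

// True only when the submitted password matches the stored hash for $uname.
function authenticate(PDO $db, string $uname, string $password): bool
{
    // Prepared statement: one column, for the one account being checked.
    $stmt = $db->prepare('SELECT PasswordHash FROM Account WHERE Username = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads the salt and cost stored inside the hash string.
    return is_string($hash) && password_verify($password, $hash);
}

$isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
$uname = $_POST['uname'] ?? '';
$password = $_POST['password'] ?? '';
$error = '';
try {
    // Constructed stand-in for the real database: in-memory SQLite, one account.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Account (Username TEXT PRIMARY KEY, PasswordHash TEXT)');
    $db->prepare('INSERT INTO Account VALUES (?, ?)')
       ->execute(['demo', password_hash('constructed-sample', PASSWORD_DEFAULT)]);

    if ($isPost && is_string($uname) && is_string($password)
        && authenticate($db, $uname, $password)) {
        session_regenerate_id(true);   // fresh session ID once logged in
        $_SESSION['access'] = 'GRANTED';
        header('Location: http://tlib.x10.mx/tlib.php');
        exit;                          // safe here: no HTML has been sent yet
    }
    if ($isPost) $error = 'Wrong username or password.';
} catch (PDOException $e) {
    error_log($e->getMessage());       // details go to the server log only
    $error = 'Internal error, please try again later.';
}
?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Login screen</title></head><body>
<p><?= htmlspecialchars($error) ?></p>
<form action="index.php" method="post">
<p><label>Username: <input type="text" name="uname"></label></p>
<p><label>Password: <input type="password" name="password"></label></p>
<p><input type="submit" value="submit"></p>
</form></body></html>
```

For the real site, replace the SQLite setup lines with a PDO MySQL connection whose credentials are kept outside the web root.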