So I rewrote your code a little bit. I did a few things:
- I converted your MySQL to MySQLi. MySQL is depreciated and will be removed. I used OOP style MySQLi, but you can do procedural style.
- I changed your query string. Sometimes SQL can get picky about formatting and sql really likes when you use the '`' character.
- Next I separated out your large hash statement. This was for readability.
- I also added an "isset" check for the salt and the password. This check just confirms that these values actually exist.
- I've added the "error" variable for "login_form.php" I would remove it at release, but it gives you as the programmer a good chance to see where your code seems to be going wrong.
- I've now also added "true" and "303" to your header area where you set the location. true is a boolean about whether or not it should override a previous set header value for Location. 303 tells the browser that it should "see other"
Finally I added some extra headers designed to remove any chance of caching. While I do not know of any browsers that would cache your page that requests a redirect, it could happen seeing as it's all about how the browser handles it.
$username = $_POST['username']; $password = $_POST['password']; $dbhost = 'localhost'; $dbname = '******'; $dbuser = '******'; $dbpass = '******'; //not really $sql_connection = new mysqli($dbhost, $dbuser, $dbpass, $dbname); $username = mysql_real_escape_string($username); $query = "SELECT password, salt FROM users WHERE username = '$username';"; $result = $sql_connection->query($query); if($result->num_rows != 1) //no such user exists{ header("Location: login_form.php"); die(); } $userData = $result->fetch_assoc(); if(!isset($userData['salt']) || !isset($userData['password'])){ header("Location: login_form.php?error=MissingInformation"); die(); } $salt = $userData['salt']; $password_hash = hash('sha256', $password); $hash = hash('sha256', $salt . $password_hash); $correct_password = $userData['password']; if($hash != $correct_password){ // incorrect header('Location: login_form.php'); die(); }else{ validateUser(); //sets the session data for this user } header("Location: membersonly.php", true, 303);
Hope it helps!
Edit: I would also recommend removing the redirect and looking at the result to make sure it's not returning a warning. If it's just a warning, your script will still execute and it will redirect, but you'll never see the error.