Timothy Bomer - 1 month ago 7
MySQL Question

Issues logging in (With SQL) when using a .htaccess file?

Good evening SO community,

I've recently been working on a web project and ran into an interesting issue. I've searched all over the internet but was unable to resolve it. Here's what's going on.

When the user visits the website, it will automatically direct them to a login page. They simply enter their username and password and click the login button/link (or press enter) and it will send a request to the SQL server to verify the password, then log the user in, setting session variables for the user's data. Simple, right? It works fantastic! (Not much to gloat about. Simple PHP/SQL) Anyways, I continued working on the project and made plenty of progress. All along, the login system was working perfectly. I had to log in every day, and did so without issues.

I decided I wanted to take the file extension out of the URL (website.com/index.html to just website.com/index or website.com/dashboard.php to just website.com/dashboard). After doing a bit of research on the topic, I discovered that this can be done, fairly easily, by using a .htaccess file with a little bit of code. I created a .htaccess file and put the below code in it, then uploaded it to my server. I refreshed the page and tried a couple of links and saw that it did in fact remove the file extension. I was proud haha! Anyways, I continued working on the project with no issues. At the end of the day, I logged out and shut down my computer. The next day, I went to go log in and it said there was an error logging in (My custom error message when a match is not found in the SQL server for the username/password combination). I tried again a couple more times to no avail. Aggravated, I logged in to my control panel and SQL manager to check to make sure the information was accurate. It was. I thought about what I did the day before that could affect the login system and narrowed it down to the .htaccess file. I started up my FTP and deleted the file from the server, and attempted to log in again, with the same information. Guess what? It worked!

It caused no issues when working on it the day before since I was already logged in whenever I uploaded the file. In order for me to log in, I have to delete the .htaccess file, log in, then re-upload it. I can't figure this one out. With my luck, it's probably something simple that I'm missing. Please see my code below and let me know if you need any more information. (Hopefully I covered everything.)

.htaccess

Options +FollowSymLinks -MultiViews
# Turn mod_rewrite on
RewriteEngine On
RewriteBase /

## hide .php extension
# To externally redirect /dir/foo.php to /dir/foo
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s([^.]+)\.php [NC]
RewriteRule ^ %1 [R,L,NC]

## To internally redirect /dir/foo to /dir/foo.php
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^ %{REQUEST_FILENAME}.php [L]

RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^ %{REQUEST_FILENAME}.html [L]

RewriteCond %{HTTP_HOST} ^subDomain\.website\.com$ [NC]
RewriteRule ^(.*) http://www.subdomain.com/$1 [L,R]

RewriteCond %{HTTP_HOST} ^www.subDomain\.website\.com$ [NC]
RewriteRule ^(.*) http://www.subdomain.com/$1 [L,R]


The last four lines of code were put in to redirect a subdomain of a URL to a completely different domain. Ex: subdomain.website.com would redirect to subdomain.com.

login.php

<?php
session_start();
// Start from a logged-out state until the credentials are verified.
$_SESSION["LOGGEDIN"] = "FALSE";
$_SESSION["NAME"] = "NULL";
require_once 'myConnectionFile.php';

// Credentials arrive in the POST body; both are empty if the request was not a POST.
$uCheck = strtoupper($_POST['uName'] ?? '');
$pCheck = $_POST['pWord'] ?? '';

// Bind the user input as parameters instead of interpolating it into the SQL string.
$stmt = mysqli_prepare($conn, "SELECT id FROM USERNAMES WHERE uName = ? AND PASSWORDS = ?");
mysqli_stmt_bind_param($stmt, 'ss', $uCheck, $pCheck);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$count = mysqli_stmt_num_rows($stmt);
mysqli_stmt_close($stmt);

if ($count == 1) {
    $_SESSION["LOGGEDIN"] = "TRUE";
    $_SESSION["NAME"] = $uCheck;

    // Load the user's row (mysqli_stmt_get_result requires the mysqlnd driver).
    $stmt_SESSION = mysqli_prepare($conn, "SELECT * FROM USERNAMES WHERE uName = ?");
    mysqli_stmt_bind_param($stmt_SESSION, 's', $uCheck);
    mysqli_stmt_execute($stmt_SESSION);
    $result_SESSION = mysqli_stmt_get_result($stmt_SESSION);
    while ($row_SESSION = $result_SESSION->fetch_assoc()) {
        $_SESSION["USER"] = $row_SESSION['uName'];
        // LOAD SESSION VARIABLES HERE
    }

    header('Location: http://www.website.com/Dashboard.php');
    exit;
} else {
    // Headers must be sent before any output.
    header('Refresh: 3; URL=destroySessions.php');
    echo "Error logging in!";
}

// session_unset(); <- Unsets all session variables.
// session_destroy(); <- Destroys (Removes) a session.
?>


Keep in mind, I changed some of the information for security purposes.

After reviewing the code(s), can you see any reason the .htaccess file would prevent me/users from logging into my system?

Any suggestions are greatly appreciated!

Thanks in advance,

Tim

Answer

302 and 301 redirects will lose POSTed data and turn into a GET request. A good solution is to use a 307 redirect as it will remain a POST request during the redirect:

RewriteRule ^ %1 [R=307,L,NC]
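
The request flow behind this answer, as an added example (not code from the question or the answer): a small Python model of the question's extension-hiding rule and of how a browser follows the redirect. The handler, the `USERS` table and the form values are constructed stand-ins for login.php and its database; a bare `[R]` flag sends a 302.

```python
import re

# Same pattern as the RewriteCond on THE_REQUEST in the question's .htaccess.
THE_REQUEST_RE = re.compile(r"^[A-Z]{3,}\s([^.]+)\.php", re.IGNORECASE)

def external_redirect(request_line, status):
    """Model of the extension-hiding rule: (status, Location) or None."""
    m = THE_REQUEST_RE.match(request_line)
    return (status, m.group(1)) if m else None

def follow(method, body, status, location):
    """Browser behaviour in practice: 301/302/303 are re-requested as GET
    with no body; 307/308 repeat the original method and body."""
    if status in (307, 308):
        return method, location, body
    return "GET", location, {}

def login_handler(form, users):
    """Stand-in for login.php: it only sees what arrives in the form body."""
    name = form.get("uName", "").upper()
    stored = users.get(name)
    ok = stored is not None and stored == form.get("pWord")
    return "redirect to Dashboard" if ok else "Error logging in!"

def submit_login(status, users, form):
    """POST the form to /login.php and follow the rule's redirect, if any."""
    method, path, body = "POST", "/login.php", dict(form)
    hit = external_redirect(f"{method} {path} HTTP/1.1", status)
    if hit:
        method, path, body = follow(method, body, *hit)
    return method, path, login_handler(body, users)

# Constructed sample data, not taken from the page.
USERS = {"TIM": "example-password"}
FORM = {"uName": "tim", "pWord": "example-password"}

if __name__ == "__main__":
    for status in (302, 307):
        print(status, submit_login(status, USERS, FORM))
```

With a 302 the handler receives an empty form and reports a failed login even though the credentials are correct; with a 307 the POST body survives the redirect.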