Hello! I have a slight issue where when I start my login session, to get to the secret page "that only people logged in are supposed to see," I can get there just fine when logging in. The issue is making it so you have to log in instead of just being able to type "http://www.site.com/admin.php" in the browser bar. So when I'm trying to make it so people can't just jump to the directory, some code I used that almost worked:
require "index.php";
if(empty($_SESSION['username'])) {
    header("Location: index.php");
    die("Redirecting to index.php");
}
which worked to keep them out... but also when using the login it doesn't let you pass... (And to the people who are saying "wait, why do you have a header and a die?": I just put that in to show I tried both. Not at the same time!)
Additional information:
database: phpmyadmin.
server test: localhost, wamp.
If you need additional information, just let me know and I can try my best to supply you with information.
This might be an obvious question (better to get them out of the way first), but all of the session information is managed before the if statement, right? And the specific session 'username' is defined?
Just to make sure that everything is working correctly there, I would write this line just before or in place of the if statement just to make sure that the session variable does have a value - it wouldn't make any sense if it did, in any case.
echo "username:{$_SESSION['username']}";
EDIT: Also, I would try the following equivalence. It's code that I've used on my website for a while and I don't remember having any problems with it.
Yes, they are followed by an if command, and 'username' is being fetched by the database query, along with the password. (Hope that's what you mean.)
I have it to where when they try to log in and it's bad it will say "Bad login, go back." And if it does match it will take them to the next part. I.e.
<?php
if(isset($_POST['submit'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
    $num = mysql_num_rows($result);
    if ($num == 0) {
        echo "Bad login, click <a href='index.php'> here to go-back</a>";
    } else {
        echo "you in";
        session_start();
        $_SESSION['username'] = $username;
        header("location: admin.php");
    }
}
?>
Sorry that's really spaced out... I can't seem to get it organized any other way. However, I'm not quite sure where you are saying I should insert the snippet of code you added at the bottom (the one you used on your site).
I was suggesting trying to use the inverse of the isset() command instead of the empty() command in your snippet. The empty() command will return false in a few cases you may not want, whereas !isset() will return true for only NULL and a declared, unassigned variable. Look at this.
Also, I'm pretty sure sessions have to be managed before any information is transmitted, like headers. I would remove any echo calls up to the point where the session variables you use are set, specifically the echo right above the session_start() call.
You always have to do session_start() before trying to access any $_SESSION vars. You include index.php in your admin.php, but index.php only calls session_start() when the script was accessed from a POST request. Because this is not the case (since you get to admin.php from a Location-header) the session is never initialized and consequently your $_SESSION variable is empty.
Also I want to point out that directly inserting POST variables into SQL queries is a very very bad idea. Google some info on mysql injection. You should process these variables first, which is easily done with mysql_real_escape_string().
Lastly, including your index file is pretty bad code design and should be avoided. I know you're learning so it's good to get on the right track early on. If I were you I would make a separate file and call it functions.php, then define in that file all sorts of functions that check whether a user is signed in or not (amongst other stuff you might use in more scripts) and then just include that anywhere you need. This not only looks cleaner, it also prevents all sorts of weird bugs and greatly improves code portability.
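An added example (not code from anyone in this thread) of the functions.php approach suggested above: session_start() runs before any $_SESSION access or output, admin.php calls one helper before printing anything, and the login query uses a PDO prepared statement with password_verify() in place of mysql_real_escape_string(). The file name, the users(username, password_hash) table and the PDO connection are assumptions.

```php
<?php
// functions.php (hypothetical file name): shared helpers included by
// every page. Added example, not the original poster's code.

// Start the session exactly once, before any output or $_SESSION access.
// This is the step the original admin.php skipped, so $_SESSION was empty.
function ensure_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Redirect anonymous visitors to the login page and stop the script,
// so typing admin.php into the address bar never renders its content.
function require_login(string $login_page = 'index.php'): void {
    ensure_session();
    if (empty($_SESSION['username'])) {
        header('Location: ' . $login_page);
        exit;
    }
}

// Verify credentials with a prepared statement (user input is bound as a
// parameter, never spliced into the SQL string) against a hashed password.
// Assumes a table users(username, password_hash) filled via password_hash().
function attempt_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    ensure_session();
    session_regenerate_id(true);   // fresh session id after the privilege change
    $_SESSION['username'] = $username;
    return true;
}

// admin.php would begin with (before any HTML is echoed):
//   require 'functions.php';
//   require_login();
// and the POST handler in index.php would do:
//   if (attempt_login($db, $_POST['username'], $_POST['password'])) {
//       header('Location: admin.php');
//       exit;
//   }
//   echo "Bad login, click <a href='index.php'>here to go back</a>";
```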
I just got a break from some work, I will see if I can apply those changes and tinker with it to get them to work. Just wanted to say thanks to everyone that posted something. I will eventually get this working, and I will definitely look into the SQL injections to make a more secure session.
A word of warning: If you do want to build your own session for testing/learning purposes, go for it. Otherwise, look into a tested & trusted framework (such as Zend Framework, Symfony, Yii, CodeIgniter, etc.) that does session handling for you and eliminates most common security flaws (unless you try really, really hard to recreate them).
Another word of notice for working with any programming language: you can learn it best with the help of a debugger. Get a proper IDE (NetBeans is free and okay; I prefer PhpStorm myself, which is awesome but costs money) that supports XDebug. Then you can put breakpoints where you want and observe the program as it runs.
I'm sorry for not providing any direct answers, but I hope that these tips will help you on your path.
Just to clarify: do you want to redirect not-logged-in users to the login page, or do you want to stop them from getting there by putting the address in the address bar? I don't do or like PHP too much, but if you still have this problem I'll be glad to help.