1

My page is main.php; it was made with this code:

<?php
  include_once('createtables.php');
  include('function.php');

?>

<!DOCTYPE html>
<html lang="en">
<head>
  <title></title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="../includes/css/bootstrap.min.css">
  <link rel="stylesheet" href="../includes/css/main.css">
  <script src="../includes/js/jQuery.js"></script>
  <script src="../includes/js/login.js"></script>
  <script src="../includes/js/bootstrap.min.js"></script>
</head>
<body>
  <div class="container-fluid">
    <form id="lgform" action="checklogin.php" method="post">
      <h4 class="text-primary" id="llc"><img src="../includes/img/chatballoon.png"> Network Chat </h4>

      <div class="input-group" id="firstone">
        <span class="input-group-addon">
          <span class="glyphicon glyphicon-user"></span>
        </span>
        <input type="text" class="form-control" placeholder="Enter Account name" id="username" name="username" autofocus>
      </div>
      <div class="input-group" id="secondtwo">
        <span class="input-group-addon" id="password-addon">
          <span class="glyphicon glyphicon-lock"></span>
        </span>
        <input type="password" class="form-control" placeholder="Enter your password" aria-describedby="password-addon" id="password" name="password" autofocus>
      </div>
      <a href="createaccount.php" id="signup">Create Account</a>
      <input type="submit" class="pull-right btn btn-primary btn-sm" name="submit" id="submit" value="Enter now">
    </form>
  </div>
</body>
</html>

My checklogin.php looks like this:

<?php
    ob_start();
    session_start();

    include("function.php");

    $conn = new Functions();
    $conn = $conn->db;

    //define username and password

    $username = $_POST['username'];
    $password = $_POST['password'];

    $username = stripslashes($username);
    $password = stripcslashes($password);
    $salt = "dctech2015ABcRXd";
    $password = md5($password) . $salt;
    $password = sha1($password);


    //SELECT QUERY TO FIND IF INPUT INFORMATION WAS ON DATABASE
    $stmt = $conn->query("SELECT * FROM users WHERE username ='$username' AND password='$password'");

    //LOOP ENTIRE DATABASE ROW
    $count = $stmt->rowCount();

    //IF INFORMATION FOUND SELECT STATUS IF ALREADY ONLINE OR NOT
    if($count == 1){
        $status;
        $stmt = $conn->prepare("SELECT status FROM users WHERE username='$username'");
        $stmt->execute();
        while($checkstatus = $stmt->fetch(PDO::FETCH_OBJ)){
            $status = $checkstatus->status;
        }
        if($status == 'Online'){
            echo "online";

        }else{

            echo "success";
            $_SESSION['username'] = $username;
            $_SESSION['password'] = $password;

            $stmt = $conn->prepare("UPDATE users SET status='Online' WHERE username='$username'");
            $stmt->execute();
        }

    }

    ob_end_flush();
?>

The Ajax is here:

$(document).ready(function(){
    $("#submit").click(function(e){
        e.preventDefault();

        var username = document.getElementById("username").value;
        var password = document.getElementById("password").value;

        if(username==""){
            alert("Please enter your account name");
        }else if(password == ""){
            alert("Please enter your password");
        }else{
            $.ajax({
                type: "POST",
                url: "checklogin.php",
                data: "username="+username+"&password="+password,
                success: function(data){
                    if(data == "success"){
                        window.location.href="chat.php";
                    }
                    else if(data == "online"){
                        alert("account is already online");
                    }else{
                        alert("Invalid Account name/Account password");
                    }
                },error:function(data){
                    alert("an error occured through data");
                }
            });
        }

        document.getElementById("username").value = "";
        document.getElementById("password").value = "";
    });
    return false;
});

The problem is that the checklogin.php file is accessible from the browser. What I want is to prevent unauthorized users from going to this page, because even logged-in users, if they type register.php in the browser, will go to it, and it says username error etc.

This type of error: This error

DumDumDummy
  • Add checks on this page if the user is authorized or not. If not redirect to some other page. – Sougata Bose Jan 27 '16 at 06:26
  • Even an authorized user is able to view this, and it causes an error on this page. What I want is for this page not to be viewable. – DumDumDummy Jan 27 '16 at 06:29
  • If a form's submitting to it, then the visitor's browser will be going to it, unless via Ajax. So, to do what you're trying here, they'd still be visiting the page... – Darren Jan 27 '16 at 06:31
  • I will update my post. – DumDumDummy Jan 27 '16 at 06:31
  • Unrelated to the question, but your code has the classic SQL injection's best example. Please refer to this to fix it: http://stackoverflow.com/questions/601300/what-is-sql-injection – Gavriel Jan 27 '16 at 06:40
  • I already tried injecting the database with possible inputs. Give me possible inputs and I will try to inject it. – DumDumDummy Jan 27 '16 at 06:51

2 Answers

0

You should respond with the standard HTTP status code 401, so the browser knows it has failed to load the page:

if($count == 1){
   ...
} else {
    header("HTTP/1.1 401 Unauthorized");
    // or for php 5.4:
    http_response_code(401);
}

Update: For the errors you added later:

Before you access the values in $_POST, check if they are present:

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // ... all the rest of your code that depends on $_POST comes here
}
Gavriel
  • Sir @Gavriel: your post is helpful somehow, but when I am already logged in and then try to access checklogin.php, that error still shows. – DumDumDummy Jan 27 '16 at 07:02
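
A checklogin.php that combines this answer's two checks with the bound-parameter fix that Gavriel's comment on the question points to, as an added example that is not code from the question or the answers. It assumes PHP 7+, the question's `Functions` class exposing a PDO handle as `->db`, and a `users.password` column holding `password_hash()` output, which is not the question's hashing scheme; the 405 and 400 responses are also additions.

```php
<?php
// Added example, not the asker's file. Assumptions: function.php provides
// the Functions class with a PDO handle in ->db (as in the question), and
// users.password stores password_hash() output (the question stores
// sha1(md5($password) . $salt) instead).
session_start();
include 'function.php';

// Typing the URL into the address bar sends GET: refuse before touching $_POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    http_response_code(405);
    exit;
}

// Missing or non-string fields (e.g. username[]=x) are rejected up front.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
    http_response_code(400);
    exit;
}

$db = (new Functions())->db;
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Bound parameter: the username travels as data, never as part of the SQL text.
$stmt = $db->prepare('SELECT password, status FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$user = $stmt->fetch(PDO::FETCH_OBJ);

// Same response for an unknown user and a wrong password.
if ($user === false || !password_verify($password, $user->password)) {
    http_response_code(401);
    exit;
}
if ($user->status === 'Online') {
    echo 'online';
    exit;
}

session_regenerate_id(true);        // fresh session id once authenticated
$_SESSION['username'] = $username;  // no password or hash kept in the session

$stmt = $db->prepare("UPDATE users SET status = 'Online' WHERE username = :u");
$stmt->execute([':u' => $username]);
echo 'success';
```

With a 401, 400 or 405 response, jQuery's `$.ajax` calls the `error` callback instead of `success`, so the question's "Invalid Account name/Account password" alert would have to move there.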
0

You can add some checking to your check_login script to see if the URL matches and kick it back. if(strpos($_SERVER['REQUEST_URI'], 'register.php')) exit() or something to that effect.

b3tac0d3