Script is not heading the user to defined page

Question

I have a form which I am using to register an user. Here I the form I am using.

<form method="post" name="registration_form" action="<?php echo esc_url($_SERVER['PHP_SELF']); ?>">
  <div class="form-group">
    <input type="text" name="username" id="username" class="inputs"><br />
    <input type="text" name="email" id="email" class="inputs" /><br />
    <input type="password" name="password" id="password" class="inputs" /><br />
    <input type="password" name="confirmpwd" id="confirmpwd" class="inputs" /><br />
    <input type="button" name="register" id="register" value="Register" onclick="return regformhash(this.form, this.form.username, this.form.email, this.form.password, this.form.confirmpwd);" class="btn"><br />
  </div>
  <div style="font-weight:bold;color:red"><p><?php
    if (!empty($error_msg)) {
      echo $error_msg;
    }
  ?>
  </p></div>
</form>

The register script should send the user, after adding to user to the database to the page register_success.php. But when I click on the submit button the script creates an new user and sends the user back to a blank register page (index.php).

Does someone know why the user dont gets sended to the register_success.php?

Here is my register script:

if (empty($error_msg)) {
    // Create a random salt
    $random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));

    // Create salted password 
    $password = hash('sha512', $password . $random_salt);

    // Insert the new user into the database 
    if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)")) {
        $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
        // Execute the prepared query.
        if (! $insert_stmt->execute()) {
            header('Location: ../error.php?err=Registration failure: INSERT');
            exit();
        }

        $user_id = mysqli_insert_id($mysqli);

        if ($insert_stmt2 = $mysqli->prepare("INSERT INTO members2 (user_id, username, email, password, salt) VALUES (?, ?, ?, ?, ?)")) {
            $insert_stmt2->bind_param('sssss', $user_id, $username, $email, $password, $random_salt);
            // Execute the prepared query.
            if (! $insert_stmt2->execute()) {
                header('Location: ../error.php?err=Registration failure: INSERT');
                exit();
            }
        }
    }
    header('Location: ./register_success.php');
    exit();
}

I also tried to add an else statement after:

if (! $insert_stmt2->execute()) {
    header('Location: ../error.php?err=Registration failure: INSERT');
    exit();
}

But the script still sends the user to index.php

Here is the function regformhash:

function regformhash(form, uid, email, password, conf) {
    // Check each field has a value
    if (uid.value == '' || email.value == '' || password.value == '' || conf.value == '') {
        alert('Error 1');
        return false;
    }

    // Check the username
    re = /^[. \w]+$/; 
    if(!re.test(form.username.value)) { 
        alert("Error 2"); 
        form.username.focus();
        return false; 
    }

    // Check that the password is sufficiently long (min 6 chars)
    // The check is duplicated below, but this is included to give more
    // specific guidance to the user
    if (password.value.length < 6) {
        alert('Error 3');
        form.password.focus();
        return false;
    }

    // At least one number, one lowercase and one uppercase letter 
    // At least six characters 
    var re = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{6,}/; 
    if (!re.test(password.value)) {
        alert('Error 4');
        return false;
    }

    // Check password and confirmation are the same
    if (password.value != conf.value) {
        alert('Error 5');
        form.password.focus();
        return false;
    }

Answer 1

I believe the problem is with how you're using the header() function. It appears you're using it like a file browser, when it requires a URL. There are two possible solutions.

1) If register_success.php is accessible. E.G., example.com/register_success.php, then you should be using...

header("Location: /register_success.php");

or...

header("Location: example.com/register_success.php");

However, this would not be a good way to structure your code, and I wonder if it actually isn't what you meant. So...

2) Assuming you are using the better approach of keeping your primary PHP code outside the web document tree, then you shouldn't be using the header() command at all. Replace the entire line with...

require_once("register_success.php");

Without a path prefix the command assumes register_success.php is in the same file directory as the original file.

If "better approach" doesn't make sense to you, please understand that it's good programming practice for (e.g.) index.php to contain one line: require("/some_directory_outside_web_root/my_index.php"); and all of your PHP files are in /some_directory_outside_web_root. If you don't do this, then it's possible (depending on how your server is set up) to download your PHP files as text files and users can suddenly get everything from your DB password to how you're using your database. Ug. Better to be completely safe. Cheers.