How to fix Server Status Code: 302 Found by SQL Inject Me Firefox Addon

Question

I scanned my login script using SQL Inject Me Firefox addon

According to the Test Results, my script was vulnerable to SQL Injection. Result by example

Results:
Server Status Code: 302 Found
Tested value: &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49
Server Status Code: 302 Found
Tested value: 1' OR '1'='1
Server Status Code: 302 Found
Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE
Server Status Code: 302 Found
Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31

My script

1. login.php - Login form

2. check-login.php - To check login detail and here is the code.

   $email = clean($_POST['username']); $pass = clean($_POST['password']); $user = "select * from tbl_admin where admin='$email' and pass='$pass'";

   // some code

   $_SESSION['login_mes'] = "You have successfully logged in !"; header("Location:admin.php"); exit();

   } else {

   $_SESSION['login_mes'] = "Invalid email address or password, please try again."; header("Location:login.php"); exit(); }

The problems came when login failed. If I remove the

} else {

$_SESSION['login_mes'] = "Invalid email address or password, please try again.";
header("Location:login.php");
exit();
}

No failures detect by SQL Inject Me and how to fix this part?

Answer 1

302 is the server's way of saying "I want you to go to [somewhere else]" (in this case login.php). It is not an error but a perfectly normal response. Especially in your case it makes much more sense (if you ask me) to send the user to a login page after a SQL injection attempt than to let him in.