I'm playing PHP for login and I'm using PDO



cf_member
11-14-2012, 11:31 PM
I have created a login page with a PDO connection for the db.
Then I got 5 files: index.php, login.php, securedpage.php,
user.php, connection.php, and the style.css.

And now I am submitting my login form, which is in login.php.
Instead of securedpage.php, it displays index.php
after submission. I wonder why it won't redirect to
securedpage.php. Can anyone give advice on why and how?
This is my securedpage.php


<?php

// Initialize session
session_start();

// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])){
    header("Location: index.php");
}

?>
<html> body goes along after this line.


And my user.php to process the login.


<?php

include_once('connection.php');

class User{

    private $db;

    public function __construct(){
        $this->db = new Connection();
        $this->db = $this->db->dbConnect();
    }

    public function Login($name, $pass){
        if(!empty($name) && !empty($pass)){
            $st = $this->db->prepare("select * from user where username=? and password=?");
            $st->bindParam(1, $name);
            $st->bindParam(2, $pass);
            $st->execute();

            var_dump($st->rowCount());
            if($st->rowCount() == 1){
                header('Location: securedpage.php');
            }else {
                echo "Incorrect username and password";
            }

        }else{
            echo "Please enter username and password";
        }

    }
}


I feel there is something missing in this part.
Can anyone give advice?

Thanks in advance. :)

Dormilich
11-15-2012, 06:46 AM
thought #1, why redirect when you can include the content directly?

thought #2, a User class should not do the redirect. what if the target page changes? cf. thought #1

thought #3, if you eventually make a redirect, do not proceed with the page. cf. thought #1

thought #4, SQL, if you’re only interested in whether the user’s credentials are correct, why fetch all the user data? using COUNT() and PDOStatement->fetchColumn() is better.

thought #5, a class should not echo directly. otherwise its uses (use places) are limited.

thought #6, where do you set $_SESSION['username']?

thought #7, I recommend to use bindValue() over bindParam() in this case (the Manual is a bit inconsistent on when to use what).

cf_member
11-18-2012, 10:03 AM
I'm not really good at this yet. Just following some random tuts, then analyzing how it was, etc...
#1 - Can you help me point?
#2 - What do you mean by changes, and is it possible with a user class?
#3 - I just want to go to another page once login has succeeded.
#4 - I'll try this one.
#5 - I'll try this one.
#6 - It was the name of my table col.
#7 - OK, I'll try this one.

Dormilich
11-19-2012, 02:26 PM
#1, example

// instead of
if ($condition)
{
    header("Location: page.php");
    exit;
}

// do
if ($condition)
{
    include "page.php";
    exit;
}

#2, what if you want to redirect to secure_page_2.php instead of securedpage.php?


#3, if you send a redirect header, you tell the browser to request a new page. but if you send further output along, you will transfer unnecessary data.
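
An added example, not part of the original posts: one way to apply thoughts #2, #3, #5, #6 and #7 together. It departs from thought #4 by selecting the stored hash rather than COUNT(), on the assumption that the password column holds password_hash() output; the in-memory SQLite table, the handleLogin() helper and the form field names are also assumptions.

```php
<?php
// Added example, not the thread's code. Assumptions: the `password` column holds
// password_hash() output; SQLite in memory stands in for the real database.
class User
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Returns a bool only: no echo, no header(), so the caller decides what happens next.
    public function login(string $name, string $pass): bool
    {
        if ($name === '' || $pass === '') {
            return false;
        }
        $st = $this->db->prepare('SELECT password FROM user WHERE username = ?');
        $st->bindValue(1, $name);
        $st->execute();
        $hash = $st->fetchColumn();        // false when the user does not exist
        return is_string($hash) && password_verify($pass, $hash);
    }
}

// Caller side (login.php in the thread); the form field names are assumed.
function handleLogin(User $user, array $post): string
{
    $name = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    if (!is_string($name) || !is_string($pass) || !$user->login($name, $pass)) {
        return 'index.php';
    }
    session_regenerate_id(true);           // fresh session id after authentication
    $_SESSION['username'] = $name;         // the key securedpage.php checks
    return 'securedpage.php';
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO user VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start();
header('Location: ' . handleLogin(new User($db), $_POST));
exit;                                      // stop so nothing follows the redirect
```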


