Login system


Viewed 176 times

7

I made a website on which I implemented this file, which belongs to the login but does not work for me

<script type="text/javascript">


function loginsuccessufully(){
    setTimeout("window.location='backoffice/view.php'", 3000);
}

function loginfalhou(){
    setTimeout("window.location='../historia.php'", 3000);
}
</script>

<? php  include('backoffice/db-config.php') ?>
<? php

$nome = $_POST['nome'];
$password = $_POST['password'];
$db = mysql_query("SELECT * FROM 'users' WHERE nome = '$nome' and password = '$password' ") or die(mysql_error());
$num_row = mysql_num_rows($row);

if($num_row < 1){
    session_start();
    $_Session['nome']=$_POST['nome'];
    $_Session['password']=$_POST['password'];
    echo"tas dentro";
    echo" <script>loginsuccessufully()</script>";

} else{
    echo"Login falhoe";
    echo" <script> loginfalhou() </script>";

}
?>

It doesn't give me errors, it just runs the last echo

  • To start, mysql_* does not work in the latest versions of PHP; you can use Mysqli or PDO

  • @braulio_holtz Do you know which version of PHP it uses? Do you know if the error is in the database driver?

  • I don't know where the error is; it doesn't execute the code

  • The last echo... hmm... you mean the "Login failed"?

  • what appears to me in the browser is this: loginsuccessufully()</script>"; } Else{ echo"Login failed"; echo" <script> loginfalhou() </script>"; } ?>

  • @thingy Create a php file with the code <?php phpinfo(); run it and send the result: PHP version, something like that


3 answers

5

1. Changing the database adapter (recommended)

You should use PDO or Mysqli instead of mysql.

2. Handling of $_POST content (recommended)

Never pass magical request variables ($_POST, $_GET, etc.) along without proper sanitizing. You are doing this:

[...]

$nome = $_POST['nome'];
$password = $_POST['password'];

[...]

When I speak of sanitizing, I mean its literal meaning:

s.f. The action or effect of sanitizing.

(Etym. sanitize + -ation)

And sanitize, in turn:

v.t.d. To make clean; to become clean: to sanitize toilets. To stop being sick; to become healthy or hygienic.

(Etym. hygiene + -ize)

Your magical request variables are not healthy, because they can carry all sorts of mischief that can harm your application as a whole; this ranges from SQL injection to malicious characters that your application is not prepared to handle, which may be spaces or even something more exotic.

3. Problem in the query

The following code fragment is not correct:

[...]

$db = mysql_query("SELECT * FROM 'users' WHERE nome = '$nome' and password = '$password' ") or die(mysql_error());

[...]

The use of single quotes on database variables is incorrect. Instead, you can use the (fully optional) backtick "`", like this:

[...]

$db = mysql_query("SELECT * FROM `users` WHERE nome = '$nome' and password = '$password' ") or die(mysql_error());

[...]

4. Problem under session registration condition

You have the following fragment:

[...]

if($num_row < 1){

[...]

The problem there is in your condition. That is to say, if your query returns fewer than one result from the database, i.e. returns "0" valid logins, you register a session?

We then replace it with the following:

[...]

if($num_row == 1) {

[...]

Why == 1?

If the number of rows returned is greater than one, it means that we have more than one result, which cannot be right: either we have a problem in the query or there are two identical (or nearly identical) records in the database.

If the number of rows is equal to one, the margin of error is almost zero. Therefore, keep this option, which is the most suitable for your case.

3

Errors Found:

$db = mysql_query("SELECT * FROM 'users' WHERE nome = '$nome' and password = '$password' ") or die(mysql_error());
$num_row = mysql_num_rows($row);

You put $db in mysql_query but $row in mysql_num_rows($row); it should be mysql_num_rows($db).

Improved code:

<script type="text/javascript">
    function loginsuccessufully(){
        setTimeout("window.location='backoffice/view.php'", 3000);
    }
    function loginfalhou(){
        setTimeout("window.location='../historia.php'", 3000);
    }
</script>

<?php
    include('backoffice/db-config.php');   // the include statement needs its semicolon
    $nome      = $_POST['nome'];
    $password  = $_POST['password'];
    // table name in backticks (or unquoted), never in single quotes
    $query     = mysql_query("SELECT * FROM `users` WHERE nome = '{$nome}' and password = '{$password}' limit 1") or die(mysql_error());

    if(mysql_num_rows($query) == 1){       // pass the query result, not $row
        session_start();
        $_SESSION['nome']     = $_POST['nome'];       // the superglobal is $_SESSION, case matters
        $_SESSION['password'] = $_POST['password'];
        echo "tas dentro";
        echo "<script>loginsuccessufully()</script>";
    } else{
        echo "Login falhoe";
        echo "<script> loginfalhou() </script>";
    }
?>

Note: this is not the ideal code for the solution, because it uses mysql_*, which is deprecated (use PDO or Mysqli), and it reads $_POST directly where filter_input should be used.

  • this code helped, but now this error appears: Parse error: syntax error, unexpected T_VARIABLE in C:\wamp\www\pap_site\backoffice\loginmanage.php on line 12

  • And what would be the code of line 12?

  • Which line 12? I made another issue ...

  • now another error appears; the error is this: Warning: include(backoffice/db-config.php) [<a href='Function.include'>Function.include</a>]: failed to open stream: No such file or directory in C:\wamp\www\pap_site\backoffice\loginmanage.php on line 11, and line 11 is this: include('backoffice/db-config.php') ;

  • @thingy, it is not finding db-config.php in the backoffice folder!!!

  • This error indicates that the backoffice/db-config.php file does not exist; check its existence by accessing it: localhost/backoffice/db-config.php.

  • @lost but it was added, so much so that when asked for the code of line 11 he replied: include('backoffice/db-config.php');

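The first answer's four points (PDO instead of mysql_*, sanitized input, correct identifier quoting, the `== 1` row check) and the second answer's closing note (PDO or Mysqli, filter_input) all describe the same hardened handler, so here is one as an added example; it is not code from the question or from any of the answers. It assumes that backoffice/db-config.php creates a PDO connection in `$pdo` and that the `password` column of `users` holds a password_hash() hash rather than the plaintext the original compares against; the SQLite in-memory database in demo() is constructed so the file runs from the command line without MySQL. It also fixes two things the thread circled around: the open tag is `<?php` with no space (the `<? php` in the question is not an open tag, which matches the comment reporting that the browser displayed the PHP source), and the session stores only the user name, never the password.

```php
<?php
// Added example, not code from the question or the answers. Assumptions: the
// included backoffice/db-config.php sets up a PDO connection in $pdo, and the
// `password` column of `users` holds a password_hash() hash, not plaintext.
// The SQLite in-memory database in demo() is constructed so this runs from the
// CLI without MySQL. Note the open tag above is `<?php` with no space.
declare(strict_types=1);

/**
 * True only when exactly one user has this `nome` and the submitted password
 * verifies against the stored hash. The SQL text contains no user input: the
 * value is bound through a placeholder, so quoting problems and SQL injection
 * in the WHERE clause are gone, and the identifier uses the optional backticks.
 */
function authenticate(PDO $pdo, string $nome, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM `users` WHERE nome = :nome');
    $stmt->execute([':nome' => $nome]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // The answers' `== 1` rule: zero rows is a failed login; more than one row
    // means duplicate accounts and is treated as a failure too.
    if (count($rows) !== 1) {
        // Verify against a dummy hash (computed once) so that "unknown user"
        // and "wrong password" take about the same time.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    return password_verify($password, $rows[0]['password']);
}

/**
 * Web request handler: reads POST through filter_input() instead of touching
 * $_POST directly, runs the check, and records only the identity in the session.
 */
function handle_login(PDO $pdo): void
{
    session_start(); // before any output, otherwise the session cookie cannot be sent

    $nome = filter_input(INPUT_POST, 'nome', FILTER_DEFAULT);
    $password = filter_input(INPUT_POST, 'password', FILTER_DEFAULT);

    if (is_string($nome) && is_string($password) && authenticate($pdo, $nome, $password)) {
        session_regenerate_id(true);   // fresh session id once privilege changes
        $_SESSION['nome'] = $nome;     // $_SESSION (uppercase); never store the password
        header('Location: backoffice/view.php');
        exit;
    }

    // One generic message: do not reveal whether the user or the password was wrong.
    echo 'Login falhou';
    echo '<script>setTimeout(function () { window.location = "../historia.php"; }, 3000);</script>';
}

/** Stand-alone check against a constructed SQLite database standing in for MySQL. */
function demo(): array
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE users (nome TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (nome, password) VALUES (:nome, :hash)');
    $ins->execute([':nome' => 'braulio', ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);

    return [
        'right password'      => authenticate($pdo, 'braulio', 'correct horse'),
        'wrong password'      => authenticate($pdo, 'braulio', 'guess'),
        'unknown user'        => authenticate($pdo, 'nobody', 'correct horse'),
        'apostrophe in input' => authenticate($pdo, "o'neil", 'correct horse'), // bound as data, so no SQL error
    ];
}

if (PHP_SAPI === 'cli') {
    var_dump(demo());
} else {
    require __DIR__ . '/backoffice/db-config.php'; // assumed to define $pdo
    handle_login($pdo);
}
```

Run with `php loginmanage.php` from a shell to see the four demo cases; only the first should be true. Behind a web server the same file handles the POST, and because it prints nothing before `session_start()` and `header()`, the redirect replaces the JavaScript `setTimeout` hop of the original. The one remaining piece is the registration side, which has to store `password_hash($password, PASSWORD_DEFAULT)` in the `password` column for `password_verify` to have anything to check against.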

2


Do not use single quotes in table names, only in values.

$db = mysql_query("SELECT * FROM 'users' WHERE nome = '$nome' and password = '$password' ") or die(mysql_error());
$num_row = mysql_num_rows($row);

Pass the variable $db to mysql_num_rows() in place of $row

$db = mysql_query("SELECT * FROM users WHERE nome = '$nome' and password = '$password' ") or die(mysql_error());
$num_row = mysql_num_rows($db);
