Good morning!
I have the following code to log in to the system:
<?php
require_once('conexao.php');
// FETCH DATA FROM FORM USING METHOD POST
// IF BUTTON NAME "LOGIN" IS SET
if (isset($_POST['login'])) {
    // FETCH DATA FROM INPUT FIELDS
    $user = mysqli_real_escape_string($conexao, $_POST['usuario']);
    $pass = mysqli_real_escape_string($conexao, $_POST['password']);
    // CHECK THAT ALL FIELDS HAVE BEEN FILLED IN
    if ($user && $pass) {
        // QUERY FROM DATABASE
        $query = mysqli_query($conexao, "SELECT * FROM usuarios WHERE usuario='".$user."'");
        $checkuser = mysqli_num_rows($query);
        // CHECK IF USERNAME EXISTS IN DATABASE
        if ($checkuser != 1) {
            // I'LL BE SETTING A VARIABLE IF THE USER DOESN'T EXIST
            $error = "Username doesn't exist in our database!";
        }
        // FETCHING PASSWORD IN DATABASE WHERE USERNAME COINCIDES
        while ($row = mysqli_fetch_array($user)) {
            $checkpass = $row['senha'];
            // CHECK IF ENTERED PASSWORD MATCHES THE USERNAME'S PASSWORD
            if ($pass == $checkpass) {
                // IF ALL OKAY SET SESSION
                setcookie("usuario", $user, time()+7200);
                $_SESSION['usuario'] = $user;
                $_SESSION['start'] = time();
                $_SESSION['expire'] = $_SESSION['start'] + (60 * 60 * 60);
                header("Location: ../admin.php");
                exit();
            } else {
                // SET VARIABLE THAT'LL SHOW IF USER PASSWORD IS INCORRECT
                $error = "Incorrect password!";
            }
        }
    } else {
        // SET VARIABLE IF NOT ALL FIELDS ARE FILLED IN
        $error = "Please enter a username and password.";
    }
}
?>
When trying to log in, on the "login.php" page, I get the following error:
Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, string given in C:\xampp\htdocs\projetoqa\php\checklogin.php on line 32
Perfect! Thanks for the help! It worked right away! Another question, I do not know if it can be answered here. On my system, if the user changes the URL to the page he logs in to, in this case "admin.php", he can access it without logging in. Right? Is it something related to this code here? Or some other procedure?
– Rodrigo BRF
@Rodrigobrf in this case the correct thing would be to create a file where you check for the session you created in the login process. If it has expired, you deny access. You have to include this file at the beginning of every page with restricted access. I usually save, in this same file, the time the user accessed, but before that I check whether more than 5 minutes (or whatever time you prefer) have passed since the last access; if so, the session is invalidated.
– DontVoteMeDown
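The session check described in the comment above, as an added example that is not code from the thread. The file name `auth_guard.php`, the `last_access` session key and the `login.php` redirect target are assumptions; `$_SESSION['usuario']` and the 5-minute idle limit come from the page.

```php
<?php
// auth_guard.php (hypothetical name): require_once this as the first statement
// of every restricted page (e.g. admin.php), before any output is sent.
// Assumed here: the 'last_access' key and the login.php redirect target.
// From the page: $_SESSION['usuario'] and the 5-minute idle limit.
// Only $_SESSION is trusted; the "usuario" cookie is client-controlled.

const IDLE_LIMIT = 300; // seconds of inactivity allowed

// Pure decision function: is this session a live login at time $now?
function session_is_valid(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    if (empty($session['usuario'])) {
        return false;                    // the login script never set the user
    }
    if (!isset($session['last_access'])) {
        return true;                     // first restricted request after login
    }
    return ($now - (int) $session['last_access']) <= $idleLimit;
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!session_is_valid($_SESSION, time())) {
        // Invalidate the server-side data and the session cookie, then deny access.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: login.php');   // assumed location of the login form
        exit();
    }
    $_SESSION['last_access'] = time();   // slide the idle window forward
}

require_login();
```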
Perfect! I will research more deeply into it after I finish the rest of the programming. Thanks!
– Rodrigo BRF