Login with PHP + MYSQL +MD5

Asked

Viewed 3,257 times

2

I created a login form with the following code:

Login.html:

<form action="login.php" method="post">
<input type="hidden" name="id" value=''>
Usuário<input type="text" name="usuario" id="usuario" >
Senha<input type="password" name="senha" id="senha">
<input type="submit" name="entrar" id="entrar" value="Entrar">
</form>

The php code:

Login.php:

<?php
//inclui arquivo com conexao ao banco
include_once('db.php');

$usuario = mysql_real_escape_string($_POST['usuario']);
$senha = md5(mysql_real_escape_string(($_POST['senha'])));
$entrar = $_POST['entrar'];
    if ($_POST['entrar']) {

        $sql = "SELECT * FROM login WHERE usuario='$usuario' AND senha='$senha'" or die("erro ao selecionar");
        $acao_sql = $mysqli->query($sql);

            if ($acao_sql=mysqli_num_rows($sql)>=0){

                setcookie("usuario",$usuario);
                header("Location:painel.php");

            }else{
                echo"<script language='javascript' type='text/javascript'>alert('Login e/ou senha incorretos');window.location.href='login.html';</script>";
                die();

            }
    }
?>

The problem is that any password and user I put in, it enters the system (panel.php).

php mysql md5
  • 1

    http://answall.com/questions/13386/login-em-php-com-niveis-de-permissao?rq=1 I made a very similar example but, serves as a basis!

  • 1

    Just as a recommendation: do not use MD5 because it is more than proven that it is not very safe these days - use another hashing method like bcrypt or at least SHA512 with 12 characters. You can always improve this with an additional field in the database, known as SALT, which is generated in a unique way and does not repeat, increased attack difficulty.

  • 1

    @walrus I will research on this, thank you for the tip!

2 answers

4


Are you using the comparison operator >= (Maior ou Igual) in the stretch, mysqli_num_rows($sql) >= 0, that is, if you find the user > maior do 0, if you don’t find, Igual a 0, in this case, your if always returns true, and redirects to painel.php.

Plus you need to do mysqli_num_rows of result of the query, i.e., $acao_sql->num_rows.

Edit your code to:

if($acao_sql->num_rows == 1)

or

if($acao_sql->num_rows > 0)

  • I have already tested the following error: Warning: mysqli_num_rows() expects Parameter 1 to be mysqli_reuslt

  • I edited the code, actually you need to do mysqli_num_rows of result, try again.

  • Very grateful for your help!

  • It is important to use start_session() for this type of application?

  • 1

    Yes, it is important and besides the tip given by @morsa, there are other important recommendations to be followed for more security, see some on this link: http://pt.wikihow.com/Criar-um-Script-de-Login-Seguro-PHP-e-MySQL

  • I am using the following code to force the user to log in to certain pages: $login_cookie = $_COOKIE['user']; if(isset($login_cookie)){ echo"Welcome, $login_cookie <br>"; Is something wrong? 'Cause it’s not working.

  • Do, var_dump($login_cookie); exit; before your if and analyze the result.

  • Result: string 'user' (length=7)

  • Exactly, your script tests if(isset($login_cookie)), isset test whether the variable has been initialized, therefore the if always returns true.

  • for the reason of always returning true, is what makes the user logged in or not entering the page?

  • Yes, even for users who have not correctly entered the login and password you are initiating the variable $login_cookie.

  • Do you know any material I can follow to try to soluiconate?

Show 7 more comments

0

If you are using version (PHP 5 >= 5.5.0) I strongly recommend using password_hash or if < 5.5.0, use phpass.

Browser other questions tagged php mysql md5

You are not signed in. Login or sign up in order to post.