0
I have this code for an application from an online store but since I’m new in php I’m having some difficulty validating the login because when submitting the form it accepts everything you have written, whether the user exists in the database or not. What I’m missing from?
php menu.:
<!doctype html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Menu</title>
<?php
include ("estilos.php");
?>
</head>
<body>
<!-- menu -->
<div class="menu">
<ul>
<p><img src="imagens/logo.png" height="50px" width="50px"></p>
<p><h2>LOJA ONLINE LUIS NARCISO</h2></p>
<li><?php echo "<a href='index.php'> Produtos </a>";?></li>
<li><?php echo "<a href='carrinho.php'> Carrinho </a>";?></li>
<li><?php echo "<a href='forum.php'> Fórum </a>";?></li>
<li><?php echo "<a href='consultas.php'> Consultas </a>";?></li>
<li><?php echo "<a href='login.php'> Login/Registar </a>";?></li>
<li><?php
session_start();
if(!isset($_SESSION['username'])){
echo "<font color='white'>Olá  <b>convidado</font>";
} else {
echo "<font color='white'>Olá  <b>".$_SESSION['username']."</b><a href='logout.php'>Logout</a></font>";
};
?></li>
</ul>
</div>
</body>
</html>
login.php:
<!doctype html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Carrinho</title>
<?php
include ("menu.php");
?>
</head>
<body>
<!-- conteudo -->
<div class="conteudo">
<p><h1> Login/Registar </h1></p>
<!-- formulario login -->
<?php
if(!isset($_SESSION['username']) ){
if(!isset($_SESSION['']) and !isset($_SESSION['tentativas'])){
$_SESSION['codigo']=md5(rand());
$_SESSION['tentativas']=0;
$_SESSION['tempo_espera']=0;
}
if($_POST){
$_SESSION['tentativas']++;
if($_SESSION['tentativas']>10 and $_SESSION['tempo_espera']==0){
$_SESSION['tempo_espera']=time()+120;
} else {
if($_SESSION['codigo']==$_POST['codigo']){
$conexao = mysqli_connect("localhost", "root", "", "loja_online_lnarciso");
$hash = md5($_POST['password']);
$query = "SELECT * FROM utilizadores WHERE username = '{$_POST['username']}' and password = '{$hash}'";
$resultado = mysqli_query($conexao,$query);
$_SESSION['username']=$_POST['username'];
header("Location: {$_SERVER['PHP_SELF']}");
} else {
echo "formulário inválido!</br>";
}
}
} else if($_SESSION['tentativas']<10) {
?>
<form method="POST" action="">
<table align="center" width="300" border="0">
<tr>
<td><label>ENTRAR</label></td>
</tr>
<tr>
<td><label>Username</label></td>
<td><input type="text" name="username"><br></td>
</tr>
<tr>
<td><label>Password</label></td>
<td><input type="password" name="password"><br></td>
</tr>
<tr>
<td> </td>
<input type="hidden" name="codigo" value="<?php echo $_SESSION['codigo']; ?>" />
<td><input type="submit" value="login"></td>
</tr>
<tr>
<td><?php echo "<a href='utilizadores.php'><font color='black'> Registar </a></font>";?></td>
</tr>
</table>
</form>
<?php }
if($_SESSION['tempo_espera'] < time() and $_SESSION['tentativas']>10){
$_SESSION['tempo_espera']=0;
$_SESSION['tentativas']=0;
}
} else {
echo "<center>Login efetuado com sucesso!</center>";
}
?>
</div>
</body>
</html>
Why are you in one condition $_POST, without any logical verification ?
– Renato Junior