I’m having problems with my login system

Viewed 49 times

-1

<?php
include('conexao.php');

if(empty($_POST['usuario']) || empty($_POST['senha'])) {
    header('Location: index.html');
    exit();
}


$usuario = mysqli_real_escape_string($conexao, $_POST['usuario']);
$senha = mysqli_real_escape_string($conexao, $_POST['senha']);

$query = 'select usuario_id, usuario from usuario where usuario = '{$usuario}' and senha = md5('{$senha}')';

$result =  mysqli_query($conexao, $query);

$row = mysqli_num_rows($result); // mysqli_num_rows(): the old mysql_* functions cannot be mixed with mysqli

if($row == 1) {
    $_SESSION['usuario'] = $usuario;
    header('Location: home.html');
    exit();
} else {
    header('Location: index.html');
    exit();
}

It returns the following error:

Parse error: syntax error, unexpected '' and senha = md5('' (T_CONSTANT_ENCAPSED_STRING) in C:\xampp\htdocs\login.php on line 13

Please help me, I have no idea what it might be...

  • When using variables inside a string, use double-quoted strings. Anyway, on the line of your error, replace the first and last ' with ".

  • But to make a query to the database, even more so in an area as sensitive as login, please use at least mysqli::prepare().

  • Nor should md5 be used to "encrypt" passwords.

2 answers

1

I recommend using prepared statements for security reasons and to avoid major risks of SQL injection. I simulated a session by taking the user's access profile and the user's id, because that's all you would need, in theory, in a session:

<?php
include('conexao.php');

if (!$_POST || empty($_POST['usuario']) || empty($_POST['senha'])) {
    header('Location: index.html');
    exit();
}

// Bound parameters are sent separately from the SQL text, so they must not be
// escaped here (escaping would alter usernames that contain quotes).
$usuario = $_POST['usuario'];
$senha = MD5($_POST['senha']);

$query = "SELECT id, role FROM usuario WHERE usuario = ? AND senha = ?";

// The assignment needs its own parentheses: without them $stmt would receive
// the boolean result of the whole && chain instead of the statement handle.
if (!(($stmt = mysqli_prepare($conexao, $query)) && $usuario && $senha)) {
    header('Location: index.html');
    exit();
} else {
    $setParams = mysqli_stmt_bind_param($stmt, "ss", $usuario, $senha);
    $execute = mysqli_stmt_execute($stmt);
    $results = mysqli_stmt_get_result($stmt);

    // Check the result set before fetching from it: get_result() returns false on failure.
    if (!$results) {
        header('Location: index.html');
        exit();
    }

    $array_result = mysqli_fetch_assoc($results);

    //print_r($array_result);

    if (!isset($array_result['id'])) {
        header('Location: index.html');
        exit();
    }

    session_start();
    $_SESSION['usuario'] = $usuario;
    $_SESSION['id'] = $array_result['id'];
    $_SESSION['nivel_acesso'] = $array_result['role'];
    header('Location: home.html');
    exit();
}
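As an added example, not code from the question or from either answer, the same login written with a mysqli prepared statement and password_hash()/password_verify(), which covers both the injection point raised in the comments and the objection to md5. It assumes conexao.php provides $conexao and that the table has the columns usuario_id, senha_hash and role (assumed names).

```php
<?php
// Added example: hardened login.php. Assumes conexao.php defines $conexao (mysqli)
// and that table `usuario` has columns usuario_id, usuario, senha_hash, role (assumed).
declare(strict_types=1);

session_start();
include 'conexao.php';

function autenticar(mysqli $conexao, string $usuario, string $senha): ?array
{
    // The value is bound as a parameter and never concatenated into the SQL text,
    // so neither quotes nor an unquoted payload like 5 OR 1=1 can change the query.
    $stmt = $conexao->prepare(
        'SELECT usuario_id, senha_hash, role FROM usuario WHERE usuario = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $usuario);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() uses the salt stored inside the hash (bcrypt by default)
    // and compares in constant time; md5 offers neither.
    if (!$row || !password_verify($senha, $row['senha_hash'])) {
        return null;
    }
    return ['usuario_id' => (int) $row['usuario_id'], 'role' => $row['role']];
}

$usuario = $_POST['usuario'] ?? '';
$senha   = $_POST['senha'] ?? '';

if ($usuario === '' || $senha === ''
    || ($dados = autenticar($conexao, $usuario, $senha)) === null) {
    header('Location: index.html');
    exit();
}

session_regenerate_id(true); // fresh session id after login, against session fixation
$_SESSION['usuario']      = $usuario;
$_SESSION['id']           = $dados['usuario_id'];
$_SESSION['nivel_acesso'] = $dados['role'];
header('Location: home.html');
exit();

// At registration time store password_hash($senha, PASSWORD_DEFAULT) in senha_hash.
```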

-1

Hello @Jeanextreme002, all right? I updated the $_POST assigned to the variable "senha" and updated your query. Change your code like so:

<?php
include('conexao.php');
session_start(); // required before $_SESSION is written

if(empty($_POST['usuario']) || empty($_POST['senha'])) {
    header('Location: index.html');
    exit();
}


$usuario = mysqli_real_escape_string($conexao, $_POST['usuario']);
$senha = mysqli_real_escape_string($conexao, md5($_POST['senha']));

$query = "SELECT * FROM usuario WHERE usuario = '$usuario' AND senha = '$senha'";

$result =  mysqli_query($conexao, $query);

$row = mysqli_num_rows($result); // mysqli_num_rows(), not mysql_num_rows()

if($row == 1) {
    $_SESSION['usuario'] = $usuario;
    header('Location: home.html');
    exit();
} else {
    header('Location: index.html');
    exit();
}

I hope I helped. Regards, Minds'.

  • So @Minds, the way you did it, if I pass the parameter ' or 1 = 1 or 1 = ' in the field, I get into the system, because the query would be: SELECT * FROM usuario WHERE usuario = '' or 1 = 1 or 1 = '' AND senha = 'qualquercoisa'

  • The author's name is Pedro Henrrique. Jean was the editor improving the text.

  • @Ivanferrer But he’s using the mysqli_real_escape_string() function for the user and password fields.

  • I know @Andre, but mysqli_real_escape_string only escapes quotes; it does not prevent the data from getting in, and it is risky to think it does. For example, it does not protect you from: 5 OR 1=1

  • @Ivanferrer I understood, Ivan... I asked just out of curiosity... Thanks for the clarifications!

  • Welcome to SOpt @Minds, see the comment by Augusto Vasques above.
