I have a problem with my PHP, apparently when I enter anything in username and password can log in even without being a user

Question

I have a problem with my PHP, apparently when I enter anything in username and password can log in even without being a user

Navigation

#1 by (2 votes)
#2 by (0 votes)

0

I have a problem with my php, apparently when I enter anything in username and password I can log in even without being a user

<?php
     session_start();
     require 'conexion.php';      

     if($_POST['proceso_ingreso']=="iniciando"){
        if($_POST['nombreUsuario']!="" && $_POST['password']!=""){

           #leyendo los paramentros ingresados
           $nombre =    $_POST["nombreUsuario"];
           $password =  $_POST["password"];         

           $query = "SELECT *FROM registro WHERE nombre = '$nombre' AND password = '$password'";

           if ($resultado = mysqli_query($mysqli, $query)){
                $numrows = mysqli_num_rows($resultado);
           }else if(!$numrows || mysqli_num_rows($resultado)!= 0){
                header('location: paginaDconsulta.php');    
           }else{
                echo "Usuario o contraseña incorrectos vuelve a ingresarlos";   

           }
       } else{
           echo "Por favor llenar todos los campos"; 
       }
    }
 ?>

mysql php

asked by Fred Albert Morales 26.06.2017 в 21:57

source

2 answers

How to send a link through AJAX? how can I achieve this with the editText?

score 2 · Answer 1

I made some changes to your code, change the way you wrote it, I leave you here the changes.

<?php
     session_start();
     require 'conexion.php';


     if($_POST['proceso_ingreso']=="iniciando"){
        if($_POST['nombreUsuario']!="" && $_POST['password']!=""){
            #leyendo los paramentros ingresados
            $nombre =    $_POST["nombreUsuario"];
            $password =  $_POST["password"];


          $query = "SELECT *FROM registro WHERE nombre = '$nombre' AND password = '$password'";
          $resultado = mysqli_query($mysqli, $query);
            if (mysqli_num_rows($resultado) > 0){

                header('location: paginaDconsulta.php');

            }else{

                echo "Usuario o contraseña incorrectos vuelve a ingresarlos"; 
            }

        }else{

            echo "Por favor llenar todos los campos"; 

        }
    }
 ?>

score 0 · Answer 2

I'll give you an alternative example, even so, I would use mysqli_prepare or PDO , since your code is vulnerable to attacks by SQL injection .

<?php
    session_start();
    require 'conexion.php';      

    if($_POST['proceso_ingreso']=="iniciando"){
        //empty — Determina si una variable está vacía.
        if(!empty($_POST['nombreUsuario']) && !empty($_POST['password'])) {

            //leyendo los paramentros ingresados.            
            //mysqli_real_escape_string — Escapa los caracteres especiales de una cadena para usarla en una sentencia SQL.
            $nombre =    mysqli_real_escape_string($mysqli,$_POST["nombreUsuario"]);
            $password = $_POST["password"];

            //Sentencia.
            $query = mysqli_query($mysqli,"SELECT * FROM registro WHERE nombre = '$nombre' AND password = '$password' LIMIT 1");

            //Comprobamos si existe registro.
            if (mysqli_num_rows($query)===1){           
                header('location: paginaDconsulta.php');    
            }else{
                echo "Usuario o contraseña incorrectos vuelve a ingresarlos."; 
            }

        } else{
           echo "Por favor llenar todos los campos."; 
        }
    }
?>