When the password or login is wrong the session is not closed

0

Good afternoon, I wrote a program to check whether the login data is wrong or not. When I put in the wrong data it gives me an alert saying that the login or password is incorrect, but when I click OK another alert appears saying that I logged in successfully and it goes to another page... what's happening?

code:

<html>

<head>
    <script src="../js/angular.min.js"></script>
    <script src="../js/jqueryAtualizado.js"></script>
    <script src="../js/jqueryAtualizado.min.js"></script>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
</head>

<body>
<?php
include("conexao.php");

if(isset($_POST['senha']) && strlen($_POST['login']) > 0){

    if(!isset($_SESSION))
        session_start();

    $_SESSION['login'] = $link -> escape_string($_POST['login']);
    $_SESSION['senha'] = $_POST['senha'];


    $sql_code = "SELECT senha, codigo FROM usuario WHERE login = '$_SESSION[login]'";
    $sql_query = $link -> query($sql_code) or die ($link -> error);
    $dado = $sql_query->fetch_assoc();
    $total = $sql_query-> num_rows;


    if($total == 0){
        echo "<script>alert('Login ou a senha estão errados.');</script>";
    }
    else{
        if($dado['senha'] == $_SESSION['senha']){

            $_SESSION['usuario'] = $dado['login'];

        }
    }

    if(count($total) != 0){
        echo "<script>alert('Login efetuado com sucesso.'); location.href='../Adm/AdmAgenda.php';</script>";
    }

}


?>
</body>

</html>

Thank you ...

    
asked by anonymous 18.01.2017 / 20:30

1 answer

2

The question is not whether the session is closed when the login is wrong, but rather that it should not even be set if the login is wrong. It should only come into existence if the login was ok. So, you would create it.

The ideal would look something like:

$login = $_POST['login'];
$senha = $_POST['senha'];

$resultado = $bd->consultarLogin($login);

if ($resultado && $resultado['senha'] === $senha) {
      // Only at this point would the session be created

      $_SESSION['usuario'] = $resultado;
}

The above code was merely illustrative; what matters in the end is that you understand the idea.

What's more, your code needs refactoring. It does not make sense, for example, to use count on $total, since it is a variable of type int. It also has redundant code.

I thought of something like this:

// Always remember that the session should come at the top of the script, as a precaution

if(!isset($_SESSION)) session_start();

include("conexao.php");

if(isset($_POST['senha']) && strlen($_POST['login']) > 0) {

    // Keep the submitted values in local variables, not in the session
    $login = $link -> escape_string($_POST['login']);
    $senha = $_POST['senha'];

    // login is selected too, because it is stored in the session below
    $sql_code = "SELECT login, senha, codigo FROM usuario WHERE login = '$login'";
    $sql_query = $link -> query($sql_code) or die ($link -> error);
    $dado = $sql_query->fetch_assoc();
    $total = $sql_query-> num_rows;

    // Unknown login and wrong password both end in the error alert;
    // the strict comparison avoids PHP's loose string matching
    if ($total == 0 || $dado['senha'] !== $senha) {
        echo "<script>alert('Login ou a senha estão errados.');</script>";

    } else {

        // The session is only written after the password has matched
        $_SESSION['usuario'] = $dado['login'];

        echo "<script>alert('Login efetuado com sucesso.'); location.href='../Adm/AdmAgenda.php';</script>";
    }

}

Note that I avoid putting things into the session before being logged in.

The code above is not the eighth wonder yet, but it improves on some of the redundancies.

    
18.01.2017 / 20:40
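
The same "write the session only after the check passes" rule, as an added example that is not part of the question or the answer above. It replaces the escaped query with a prepared statement and the plain-text comparison with `password_verify()`. The helper names `buscarUsuario` and `efetuarLogin` are hypothetical, and it assumes that `$link` is the mysqli connection from `conexao.php` and that `usuario.senha` holds a `password_hash()` value rather than the plain-text password the page's table stores.

```php
<?php
// Added example (hypothetical helper names). Assumes $link is the mysqli
// connection from conexao.php and usuario.senha holds a password_hash() value.

function buscarUsuario(mysqli $link, string $login): ?array
{
    // Prepared statement: the login is bound as data, never spliced into the SQL.
    $stmt = $link->prepare('SELECT login, senha, codigo FROM usuario WHERE login = ?');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null; // null when no row matches
}

function efetuarLogin(?array $dado, string $senha): bool
{
    // Unknown login and wrong password fail the same way; $_SESSION is untouched.
    if ($dado === null || !password_verify($senha, $dado['senha'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id once the user is authenticated
    }
    $_SESSION['usuario'] = $dado['login'];
    return true;
}

// In the login page this would be:
//   session_start();
//   $ok = efetuarLogin(buscarUsuario($link, $_POST['login']), $_POST['senha']);
// and the success alert/redirect is printed only when $ok is true.

// Constructed rows standing in for buscarUsuario() results, so this runs offline.
$linha = ['login' => 'maria', 'senha' => password_hash('senha-exemplo', PASSWORD_DEFAULT), 'codigo' => 1];
$_SESSION = [];
foreach ([[null, 'x'], [$linha, 'errada'], [$linha, 'senha-exemplo']] as [$dado, $senha]) {
    $ok = efetuarLogin($dado, $senha);
    printf("login %s, session has usuario: %s\n", $ok ? 'ok' : 'refused', isset($_SESSION['usuario']) ? 'yes' : 'no');
}
```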