Security failure (PHP, JS, API, MYSQL)

0

I made a site with login, registration, and so on. I validated the login and the registration with the POST method; the site is on the server and everything, but when I enter the URL of an inner page directly, it loads. Is it some mistake I may have made, or is it "normal"?

LOGIN

<form name="formulario" id="formEnvia" action="valida.php" method="POST">
    <label>CPF*</label>
    <input type="text" id="cpf" name="cpf" class="form-control input-lg" placeholder="000.000.000-00" maxlength="14" pattern="\d{3}\.\d{3}\.\d{3}-\d{2}"
           title="Digite o CPF no formato nnn.nnn.nnn-nn" required />
    <br>
    <label for="inputEmail">E-mail*:</label>
    <input type="email" id="inputEmail" name="inputEmail" class="form-control input-lg" placeholder="[email protected]" maxlength="50" required />
    <br>
    <button type="submit" onclick="valida_envio()" class="btn btn-primary btn-lg btn-block">
        <span class="glyphicon glyphicon-ok"></span>
        Acessar</button>
</form>

LOGIN VALIDATION:

<?php

require_once "conexao.php";

$email = $_POST['inputEmail'];
$cpf = $_POST['cpf'];

$query = "SELECT * FROM usuarios WHERE cpf = '$cpf' AND email = '$email'";

$querySelect = mysqli_query($conn, $query);

if (mysqli_num_rows($querySelect) <= 0) {
    echo "<script type='text/javascript'>alert('Email ou cpf incorretos.');window.location.href='index.html';</script>";
    die();
} else if (mysqli_num_rows($querySelect) > 0) {
    setcookie("login", $cpf);
    header("Location:Postagem.html");
}
    
asked by anonymous 17.11.2017 / 14:24

2 answers

1

According to the code, what is missing is that you use a session and check on the page whether the session exists; if it does, you let the user through.

NT: You need to start the session first, in order to set the values, using the session_start() method. That is, go to the first PHP file that is called and put that method there.

NT2: I recommend reading about sessions and about access restriction in PHP.

Example:

Assuming this is the first page (login.php):

<?php
    session_start();
?>

<form name="formulario" id="formEnvia" action="valida.php" method="POST">
    <label>CPF*</label>
    <input type="text" id="cpf" name="cpf" class="form-control input-lg" placeholder="000.000.000-00" maxlength="14" pattern="\d{3}\.\d{3}\.\d{3}-\d{2}"
           title="Digite o CPF no formato nnn.nnn.nnn-nn" required />
    <br>
    <label for="inputEmail">E-mail*:</label>
    <input type="email" id="inputEmail" name="inputEmail" class="form-control input-lg" placeholder="[email protected]" maxlength="50" required />
    <br>
    <button type="submit" onclick="valida_envio()" class="btn btn-primary btn-lg btn-block">
        <span class="glyphicon glyphicon-ok"></span>
        Acessar</button>
</form>

Assuming you have already submitted the POST and passed the data (valida.php):

<?php
session_start(); // every request that reads or writes $_SESSION must start the session first

require_once "conexao.php";

$email = $_POST['inputEmail'];
$cpf = $_POST['cpf'];

$query = "SELECT * FROM usuarios WHERE cpf = '$cpf' AND email = '$email'";

$querySelect = mysqli_query($conn, $query);

if (mysqli_num_rows($querySelect) <= 0) {
    echo "<script type='text/javascript'>alert('Email ou cpf incorretos.');window.location.href='index.html';</script>";
    die();
} else if (mysqli_num_rows($querySelect) > 0) { // here you redirect to the posting page, right?

    // edited
    // setting the values in the session
    // NT: you need to start the session before anything else
    $_SESSION["email"] = $email; // no trailing space in the key, otherwise the check on Postagem.php never matches
    $_SESSION["cpf"] = $cpf;

    //setcookie("login", $cpf);

    header("Location:Postagem.php"); // after renaming the page to .php
    exit; // stop the script; header() alone does not end it
}

Assuming you are on the page Postagem.php:

<?php
session_start(); // needed on every page that reads $_SESSION
// isset checks whether the variable exists
if (isset($_SESSION['email']) && isset($_SESSION['cpf'])) {
?>
    <!-- page content here -->
    <h1>página postagem</h1>
<?php
} else {
    // redirect to the login page if there is no session
    header('Location: index.php');
    exit;
}
?>
    
17.11.2017 / 15:04
0

I managed to solve it like this:

Connecting to the database:

<?php

$conn = new mysqli("localhost", "root", "", "portal");

if ($conn->connect_error) {
    die("Falha ao conectar!, Motivo: " . $conn->connect_error);
}

Validating login:

<?php

if (isset($_REQUEST['valida'])) {
    $cpf = $_REQUEST['cpf'];
    $email = $_REQUEST['email'];

    $query = "SELECT * FROM usuarios WHERE cpf = '$cpf' AND email = '$email'";

    $querySelect = mysqli_query($conn, $query);

    if (mysqli_num_rows($querySelect) == 0) {
        echo "Erro ao logar";
    } else {
        $_SESSION['cpf'] = $cpf;
        $_SESSION['email'] = $email;
        header("Location:postagem.php");
        exit;
    }
}

My index page:

I start with: <?php session_start(); include 'config/conexao.php'; ?>

That is the directory where I saved my connection to the DB.

And at the end of the code I put:

<?php include 'config/valida.php' ?> That is where I saved the code that validates the login.

On my site page I start with:

<?php session_start(); ?>

<?php

// send anyone without a session back to the login page; either value missing is enough
if (!isset($_SESSION['cpf']) || !isset($_SESSION['email'])) {
    header("Location: ../index.php");
    exit;
}

?>

Right after the <body> tag I put:

<?php

$secao_cpf = $_SESSION['cpf'];
$secao_email = $_SESSION['email'];

?>

And right after the "exit" button I put:

<?php
if (isset($_REQUEST['sair'])) {
    session_destroy();
    header("Location:index.php");
    exit;
}
?>

So no one can enter the site directly through the link; only those who log in correctly get in.

    
22.11.2017 / 17:40
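Both answers gate pages on session values set at login; the following is an added example (not code from the question or either answer) that puts the login, the page gate and the logout in one include, assuming the question's usuarios table (columns cpf, email), the $conn mysqli object from conexao.php, and a hypothetical file name auth.php. It also binds the POST values with a prepared statement instead of splicing them into the query string, regenerates the session id on login, and calls exit after every redirect.

```php
<?php
// Added example, not code from the question or either answer. It assumes the same
// "usuarios" table (columns cpf, email) and the $conn mysqli object from conexao.php;
// the file name auth.php and the function names are hypothetical.
session_start();

// Gate: call at the very top of every protected page, before any output.
function require_login(): void {
    if (empty($_SESSION['cpf']) || empty($_SESSION['email'])) {
        header('Location: index.php');
        exit; // header() alone does not stop the script; the page body would still be sent
    }
}

// Login: a prepared statement keeps POST values out of the SQL; regenerate the id on success.
function login(mysqli $conn, string $cpf, string $email): bool {
    $stmt = $conn->prepare('SELECT cpf, email FROM usuarios WHERE cpf = ? AND email = ?');
    $stmt->bind_param('ss', $cpf, $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    if ($row === null) {
        return false;
    }
    session_regenerate_id(true);        // an id issued before login cannot be reused afterwards
    $_SESSION['cpf']   = $row['cpf'];   // keys must match exactly what require_login() checks
    $_SESSION['email'] = $row['email'];
    return true;
}

// Logout (call it when the "sair" button is POSTed): clear the data, expire the cookie, destroy.
function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: index.php');
    exit;
}

// Dispatch: only a POST from the form logs in, so typing a URL (a GET) never does.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['cpf'], $_POST['inputEmail'])) {
    require_once 'conexao.php';
    if (login($conn, $_POST['cpf'], $_POST['inputEmail'])) {
        header('Location: postagem.php');
        exit;
    }
    echo 'Invalid e-mail or CPF.';
}
```

A protected page then starts with `require 'auth.php'; require_login();` before any HTML, and the page that handles the "sair" button calls logout().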