I am trying to make a login form using PHP and XAMPP. After clicking the access button the google opens to me a page with the code from archive I marked instead of run the function. Here is my code.

```php
function login(){
    session_start();
    $hostdb = "localhost";
    $userdb = "root";
    $passworddb = "";
    $db = "mapas";

    $data = mysqli_connect($hostdb, $userdb, $passworddb, $db);

    if ($data == false) {
        die("Error de conexion");
    }

    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $username = $_POST["username"];
        $password = $_POST["password"];
        $sql = "SELECT * FROM usuarios WHERE nombre='".$username."' AND password='".$password."'";
        $result = mysqli_query($data, $sql);
        $row = mysqli_fetch_array($result);

        if ($row["rol"] == "user") {
            $_SESSION['authenticatedU'] = true;
            header("location: usuario.php");
        }
        elseif ($row["rol"] == "admin") {
            $_SESSION['authenticatedA'] = true;
            header("location: admin.php");
        }
        else {
            echo "ERROR";
        }
        // mysqli_free_result()
    }
}
```

And the frontend:

```html
<form action="verify.php" method="post" accept-charset='UTF-8'>
    <h5>Iniciar sesión</h5>
    <div class="line"></div>
    <div class="datosUsuario">
        <p>Usuario:<br></p>
        <input class="usuario" type="text" name="username" placeholder="Nombre de usuario"><br><br>
        <p>Contraseña:<br></p>
        <input class="pass" type="password" name="password" placeholder="Escriba su contraseña"><br><br>
        <input class="boton" id="boton" type="submit" name="submit" value="Acceder">
    </div>
    <p class="olvidar"><a href="#">¿Has olvidado la contraseña?</a></p>
    <div class="line"></div>
</form>
```

And what I see.

[screenshot]

Thank you!

  • Can you please rephrase `clicking the access button the google opens to me a page with the code from archive I marked instead of run the function`? Do you mean the PHP code is being displayed instead of executing? Your code also is open to SQL injections and passwords should never be stored as plain text. – user3783243 May 15 '22 at 14:09
  • Exactly. I see the page with the code. I will add the screenshot to my question. – Ekaterina Skripnikova May 15 '22 at 14:40
  • Is archive/archivo an extension you are using? – user3783243 May 15 '22 at 15:39
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman May 15 '22 at 15:51
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman May 15 '22 at 15:51
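
What the two warnings above amount to for this login handler, as an added example that is not code from the question or its comments: a MySQLi prepared statement replaces the concatenated query, and `password_verify()` replaces the plain-text comparison. It assumes `usuarios.password` already holds `password_hash()` output; `find_user()` and the reworked `login()` signature are hypothetical names.

```php
<?php
// Added example, not the asker's code. Table and column names come from the
// question; ASSUMPTION: usuarios.password stores password_hash() output.
declare(strict_types=1);

function find_user(mysqli $db, string $username): ?array
{
    // The ? placeholder keeps $username out of the SQL text, so a value such
    // as "x' OR '1'='1" is matched as a literal name and never parsed as SQL.
    $stmt = $db->prepare('SELECT password, rol FROM usuarios WHERE nombre = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function login(mysqli $db, string $username, string $password): ?string
{
    $row = find_user($db, $username);
    // Unknown user and wrong password take the same failure path.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    // Allow-list the role so an unexpected value never grants a session.
    return in_array($row['rol'], ['user', 'admin'], true) ? $row['rol'] : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    if (!is_string($u) || !is_string($p)) {   // reject array-valued fields
        http_response_code(400);
        exit('ERROR');
    }
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db  = new mysqli('localhost', 'root', '', 'mapas');
    $rol = login($db, $u, $p);
    if ($rol === null) {
        http_response_code(401);
        exit('ERROR');
    }
    session_start();
    session_regenerate_id(true);              // fresh session id after login
    $_SESSION[$rol === 'admin' ? 'authenticatedA' : 'authenticatedU'] = true;
    header('Location: ' . ($rol === 'admin' ? 'admin.php' : 'usuario.php'));
    exit;                                     // stop output after the redirect
}
```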

0 Answers