0

I have this index.php code:

<?php
 session_start();
 session_destroy();
?>

<!DOCTYPE html>
<html lang="es">
<meta charset="utf-8">
<head>
<title>Login</title>
<link rel="stylesheet" type="text/css" href="css/estilos.css">
</head>
<body>
<center>
<div class="caja_login">
<form method="POST" action="validar.php">
    <label>Nombre de usuario:</label><input type="text" name="nombre" placeholder="Usuario" required/><br><br>
    <label>Contraseña:</label><input type="password" name="contraseña" placeholder="Contraseña" required /><br><br>
    <input type="submit" value="Entrar" class="enviar" placeholder="Entrar"/><br>
</form>
</div>
<div class ="caja_registro">
<form method="POST">
    <label>¿Aún no estás registrado?</label><br>
    <label>Nombre de usuario:</label><input type="text" name="nombrerg" placeholder="Nombre de usuario" required><br>
    <label>Contraseña:</label><input type="password" name="contrarg" placeholder="Contraseña" required>
    <input type="submit" name="registro" value="Crear Cuenta"><br>
    </form>
</div>
<h1><?php include("conexion.php");?></h1>
</center>

<?php//para el registro
 include("conexion.php");
 if(isset($_POST['registro'])){
    $sql = 'SELECT FROM cuenta';
    $rec = mysqli_query($conexion, $sql);
    $verificar =0;

    while ($resultado = mysql_fetch_array($rec)) {
        if ($resultado->nombre == _POST['nombrerg']) {//verificamos que el nombre de usuario no existe
            $verificar = 1;//si verificar es 1 es que el usuario esta repetido
        }
    }
    if ($verificar == 0) {//si varificar es 0 entonces el nombre no esta repetido
        $nom = _POST['nombrerg'];
        $pw = _POST['contrarg'];

        $conexion->query("INSERT INTO cuenta (usuario, contraseña) VALUES ('$nom','$pw')";
        mysqli_query($conexion, $sql);

        echo 'Te has registrado con exito';

    }else{
        echo "El nombre de usuario ya existe!";
    }

 }

?>
</body>
</html>

When I go to the page, it shows everything right, but below everything it shows the PHP code, and when I click the button "registro" it doesn't insert the data into the DB.

The page is a simple login and register, but as I said the register button (registro) isn't working.

EDIT:

This is what is showing at the bottom of the page:

nombre == _POST['nombrerg']) {//verificamos que el nombre de usuario no existe $verificar = 1;//si verificar es 1 es que el usuario esta repetido } } if ($verificar == 0) {//si varificar es 0 entonces el nombre no esta repetido $nom = _POST['nombrerg']; $pw = _POST['contrarg']; $conexion->query("INSERT INTO cuenta (usuario, contraseña) VALUES ('$nom','$pw')"; mysqli_query($conexion, $sql); echo 'Te has registrado con exito'; }else{ echo "El nombre de usuario ya existe!"; } } ?>

  • Please don't store passwords in plain text – Dylan Madisetti May 19 '17 at 19:04
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 19 '17 at 19:34

3 Answers

2

It's due to your code-formatting.

Change this:

<?php//para el registro

To:

<?php //para el registro

And this:

    $conexion->query("INSERT INTO cuenta (usuario, contraseña) VALUES ('$nom','$pw')";

To:

    $conexion->query("INSERT INTO cuenta (usuario, contraseña) VALUES ('$nom','$pw')");

In the last one, you're missing an ending ) after the last "

For the other ones, having the //-comment without space from the start-tag <?php prevents it from being interpreted correctly.

As a side-note, you have two includes right after each other, for the same file, one of them inside a <h1> for no reason.

Also, your code is horribly prone to SQL injection attacks.

junkfoodjunkie
  • 1
    Upvoted for pointing out sql injection. Read more about them [here](https://www.owasp.org/index.php/SQL_Injection) and [here](https://xkcd.com/327/). I would recommend not rolling out your own authentication. Use an existing framework if you can – Dylan Madisetti May 19 '17 at 19:13
  • `Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\PrograWebInd\index.php on line 41 Notice: Use of undefined constant _POST - assumed '_POST' in C:\xampp\htdocs\PrograWebInd\index.php on line 47 Warning: Illegal string offset 'nombrerg' in C:\xampp\htdocs\PrograWebInd\index.php on line 47 Notice: Use of undefined constant _POST - assumed '_POST' in C:\xampp\htdocs\PrograWebInd\index.php on line 48 Warning: Illegal string offset 'contrarg' in C:\xampp\htdocs\PrograWebInd\index.php on line 48` – user8004087 May 19 '17 at 19:23
  • 1
    Then fix those errors? You're missing `$` from the beginning of the `_POST` assignments – junkfoodjunkie May 19 '17 at 19:28
  • Ok, and for the error: `Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\PrograWebInd\index.php on line 41` ? – user8004087 May 19 '17 at 19:43
  • That is a normal error - it means the query you're running is not returning a result, but `false`, which is a boolean 0 (zero). That cannot be used as a result for fetching the info, naturally, and you get an error. You need to fix your query. – junkfoodjunkie May 19 '17 at 19:47
0

<?php//para el registro is probably causing problems. Change it to <?php //para el registro (notice the space)

If the rest of the php renders, then it's unlikely a server issue.

Also, the variable for post is $_POST not _POST

Just to reiterate: please don't store passwords in clear text. Here's a good article explaining why. For more questions related to that, feel free to check out other StackExchange sites like security.

Dylan Madisetti
0

In the code below, I put a line break to separate where the PHP started from your comment. After that, I noticed you were using both mysqli and mysql functions and changed to mysqli only, and inserted $ where it was missing in $_POST. Your last query had a column named contraseña; do not use special characters in column names. I've changed it to contrasena.

<?php
// for registration
 include("conexion.php");
 if(isset($_POST['registro'])){
    // 'SELECT FROM cuenta' is not valid SQL, so mysqli_query() returned false
    $sql = 'SELECT * FROM cuenta';
    $rec = mysqli_query($conexion, $sql);
    $verificar =0;

    while ($resultado = mysqli_fetch_array($rec)) {
        // mysqli_fetch_array() returns an array, not an object; the column is usuario, as in the INSERT below
        if ($resultado['usuario'] == $_POST['nombrerg']) {// check whether the username already exists
            $verificar = 1;// 1 means the username is already taken
        }
    }
    if ($verificar == 0) {// 0 means the username is not taken
        $nom = $_POST['nombrerg'];
        $pw = $_POST['contrarg'];

        // closing parenthesis moved outside the string so the call parses;
        // the SQL is still built by string interpolation, which the comments on the question flag as injectable
        $conexion->query("INSERT INTO cuenta (usuario, contrasena) VALUES ('$nom','$pw')");

        echo 'Te has registrado con exito';

    }else{
        echo "El nombre de usuario ya existe!";
    }

 }

?>
</body>
</html>
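
The comments on the question recommend prepared statements with bound parameters and not storing passwords in plain text. The following is an added example, not code from the question or from any of the answers, showing the registration step written that way with PDO. It assumes the `cuenta (usuario, contrasena)` table from the last answer; the function names are hypothetical, and an in-memory SQLite database stands in for the MySQL connection from `conexion.php` so that it runs without a server.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in memory replaces the MySQL database behind conexion.php.
function abrirBase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // A key on usuario lets the database reject duplicates atomically,
    // instead of reading every row and comparing names in PHP.
    $db->exec('CREATE TABLE cuenta (usuario TEXT PRIMARY KEY, contrasena TEXT NOT NULL)');
    return $db;
}

// Returns true when the account was created, false when the name is taken.
function registrar(PDO $db, string $usuario, string $clave): bool
{
    // Store only a salted hash, never the password itself.
    $hash = password_hash($clave, PASSWORD_DEFAULT);
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO cuenta (usuario, contrasena) VALUES (:u, :p)');
    try {
        $stmt->execute([':u' => $usuario, ':p' => $hash]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // integrity constraint violation
            return false;
        }
        throw $e;
    }
}

// Login check: fetch the hash with a bound parameter, then verify.
function verificar(PDO $db, string $usuario, string $clave): bool
{
    $stmt = $db->prepare('SELECT contrasena FROM cuenta WHERE usuario = :u');
    $stmt->execute([':u' => $usuario]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($clave, $hash);
}

// Constructed sample input: a name with an apostrophe, which would break
// the interpolated INSERT from the question but is plain data here.
$db = abrirBase();
var_dump(registrar($db, "O'Brien", 's3creta'));  // first registration
var_dump(registrar($db, "O'Brien", 'otra'));     // same name again
var_dump(verificar($db, "O'Brien", 's3creta'));  // correct password
var_dump(verificar($db, "O'Brien", 'otra'));     // wrong password
```

With MySQL, only the DSN passed to `new PDO(...)` changes, and the `contrasena` column needs to be wide enough for the hash (the PHP manual suggests 255 characters for `PASSWORD_DEFAULT`).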