Login Code - PHP


Rogerio
Go to solution Solved by Jacques1,

Hello. I'm learning PHP and, after seeing tutorials, made my first login code. I need your help to find out if what I did is right and what needs to be improved (or even if everything is wrong). I'm very grateful for your help/opinion.

Thank you

//This is my login page

<?php 
	session_start();
?>

<!DOCTYPE html>
<html>
<head>
	<title>Rede Social</title>
	<link rel="stylesheet" type="text/css" href="home.css">
</head>
<body>
	<?php 
		if(isset($_SESSION["tentarLogin"])){ 
			unset($_SESSION["tentarLogin"]); 
		}
		else{
			$_SESSION["msg"]="";
			$_SESSION["user"]="";
		}


	?>

	<h1 id="welcome">WELCOME!</h1>
	<form method="post" action="login.php">
		<div class="login" id="login">
			<?php echo '<p id="welcome1">'.$_SESSION["msg"].'</p><br>' ;?>
			<input type = "text" id = "user" name="user" class="login-data" placeholder = "Username"  value=<?php echo $_SESSION["user"]?>><br>
			<input type = "password" id = "pass" name = "pass" class="login-data" placeholder = "Password" ><br>
			<div class="submit">
				<input type="submit" class ="submitButton" id="loginButton" value="LOGIN"><br>
				<input type="button" class ="submitButton" id="registarButton" onclick="location.href='/Rede%20Social/registar/registar.php'" value="REGISTAR">
			</div>
		</div>
	</form>
</body>
</html>

//This is my login form

<?php  
session_start();
$user = $_POST["user"];
$pass = $_POST["pass"];
$_SESSION["tentarLogin"] = "true";
if(strcmp($user,"roger")==0){

	if(strcmp($pass,"abreu")==0){
		header('Location: http://www.google.pt');
	}
	else{
		$_SESSION["user"]="roger";
		$_SESSION["msg"]="*Password errada!";
		header('location: /Rede%20Social/home/home.php');
	}
}
else{
	$_SESSION["msg"]="*Username inexistente!";
	header('location: /Rede%20Social/home/home.php');
}

?>

  • Solution

The code is currently too trivial for any kind of meaningful feedback.

 

You have an HTML form, hard-coded dummy credentials and a few session values. That's great, but it doesn't really show anything. It would be a lot more interesting if you had an actual log-in system with a database and password hashes.

 

Until then, all I can say is this:

  • Learn and apply the basics of security as early as possible, especially when you write a log-in form. This includes HTML-escaping values before you insert them into your HTML markup so that an attacker cannot inject malicious JavaScript code.
  • Keep PHP and HTML separate. It makes no sense to do session management in the middle of the body element. You should have a block of PHP code on top of the script and then all HTML markup at the bottom. The only time you use PHP within HTML is when you need to display dynamic data (like the username from the session).
  • The register button which changes the location through JavaScript is odd. Use a plain old link instead.
  • When you redirect the user with a header() call, you must stop the script with an exit statement. Otherwise the code will keep running, which can have dangerous side effects.
  • Don't use spaces in URLs (or other characters which have to be encoded), and don't mix lowercase and uppercase letters. “Rede%20Social” is difficult to read and just ugly. Why not “rede-social”?
Edited by Jacques1
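
The points from the answer above, combined in one added example (not code from the thread or its participants): a single hypothetical login script with the PHP block on top, `password_verify()` against a stored hash, `exit` after the redirect, HTML-escaped output, and a plain link for registration. The `$users` array, the `e()` helper and the `/rede-social/...` paths are assumptions; a real system would read the hash from a database.

```php
<?php
// All request handling happens first; the markup follows at the bottom.
session_start();

// Constructed demo account. The hash is computed here only to keep the
// example self-contained; normally it is created once at registration.
$users = ['roger' => password_hash('abreu', PASSWORD_DEFAULT)];

// HTML-escape a value before it is placed into markup.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$msg = '';
$user = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Accept only string input; anything else is treated as empty.
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';

    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        session_regenerate_id(true);   // fresh session ID after login
        $_SESSION['user'] = $user;
        header('Location: /rede-social/home.php'); // hypothetical path
        exit;                          // nothing below runs after the redirect
    }
    $msg = 'Wrong username or password.';
}
?>
<!DOCTYPE html>
<html>
<head>
	<title>Rede Social</title>
</head>
<body>
	<h1 id="welcome">WELCOME!</h1>
	<form method="post">
		<p id="welcome1"><?= e($msg) ?></p>
		<input type="text" name="user" placeholder="Username" value="<?= e($user) ?>"><br>
		<input type="password" name="pass" placeholder="Password"><br>
		<input type="submit" value="LOGIN">
		<a href="/rede-social/registar.php">REGISTAR</a>
	</form>
</body>
</html>
```

Because the submitted username is escaped and placed inside a quoted `value` attribute, markup typed into the field is shown back as text instead of being interpreted by the browser.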