0

I am developing a system to practice but I was generated a problem with the Login, since using a validation script using AJAX sending via the GET method a variable to a switch and a conditional did not achieve the desired effect since pressing the submit redirects to the system page so the user is non-existent, ie no validation exists. here is the code I am using.

//Funcion para verify system access

 public function verificar($login,$password){
    $sql="SELECT idusuario,nombre,tipo_documento,num_documento,tlf,email,cargo,imagen,login FROM usuario WHERE login='$login' AND password='$password' AND condicion='1'";

    return executeQuery($sql);
}

Case del SWITCH

case 'verificar':
    $logina=$_POST['logina'];
    $passworda=$_POST['passworda'];

    //Hash SHA256 en la contraseña
    $passwordhash=hash("SHA256",$passworda);

    $rspta=$usuario->verificar($logina, $passwordhash);

    $fetch=$rspta->fetch_object();

    if (isset($fetch))
    {
        //Declaramos las variables de sesión
        $_SESSION['idusuario']=$fetch->idusuario;
        $_SESSION['nombre']=$fetch->nombre;
        $_SESSION['imagen']=$fetch->imagen;
        $_SESSION['login']=$fetch->login;
    }

        echo json_encode($fetch);
        break;

Validation Script

 $("#frmAcceso").on('submit',function(e)
{
 e.preventDefault();
logina=$("#logina").val();
passworda=$("#passwora").val();

$.post("ajax/usuario.php?op=verificar",
    {"logina":logina,"passworda":passworda},
    function(data)
{
    if (data!="null")
    {
        $(location).attr("href","views/pages/categoria.php");            
    }
    else
    {
        bootbox.alert("Usuario y/o Password incorrectos");
    }
});
})

Form HTML

<form method="post" id="frmAcceso">
            <div class="form-group has-feedback">
                <input type="text" id="logina" name="logina" class="form-control" placeholder="Usuario" required>
                <span class="fa fa-user form-control-feedback"></span>
            </div>
            <div class="form-group has-feedback">
                <input type="password" id="passworda" name="passworda" class="form-control" placeholder="Password" required>
                <span class="fa fa-key form-control-feedback"></span>
            </div>
            <div class="row">
                <div class="col-xs-8">
                </div>
                <!-- /.col -->
                <div class="col-xs-4">
                    <button type="submit" class="btn btn-primary btn-block btn-flat">Ingresar</button>
                </div>
                <!-- /.col -->
            </div>
        </form>

pressing the submit button sends me to 'categoria.php' no matter what data is put in the form I already probre that the ** Case ** Verify works correctly, since it returns data to me or null depending on the result, but in my JS the Data field receives information that is not ** null ** always and this is what causes the apparently redirection

Alvaro Santafe
  • 65
  • 1
  • 5
  • 2
    Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Oct 09 '17 at 14:56
  • Your null test here: `if (data!="null")` is testing for a string equal to the word 'null', which is incorrect. `console.log()` the data returned from your PHP to view what you're actually receiving – WillardSolutions Oct 09 '17 at 15:02
  • 1. Do a var_dump() of $rspta after the $usuario->verificar(...); call. 2. Also log the SQL query inside verificar() and manually run it to make sure it's actually returning data. 3. Fix your SQL injection issues. Right now, your SQL query is vulnerable to injection on the login and password POST parameters. – jhilgeman Oct 09 '17 at 15:10
  • I test the **case** _"verificar"_ manually and effectly its return a JSON data or NULL value, that means the sql query execute correctly, the problem is the JS file allways recive a data because i change the if for : 'if( data=null)' and the 'else' message appears. – Alvaro Santafe Oct 09 '17 at 15:42
  • After where exactly? "header:location" does not appear anywhere in your code. – ADyson Oct 09 '17 at 15:49
  • after the conditional sorry . – Alvaro Santafe Oct 09 '17 at 15:51
  • i try to make a console.log(data) after the conditional but the console dont show me anything – – Alvaro Santafe Oct 09 '17 at 15:51
  • What about if you put it before that conditional? Then you can be sure it will always give you something (assuming that the ajax call actually returns successfully - have you checked for that?). – ADyson Oct 09 '17 at 15:52
  • P.S. Your code is vulnerable to SQL injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. – ADyson Oct 09 '17 at 15:52

0 Answers0