<?php
  include 'koneksi.php';
  session_start();

  // Already logged in: redirect and stop, so the form below is never rendered
  if(isset($_SESSION['login'])){
    header('location: index.php');
    exit;
  }

  if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    // md5() is an unsalted, fast hash; the replies below point at password_hash() instead
    $encryptPass = md5($password);

    // User input is interpolated straight into the SQL text: this is the SQL injection the replies refer to
    $query = "SELECT * FROM user where username= '$username' And password = '$encryptPass' ";
    $rs = mysqli_query($koneksi, $query);
    // mysqli_query() returns false on error; calling fetch_all() on false is a fatal error
    $result = $rs ? $rs->fetch_all(MYSQLI_ASSOC) : [];

    if($result){
        $_SESSION['login'] = true;   // the check at the top of the file looks for this key
        $_SESSION['username'] = $result[0]['username'];
        $_SESSION['level'] = $result[0]['level'];
        header('location: index.php');
        exit;
    } else{
        echo 'email atau password salah';   // "email or password wrong"; the alert box below repeats this
        $error = true;
    }

  }

?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Login</title>
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet"
        integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous">
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"
        integrity="sha384-C6RzsynM9kWDrMNeT87bh95OGNyZPhcTNXj1NW7RuBCsyN/o0jlpcV8Qyq46cDfL" crossorigin="anonymous">
    </script>
</head>
<body>
    <div class="container mt-5">
        <div class="row">
            <div class="col-4 mx-auto">
                <?php if(isset($error)){?>
                    <div class="alert alert-danger" role="alert">
                        Username or password is incorrect
                    </div>
                <?php }?>
                <form action="" method="post">
                    <div class="mb-3">
                        <label for="username" class="form-label">Username</label>
                        <!-- escape the reflected value so a crafted username cannot break out of the attribute -->
                        <input type="text" class="form-control" name="username" id="username"
                            value="<?= htmlspecialchars($username ?? '', ENT_QUOTES, 'UTF-8'); ?>">
                    </div>
                    <div class="mb-3">
                        <label for="password" class="form-label">Password</label>
                        <input type="password" class="form-control" name="password" id="password" aria-describedby="passwordHelp">
                        <div id="passwordHelp" class="form-text">We'll never share your password with anyone else.</div>
                    </div>
                    <button type="submit" value="submit" name="login" class="btn btn-primary">Login</button>
                </form>
                <div id="registerHelp" class="form-text">If you don't have an account, please
                    <a href="register.php">Register</a> first
                </div>
            </div>
        </div>
    </div>
</body>
</html>


What I have tried:

Is this code correct? (original: "apakah code ini benar")
Posted; updated 19-Nov-23 5:27am (v3)
Comments
Greg Utas 19-Nov-23 11:26am    
You haven't told us what the code is supposed to do. To see if it's correct, you should run it and test it. After all, you are the one who knows what it's supposed to do.
Richard MacCutchan 19-Nov-23 11:41am    
No, it is incorrect. You should not use MD5 to hash passwords, you should use the PHP builtin PHP: password_hash - Manual[^].
CHill60 20-Nov-23 3:58am    
Whilst syntactically correct, SELECT * FROM ... is not good practice. You should explicitly list the columns you want to extract.
Richard Deeming 20-Nov-23 4:09am    
No - between the SQL Injection[^] and insecure password storage, your code is most definitely NOT "correct".

1 solution

No...

The session_start() function must be the very first thing in your document. Before any HTML tags or other code. Also check if a session is running, if not then start it...

Start a PHP Session[^]

PHP
if (session_status() == PHP_SESSION_NONE) {
	session_start();
}
//Check if session was started, if not, then start session as a first line of code...


When you are including files, you need to check that they exist, or your app might crash without the user knowing why it is not working. Error trapping should be in ALL of your code; I am not going to check each of them -
PHP
if (file_exists(__DIR__ . '/koneksi.php')) {
    require_once __DIR__ . '/koneksi.php';    
} else {
    //Handle error: file not found...
    echo "We are aware of the page not loading, please retry again in a few whilst you enjoy that much needed coffee. Our support team is hard at work on this!";
}


If the login session is running, all good and well, but what IF it is not? You have no alternative but for the page to load nothing -
PHP
if(isset($_SESSION['login'])){
    return header('location: index.php');
} else {
    // not logged in: send the visitor somewhere instead of rendering nothing
    return header('location: AnotherStupidPage.php');
}


And then we get into the grinding of things... Never Ever but Ever post, link, share, hardcode or time capsule any usernames or passwords, yes EVER. There were already some basic links given above in the comments you can follow on how to do this securely. I would suggest that you read up some more on this (I am busy with an article on how to secure your site "almost" completely, will be posting soon). Once you get the hang of security you will be moving up the ranks to a full blown developer; if not, you will be seen as a junior wannabe that just started coding. I am sure that is not where you want to be. :)

Work through the PHP tutorial on PDO (PHP Data Objects) where you will use prepared statements - PHP PDO | Tutorial[^]

You should also sanitize your data - Sanitize filters | Tutorial[^]

The below link is a tutorial on the proper way to create a login/register flow of your app using a class - PHP PDO Login/Register System[^]
Also, not 100% IF you followed the above links and advice, but 1000% better than what you have right now!
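The following is an added example, not the questioner's code nor the answerer's: it rewrites the login logic from the question with PDO prepared statements and password_hash()/password_verify(), as the comments and the answer recommend, and keeps the original string-built query beside it so the injection can be observed. It assumes the pdo_sqlite extension and uses an in-memory SQLite database instead of the MySQL connection from koneksi.php; the user table, the single user row and the payload are constructed here for the demonstration.

```php
<?php
// Added example (not from the original post). Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // errors become exceptions instead of false returns
]);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL, level TEXT NOT NULL)');

// Registration: store a salted, deliberately slow hash, never md5()
function registerUser(PDO $db, string $username, string $password, string $level): void {
    $stmt = $db->prepare('INSERT INTO user (username, password, level) VALUES (:u, :p, :l)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
        ':l' => $level,
    ]);
}

// The pattern from the question: user input concatenated into the SQL text.
// Returns the matched row or null. Kept only to show why it fails.
function vulnerableLogin(PDO $db, string $username, string $password): ?array {
    $encryptPass = md5($password);
    $query = "SELECT * FROM user WHERE username = '$username' AND password = '$encryptPass'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened version: the SQL is fixed text, the values travel as bound parameters,
// only the needed columns are selected, and the password is checked with password_verify().
function safeLogin(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT username, password, level FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;               // same generic failure for unknown user and wrong password
    }
    unset($row['password']);       // never carry the hash into the session
    return $row;
}

// On success: rotate the session id (defeats session fixation) and store only what index.php needs
function establishSession(array $user): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['login'] = true;
    $_SESSION['username'] = $user['username'];
    $_SESSION['level'] = $user['level'];
}

registerUser($db, 'admin', 'correct horse battery staple', 'admin');   // constructed sample user

// Constructed payload: closes the username literal, makes the WHERE clause always true,
// and the trailing "--" comments out the password comparison entirely.
$payload = "admin' OR '1'='1' -- ";

var_dump(vulnerableLogin($db, $payload, 'anything') !== null);   // bool(true): a row comes back with no valid password
var_dump(safeLogin($db, $payload, 'anything'));                  // NULL: the payload is just an unknown username
var_dump(safeLogin($db, 'admin', 'wrong'));                      // NULL: wrong password
$user = safeLogin($db, 'admin', 'correct horse battery staple');
var_dump($user['level']);                                         // string(5) "admin"

// In the web page this runs after a successful POST; it is skipped here when run from the CLI
if ($user !== null && PHP_SAPI !== 'cli') {
    establishSession($user);
    header('location: index.php');
    exit;
}
```

For MySQL the same code works with a mysqli/PDO MySQL DSN; with pdo_mysql also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, does the parameter binding. Note that the vulnerable function returns the row even though the stored value is a password_hash() string rather than an md5 hash: the injected clause makes the password comparison irrelevant, which is the whole point.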

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900