Jump to content

Recommended Posts

Hey all,

 

Today I have received an error of one of my websites I created 2 years ago. The user cannot login anymore. He stays on the login screen and nothing happens. If he enters the wrong username & password he gets the correct error code. I use sessions and the user & pass are stored in the DB.

I havent changed anything but the provider did some general updates. So can you guys check if any code is outdated? It seems like the session is not stored or the form does not send the user&pass.

If I go directly to the login.php file I get the error:

PHP Notice: Undefined index: username in D:\www\orangerie-krekelh.be\www\login.php on line 5 PHP Notice: Undefined index: pw in D:\www\orangerie-krekelh.be\www\login.php on line 6

The loginform

<div id="content">
        <h1>Login</h1>
       <form action="login.php" method="post">
<b>Username</b>:<input type="text" name="username" size="20"><br>
<b>Password</b>:<input type="password" name="pw" size="20"><br>
<input type="submit" value="Login"></form>
    </div>

The login php file

<?php
session_start();
include('dbconnect.php');
print_r($_POST);
$username = $_POST['username'];
$pw = $_POST['pw'];
$q="SELECT * FROM `users` WHERE ((username='$username') AND (pw='$pw'))";
$result= mysql_query($q) or die ("Could not execute query : $q." . mysql_error());

if (mysql_num_rows($result) == 0)
{
echo "<div align=center><b>Uw login en/of paswoord is verkeerd ingegeven, probeer opnieuw.</b></div>";
}
else
{
$r=mysql_fetch_array($result);
$login_username=$r["username"];
session_register("login_username");
Header("location: protected.php");
}
?>

 

Thanks in advance for any kind of help!

greetz

Link to comment
https://forums.phpfreaks.com/topic/215147-undefined-index-with-login/
Share on other sites

Your host has probably modified the default error reporting to show notifications (which is kind of odd in my opinion). You should definitely have error reportingset to show everything in a development environment, but in a production environment notification errors should be suppressed.

 

But, the problem is that on first access of the page the POST values don't exist. So, when you try to set $username = $_POST['username']; you are getting the error because $_POST['username'] doesn't exist.

 

The right way to do that would be

$username = isset($_POST['username']) ? $_POST['username'] : false;

 

But, you shoudl rework the logic further. Te current page does a db query regardless if the user submitted login credentials or not. You should only do the authnetication if the user submitted the form.

After furhter review I suspect the root fo the problem is in the form page. You may be getting the same type of notification errors - but they may be masked in the HTML code, thereby corrupting the input data. Kind of hard to know for sure without debugging it.

 

Another possibility is that the host may have enabled/disabled magic quotes which would make the input data different from what you were receiving before.

 

What is the output of the print_r()? Is it what you would expect?

This is very weird, as stated above, I changed the POST to GET for the username & password but not for the print_r. If I also change the print_r to GET, the array is empty again. So the code at this point (with a correct filled array) is 

<?php
session_start();
include('dbconnect.php');
// $username = $_POST['username'];
// $pw = $_POST['pw'];
$username = isset($_GET['username']) ? $_GET['username'] : false;
print_r($_POST);
$pw = isset($_GET['pw']) ? $_GET['pw'] : false;
$q="SELECT * FROM `users` WHERE ((username='$username') AND (pw='$pw'))";
$result= mysql_query($q) or die ("Could not execute query : $q." . mysql_error());

if (mysql_num_rows($result) == 0)
{
echo "<div align=center><b>Uw login en/of paswoord is verkeerd ingegeven, probeer opnieuw.</b></div>";
}
else
{
$r=mysql_fetch_array($result);
$login_username=$r["username"];
session_register("login_username");
Header("location: protected.php");
}
?>

 

Just reviewing a log in script that i have here and working. Why are you setting the session right away?

 

The way i would do this ( and i am no mean coder by the way ;D )

 

<?php
include('dbconnect.php');
if (isset($_POST['username'])) {$username=$_POST['username'];}
$username= mysql_real_escape_string($username);
if(isset($_POST['pw'])) {$pw=$_POST['pw'];}
$pw= mysql_real_escape_string($pw);
$q="SELECT * FROM `users` WHERE ((username='$username') AND (pw='$pw'))";
$result= mysql_query($q) or die ("Could not execute query : $q." . mysql_error());
if (mysql_num_rows($result) == 0)
{
session_start();
$_SESSION['login_username'] = "";
header ("Location: loginpage");	
}
else
{
$r=mysql_fetch_array($result);
$login_username=$r["username"];
session_start();
$_SESSION['login_username'] = "$login_username";
Header("location: protected.php");
}
?>

 

Or something along those lines LOL

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.