Shadow_Walker, Posted March 31, 2014

Please, any suggestion or comments here:

Login.php

    <td width="65%" align="left"><input name="student_id" type="text" id="student_id" action="Student_Home.php" method="post"></td>

Student_Home.php

    <blockquote>
    <p>Welcome <?php echo $_POST["student_id"];?> </p>
    </blockquote>

OUTPUT:

    Welcome Notice: Undefined index: student_id in C:\xampp\htdocs\a\Student_Home.php on line 44

DESIRED OUTPUT: Welcome "student_id" !!!
Ch0cu3r, Posted March 31, 2014

First, these

    action="Student_Home.php" method="post"

should not be used in an <input />; they are attributes to control the behaviour of a <form>. Example code of a form with one input and a submit button:

    <form action="Student_Home.php" method="post">
        Student ID: <input type="text" name="student_id" />
        <input type="submit" value="Submit" />
    </form>

Secondly, you're getting the notice message because $_POST['student_id'] won't exist until the form has been submitted, so you need to check that it exists before using it. Example:

    // check whether $_POST['student_id'] exists
    // form has been submitted
    if(isset($_POST['student_id']))
    {
        echo 'Welcome, ' . $_POST['student_id'];
    }
    // $_POST['student_id'] does not exist, display a message
    else
    {
        echo 'Please provide Student ID!';
    }
Shadow_Walker, Posted April 12, 2014 (Author)

I have resolved your first suggestion in the codes. Of course, I edited my login.php.

On the second suggestion: may I ask into what file I'll insert your if-else code?
Jacques1, Posted April 12, 2014 (edited)

Hi,

first of all, you both have a cross-site scripting vulnerability in your code. Since you insert $_POST["student_id"] straight into the document, an attacker can use this parameter to inject malicious JavaScript code. Every value you want to put into the document must be escaped first:

    echo 'Welcome, ' . htmlspecialchars($_POST['student_id'], ENT_QUOTES, 'UTF-8');

> On the second suggestion: may I ask into what file I'll insert your if-else code?

The target script of your form: Student_Home.php.

However, the current program logic doesn't make a lot of sense. The time to welcome the student is after they've logged in and proven their identity, not during the login procedure. I mean, what if I gave you the wrong student ID? Will you still greet me with “Welcome, xyz”?

The usual workflow of a login-protected site is like this:

- You send the data to a script which processes it (this is usually the form script itself).
- If the login was successful, you redirect the user to the protected page.
- Otherwise, you send them back to the form.

Edited April 12, 2014 by Jacques1
Shadow_Walker, Posted April 12, 2014 (Author)

Sorry, I'm a beginner here. This is how I improved my codes in Login.php:

    <tr bgcolor="#E1E1E1" class="stylesmall">
        <td width="35%" align="left" class="style7 style1">Learner Id : </td>
        <td width="65%" align="left">
            <form action="Student_Home.php" method="post">
                <input name="student_id" type="text" id="student_id">
            </form>
        </td>
    </tr>

and in Student_Home.php I just copy and paste your code:

    <?
    if(isset($_POST['student_id']))
    {
        echo 'Welcome, ' . $_POST['student_id'];
    }
    // $_POST['student_id'] does not exist, display a message
    else
    {
        echo 'Please provide Student ID!';
    }
    ?>

I have gone through this; there are no notifications, but it still doesn't work. Please help.
Jacques1, Posted April 12, 2014

Have you read my reply? Your code has a security vulnerability, and it simply makes no sense in its current form.
Ch0cu3r, Posted April 12, 2014

> and in Student_Home.php I just copy and paste your code.

That code is fine except for the opening PHP tag <? The code will only run if you have a setting called short_open_tag enabled in the php.ini. Otherwise you will need to use the full opening tag <?php

I would recommend you always use the full opening PHP tag, as not all configurations of PHP have short tags enabled.
Jacques1, Posted April 12, 2014 (edited)

> That code is fine

No, it's not fine, as I've explained above. It would be very nice if you didn't just ignore all other replies. You've even repeated his XSS vulnerability.

Edited April 12, 2014 by Jacques1
Shadow_Walker, Posted April 12, 2014 (Author)

To Jacques: Thank you for your insights. I have already done your suggestion that if the user can't log in, they will still remain in the form. They can only enter Student_Home.php as long as they are already registered. The only problem left is after they have logged in (database-registered user). I wanted that on the upper left of the page they will be welcomed as Welcome 'user_id'. I am grateful for your advice in preventing the injection of malicious JavaScript code. I'll also add that in my code. Do you have any suggestions other than Ch0cu3r's advice to welcome the user?
Shadow_Walker, Posted April 12, 2014 (Author)

To Ch0cu3r, I am very thankful for your immediate response. I will try that complete PHP tag later. I hope this time it will work; I'll update you then.
Jacques1, Posted April 12, 2014

After the user has logged in, you start a PHP session, right? Well, that's where you get the correct student ID from:

1. The user logs in with their password.
2. You verify the password and start a session; the session contains the user ID.
3. On the protected page, you display a welcome message for the user ID from the session.
Shadow_Walker, Posted April 15, 2014 (Author)

@jacques: Yeah!! I have no problem with that. For number 3, it is a page where they can see their profile, and on the upper left is a welcome message (Welcome 'user_id'); that is what I'm referring to, where I get stuck and have problems with the code.
Shadow_Walker, Posted April 15, 2014 (Author)

To Ch0cu3r, you've been a great help to me. I have followed your instructions and it went well. Your code is good, but I have my problem: it echoes the ELSE part.

    <?php
    if(isset($_POST['student_id']))
    {
        echo 'Welcome, ' . $_POST['student_id'];
    }
    // $_POST['student_id'] does not exist, display a message
    else
    {
        echo 'Please provide Student ID!';
    }
    ?>

The webpage indicates "Please provide Student ID". Literally, it doesn't find the $_POST['student_id'], in spite of the fact that we have already created it in Login.php:

    <td width="35%" align="left" class="style7 style1">Learner Id : </td>
    <td width="65%" align="left">
        <form action="Student_Home.php" method="post">
            <input name="student_id" type="text" id="student_id">
        </form>
    </td>

Please help me again.
QuickOldCar, Posted April 15, 2014

htmlspecialchars() isn't a fix-all for that; if it were numbers by chance, it would be better to check ctype_digit(), is_numeric() or something, depending on exactly what the OP expects it to be.

Ch0cu3r is just trying to help the guy along with his immediate issues, not train him in all aspects of coding.

It's been said many times all over: never, ever trust user input. Sanitize, filter and escape.
Ch0cu3r, Posted April 15, 2014

> To Ch0cu3r, ... Literally, it doesn't find the $_POST['student_id'], in spite of the fact that we have already created it in Login.php:
>
>     <td width="35%" align="left" class="style7 style1">Learner Id : </td>
>     <td width="65%" align="left">
>         <form action="Student_Home.php" method="post">
>             <input name="student_id" type="text" id="student_id">
>         </form>
>     </td>
>
> Please help me again.

Where is the submit button for that form? You have only defined one input field, but you appear to have no way of actually submitting the form.
Shadow_Walker, Posted April 15, 2014 (Author)

Here are the codes, including the submit button, found in login.php:

    <tr bgcolor="#E1E1E1" class="stylesmall">
        <td width="35%" align="left" class="style7 style1">Learner Id : </td>
        <td width="65%" align="left">
            <form action="Student_Home.php" method="post">
                <input name="student_id" type="text" id="student_id">
            </form>
        </td>
    </tr>
    <tr bgcolor="#E1E1E1" class="stylesmall">
        <td align="left" class="style7 style1">Password:</td>
        <td align="left"><input name="student_password" type="password" id="student_password"> </td>
    </tr>
    <tr bgcolor="#E1E1E1">
        <td colspan="2" align="center">
            <?php if(!empty($_GET['flag']) && $_GET['flag'] == "invalid") { ?>
            <span class="stylered style1">Invalid Login Id or Password</span>
            <?php }?>
        </td>
    </tr>
    <tr bgcolor="#E1E1E1">
        <td colspan="2" align="center">
            <form action="Student_Home.php" method="post">
                <input name="login" class="style10" type="submit" id="login" value="Login">
            </form>
            <p class="style1">New Learner?<a href="Student_Registration.php"> Register Here</a> </p>
        </td>
    </tr>

Here is also my login.php handler:

    <?php
    session_start();
    include 'Connect.php';
    $flag = "";
    $student_id = $_POST['student_id'];
    $student_password = $_POST['student_password'];
    $query = "select last_login_date from student_information where student_id='$student_id' and student_password='$student_password' and student_status ='Disable'";
    $result = mysql_query($query,$link_id);
    if(mysql_error() != null){
        die(mysql_error());
    }
    if($date = mysql_fetch_array($result))
    {
        $lastdate = $date['last_login_date'];
        $date2 = date("d-m-Y h:i A",strtotime($lastdate));
        $_SESSION["student_id"] = $_POST["student_id"];
        $_SESSION["lastlogin"] =$date2;
        $_SESSION["type"] = "Student";
        mysql_query("update student_information set last_login_date=now() where student_id='$student_id'",$link_id);
        if(mysql_error() != null){
            die(mysql_error());
        }
        header("location: Student_Home.php");
        die();
    }
    else
    {
        $flag = "invalid";
        header("location:Student_login.php?flag=$flag");
        die();
    }
    ?>

I am starting to feel ashamed about this, for your time, but I need to forget that just to solve this problem of mine. I hope this info will help you analyze and help me more on this. Please help me again.
mac_gyver, Posted April 15, 2014

your form(s) make no sense, and it is necessary for you to understand what your code is doing in order to (efficiently) get it to do what you want. you need to start with the basics and get them to work first.

you are trying to make a form with input fields for a 'student_id', a 'student_password', and a submit button. all three of these must be in ONE single form. start with just the following (do things like formatting and styling after you have learned the basics) -

    <form action="Student_Home.php" method="post">
    Student id: <input name="student_id" type="text"><br>
    Password: <input name="student_password" type="password"><br>
    <input name="login" type="submit" value="Login">
    </form>
Shadow_Walker, Posted April 16, 2014 (Author)

@mac gyver: I don't really have a problem with the form. It's a form inside the table, and the log-in process works very well (the user who logs in, if registered in the database, is directed to their profile, and those who aren't will be invalid and will stay on the log-in page). The only problem is I wanted that on the upper left of the page they will be welcomed like WELCOME 'user_id'. I need someone's help with the PHP code so that 'student_id' will be identified in this code:

    <?php
    if(isset($_POST['student_id']))
    {
        echo 'Welcome, ' . $_POST['student_id'];
    }
    // $_POST['student_id'] does not exist, display a message
    else
    {
        echo 'Please provide Student ID!';
    }
    ?>

The present situation is the webpage will echo the ELSE part, which is: Please provide Student ID! (of course without the underline).
QuickOldCar, Posted April 16, 2014

Are you saying you want to show the value of $_POST['student_id'] even if it does not exist?
Shadow_Walker, Posted April 16, 2014 (Author)

@quick old car: You're not helping, and you're asking a dumb question. If you could analyze first before making a comment, you would understand that I want to know how to make it exist and to show it.
mac_gyver, Posted April 16, 2014 (edited)

the reason he asked that is because $_POST data is only available on the page that the form submits to. it's empty otherwise.

why is your login php code setting $_SESSION variables? wouldn't that be so that you can use that information on other pages?

as to your form, you have two sets of opening and closing form tags. the first form has the student_id field, the password field is in between the two forms, and the second form has the submit button. what you have shown will only submit the submit button itself, because that's the only thing in the form where the submit button is.

edit: your login query is open to sql injection and basically anyone can cause it to select any row in your table. you need to escape your data being put into the query. you also need to use a strong hashing method for your passwords.

Edited April 16, 2014 by mac_gyver
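Putting the thread's advice together in one place: Jacques1's workflow (verify the password, store the ID in the session, escape it on output), mac_gyver's point about the injectable query and password hashing, and the isset/empty check from earlier. This is an added example, not code posted in the thread; it assumes a PDO connection to the same student_information table, that student_password now stores a password_hash() value rather than plaintext, and uses placeholder database credentials.

```php
<?php
// Login handler (the script the single login <form> posts to). Added example,
// not the thread's own code; assumes a PDO handle to the student_information
// table and that student_password holds a password_hash() value.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

function authenticate(PDO $pdo, string $student_id, string $password): bool
{
    // Prepared statement: the ID is bound as data, never spliced into the SQL,
    // so a crafted student_id cannot change which row the query selects.
    $stmt = $pdo->prepare('SELECT student_password, last_login_date
                           FROM student_information WHERE student_id = :id');
    $stmt->execute([':id' => $student_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against the stored hash; the plaintext
    // password never goes into a query (hash it at registration with password_hash()).
    if ($row === false || !password_verify($password, $row['student_password'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session ID once logged in
    $_SESSION['student_id'] = $student_id;  // what Student_Home.php will greet
    $_SESSION['lastlogin']  = $row['last_login_date'];
    $_SESSION['type']       = 'Student';
    $pdo->prepare('UPDATE student_information SET last_login_date = NOW()
                   WHERE student_id = :id')->execute([':id' => $student_id]);
    return true;
}

$student_id = $_POST['student_id'] ?? '';       // exists only on the POST target
$password   = $_POST['student_password'] ?? '';
if ($student_id !== '' && authenticate($pdo, $student_id, $password)) {
    header('Location: Student_Home.php');
} else {
    header('Location: Student_login.php?flag=invalid');
}
exit;

// Student_Home.php (a separate file) then reads the ID from the session, not
// from $_POST, and escapes it before putting it into the HTML:
//   session_start();
//   if (!isset($_SESSION['student_id'])) { header('Location: Student_login.php'); exit; }
//   echo 'Welcome, ' . htmlspecialchars($_SESSION['student_id'], ENT_QUOTES, 'UTF-8');
```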
QuickOldCar, Posted April 16, 2014

> @quick old car: You're not helping, and you're asking a dumb question. If you could analyze first before making a comment, you would understand that I want to know how to make it exist and to show it.

That's so hilarious I even liked it.