Jump to content

Will not echo the new user welcome paragraph


Shadow_Walker

Recommended Posts

Please any suggestion or comments here: 

 

Login.php

 <td width="65%" align="left"><input name="student_id" type="text" id="student_id" action="Student_Home.php" method="post"></td>

Student_Home.php

<blockquote>
	  <p>Welcome <?php echo $_POST["student_id"];?> </p>
</blockquote>
OUTPUT: Welcome Notice: Undefined index: student_id in C:\xampp\htdocs\a\Student_Home.php on line 44 
 
DESIRED OUTPUT: Welcome "student_id" !!! 
 
Link to comment
Share on other sites

First these

action="Student_Home.php" method="post"

Should not be used in an <input /> they are attributes to control the behaviour of a <form>.

 

 Example code of a form with 1 input and submit button

<form action="Student_Home.php" method="post">
    Student ID: <input type="text" name="student_id" />
    <input type="submit" value="Submit" />
</form>

Secondly you're getting the notice message because $_POST['student_id'] wont exist, until the form has been submitted so you need to check that it exists before using it, example

// check whether $_POST['student_id'] exists
// form has been submitted
if(isset($_POST['student_id']))
{
    echo 'Welcome, ' . $_POST['student_id'];
}
// $_POST['student_id'] does not exist, display a message
else
{
    echo 'Please provide Student ID!';
}
Link to comment
Share on other sites

  • 2 weeks later...

Hi,

 

first of all, you both have a cross-site scripting vulnerability in your code. Since you insert $_POST["student_id"] straight into the document, an attacker can use this parameter to inject malicious JavaScript code.

 

Every value you want to put into the document must be escaped first:

echo 'Welcome, ' . htmlspecialchars($_POST['student_id'], ENT_QUOTES, 'UTF-8');

On the second suggestion. May i ask to what file i'll insert your if-else code? 

 

The target script of your form: Student_Home.php.

 

However, the current program logic doesn't make a lot of sense. The time to welcome the student is after they've logged in and proven their identity, not during the login procedure. I mean, what if I gave you the wrong student ID? Will you still greet me with “Welcome, xyz”?

 

The usual workflow of a login-protected site is like this: You send the data to a script which processes it (this is usually the form script itself). If the login was successful, you redirect the user to the protected page. Otherwise, you send them back to the form.

Edited by Jacques1
Link to comment
Share on other sites

Sorry im a beginner here.

 

this is how i improved my codes in Login.php

<tr bgcolor="#E1E1E1" class="stylesmall">
        <td width="35%" align="left" class="style7 style1">Learner Id : </td>
	<td width="65%" align="left">
	   <form action="Student_Home.php" method="post">
	      <input name="student_id" type="text" id="student_id">
	   </form>  
	</td>
</tr>

and in Student_Home.php i just copy and paste your code.

<?  if(isset($_POST['student_id']))
	{
   		 echo 'Welcome, ' . $_POST['student_id'];
	}
		// $_POST['student_id'] does not exist, display a message
		else
	{
   		 echo 'Please provide Student ID!';
	}
?>

I have done thru this, there is no notifications but still doesn't work. Please help.

 

 

Link to comment
Share on other sites

 

 

and in Student_Home.php i just copy and paste your code.

That code is fine except for the opening PHP tag  <?  The code will only run if your have a setting called short_open_tag enabled in the php.ini. Otherwise you will need to use the full opening tag  <?php  

I would recommend you to always use the full opening PHP tag, as not all configurations of PHP has short tags enabled.

Link to comment
Share on other sites

To Jacques: 

 

Thank you for your insights. I have already done your suggestion that if the user can't log in, they will still remain in the form. They can only enter in Student_Home.php as long as they are already registered. 

 

The only problem left is after they logged-in (database registered user). I wanted that on the upper left of the page they will be welcome as Welcome 'user_id'. I am grateful for your advice in preventing the inject of malicious JavaScript code. I'll also add that in my code.

 

Do you have any suggestions other than Ch0cu3r advice to welcome the user?

Link to comment
Share on other sites

After the user has logged in, you start a PHP session, right? Well, that's were you get the correct student ID from:

 

  1. The user logs in with their password
  2. You verify the password and start a session; the session contains the user ID
  3. On the protected page, you display a welcome message for the user ID from the session
Link to comment
Share on other sites

To Ch0cu3r,

 

You've been a great help to me. I have followed your instructions and it went well. Your code is good but i have my problem--it echoes the ELSE_part.

<?php  if(isset($_POST['student_id']))
	{
   		 echo 'Welcome, ' . $_POST['student_id'];
	}
		// $_POST['student_id'] does not exist, display a message
		else
	{
   		 echo 'Please provide Student ID!';
	}
?>

The webpage indicate 

 

Please provide Student ID. 

 

Literally it doesn't define found out the $_POST['student_id'] inspite that we have created it already on the Login.php

<td width="35%" align="left" class="style7 style1">Learner Id : </td>
<td width="65%" align="left">
     <form action="Student_Home.php" method="post">
	<input name="student_id" type="text" id="student_id">
     </form>  
</td>

Please help me again.

Link to comment
Share on other sites

htmlspecialchars() isn't a fix all for that, if was numbers by chance would be better checking ctype_digit(), is_numeric() or something, depending exactly what the op expects it to be

 

Ch0cu3r is just trying to help the guy along his immediate issues, not train him all aspects of coding.

 

It's been said many times all over to never ever trust user input

 

sanitize,filter and escape

Link to comment
Share on other sites

To Ch0cu3r,

 

...

 

Literally it doesn't define found out the $_POST['student_id'] inspite that we have created it already on the Login.php

<td width="35%" align="left" class="style7 style1">Learner Id : </td>
<td width="65%" align="left">
     <form action="Student_Home.php" method="post">
	<input name="student_id" type="text" id="student_id">
     </form>  
</td>

Please help me again.

Where is the submit button for that from? You have only defined one input field but you appear to have no way of actually submitting the form.

Link to comment
Share on other sites

here are the codes including the submit button found in login.php

<tr bgcolor="#E1E1E1" class="stylesmall">
    <td width="35%" align="left" class="style7 style1">Learner Id : </td>
    <td width="65%" align="left">
	<form action="Student_Home.php" method="post">
	<input name="student_id" type="text" id="student_id"> 
	</form>
     </td>
</tr>
<tr bgcolor="#E1E1E1" class="stylesmall">
    <td align="left" class="style7 style1">Password:</td>
  <td align="left"><input name="student_password" type="password" id="student_password">  </td>
</tr>
<tr bgcolor="#E1E1E1">	
    <td colspan="2" align="center"> 
      <?php if(!empty($_GET['flag']) && $_GET['flag'] == "invalid") { ?>
       <span class="stylered style1">Invalid Login Id or Password</span>
      <?php }?>	
    </td>
</tr>
<tr bgcolor="#E1E1E1">
    <td colspan="2" align="center">
    <form action="Student_Home.php" method="post">
        <input name="login" class="style10" type="submit" id="login" value="Login">
    </form>
              	
<p class="style1">New Learner?<a href="Student_Registration.php"> Register Here</a> </p>     </td>
</tr>     

here is also my login.php handler.

<?php
	session_start();
	include 'Connect.php';
	$flag = "";
	$student_id = $_POST['student_id'];
	$student_password =  $_POST['student_password'];
	$query = "select last_login_date from student_information where student_id='$student_id' and student_password='$student_password' and student_status ='Disable'";
	$result = mysql_query($query,$link_id);
	if(mysql_error() != null){
		die(mysql_error());
	}
		if($date = mysql_fetch_array($result))
	{
		 $lastdate = $date['last_login_date'];
		 $date2 = date("d-m-Y h:i A",strtotime($lastdate));
		 $_SESSION["student_id"] = $_POST["student_id"];
		 $_SESSION["lastlogin"] =$date2;
		 $_SESSION["type"] = "Student";
		 mysql_query("update student_information set last_login_date=now() where student_id='$student_id'",$link_id);
		 if(mysql_error() != null){
			die(mysql_error());
		}
		 header("location:  Student_Home.php");
		 die();
	}
	else
	{
		$flag = "invalid";
		header("location:Student_login.php?flag=$flag");
		die();		
	} 
	
?>

I am starting to feel ashame on this for your time but i need to forget it just to solve this problem of mine.. hope this info will help you analyze to help me more on this.

Please help me again..

Link to comment
Share on other sites

your form(s) make no sense, and it is necessary for you to understand what your code is doing in order to (efficiently) get it to do what you want.

 

you need to start with the basics and get them to work first. you are trying to make a form with input fields for a 'student_id', a 'student_password', and a submit button. all three of these must be in ONE single form. start with just the following (do things like formatting and styling after you have learned the basics) -

<form action="Student_Home.php" method="post">
Student id: <input name="student_id" type="text"><br>
Password: <input name="student_password" type="password"><br>
<input name="login" type="submit" value="Login">
</form>
Link to comment
Share on other sites

@mac gyver:

 

I dont really have a problem with the form. It's a form inside the table and the log in process works very well (the user who logged in the database if registered is directed to its profle and those who don't will be invalid and will stay in the log in page).

 

The only problem is i wanted that on the upper left of the page they will be welcome like  WELCOME 'user_id'.

 I need someone help for the PHP code so that 'student_id' will be identified in this code

<?php  if(isset($_POST['student_id']))
	{
   		 echo 'Welcome, ' . $_POST['student_id'];
	}
		// $_POST['student_id'] does not exist, display a message
		else
	{
   		 echo 'Please provide Student ID!';
	}
?>

 The present situation is the webpage will echo the ELSE part which is:  

 

Please provide Student ID!

 

of course without the underline.

Link to comment
Share on other sites

the reason he asked that is because $_POST data is only available on the page that the form submits to. it's empty otherwise.

 

why is your login php code setting $_SESSION variables? wouldn't that be so that you can use that information on other pages?

 

as to your form, you have two sets of opening and closing form tags. the first form has the student_id field, the password field is in between the two forms, and the second form has the submit button. what you have shown will only submit the submit button itself, because that's the only thing in the form where the submit button is.

 

edit: your login query is open to sql injection and basically anyone can cause it to select any row in your table. you need to escape your data being put into the query. you also need to use a strong hashing method for your passwords.

Edited by mac_gyver
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.