
Line error


Noxin


<?php
if(isset($_POST['submit'])){
$_user=$_POST['user'];
}
if(isset($_POST['submit'])){
$password=$_POST['password'];
}
 
if ($user&&$password){
$connect = mysql_connect("*******************************Secret Password Stuff****************************") or Die("Could not Connect");
mysql_select_db("users") or Die ("Could not find DB");
}
 
else
die ("Data Base Is dead we still have a Problem");
 
?>
 
 
 
 
This is the error code:
 
 
 

Notice: Undefined variable: user in C:\Users\RoSeAnN\Desktop\Web Designing\server\htdocs\connectionphp.php on line 9
Data Base Is dead we still have a Problem
 
 
 
And HTML... if you need it
 
 
 
<html>
<form action='connectionphp.php' method='POST' accept-charset='UTF-8'>
Username:<input type='text' name='user'>
Password:<input type='password' name='password'>
<input type='submit' value='Log in'>
</form>
 
</html>
 
 
 
So what am I not doing wrong here and how can I make it work??? All help is much appreciated. Thank you!
 
 
;D  

$_user (an underscore at the beginning of a variable name is usually used to indicate the variable is private - like in class visibility)

 

This will come up time and time again, so I might as well say it now - meaning you might as well spend a little time learning it now rather than later - when you have no choice.

Best practices for database interactions are to use prepared statements. The code you presented in this regard is deprecated and slated for removal. This means it won't run on newer versions of PHP and it will look like you don't know what you're doing if you present code in this manner expecting a paycheck someday. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

<?php

// don't let PHP hide any errors, however humbling it makes you feel
error_reporting(E_ALL);
ini_set('display_errors', 1);

if ( isset($_POST['submit']) )
{
    if ( isset($_POST['password']) && isset($_POST['user']) )
    {
        $password = trim($_POST['password']);
        $user = trim($_POST['user']);

        $con = new mysqli($host, $user, $password, $dbname);

        if ($con->connect_errno)
        {
            die('Connection failed: ' . $con->connect_error);
        }
        // do your database stuff here
    }
}

 


So if what you say is right, which I assume it is, is the code you presented me the right way to write the document??

Also, may I have your permission to use it, please?


You can use anything we post on this forum. The important thing is to understand why you are writing the code you write. 

Regurgitating code without knowing its purpose will never make you a better programmer. A deeper understanding of what you're coding is the key. When you understand something, then you can create something.

Copy/paste programming can't help you when you get stuck and actually have to come up with a solution on your own.

Never post a question to a forum when you can easily obtain the answer from a simple search. (not referring to your post, but generalizing)


While hansford is right about the deprecation of the old mysql_* functions and the importance of prepared statements, the suggested code has several issues:

  • Hard-coding the PHP error configuration in a script is a bad idea. Sure, during development, it makes sense to display the errors right on the screen. But if you forget to remove this code before the site goes into production, you have a problem, because everybody will see the messages. This may leak critical information to attackers, and of course it's very unprofessional and irritating for legitimate users. Dynamic error settings also have no effect on errors which happen before the script runs (syntax errors, startup errors etc.). A much better solution is to put the error configuration into the global php.ini or a site-specific user.ini or .htaccess file.
  • The same applies to MySQL error messages: Do not just print them on the screen. They're meant for developers and administrators, not the end user. If you want to generate internal error messages, use trigger_error() or throw an exception. In the case of MySQLi, you don't have to manually trigger errors at all, because the MySQLi driver can do that for you. Again, it's very important to understand that your database issues are none of the user's business. They don't administer your server, so all they need to know is that there's some technical issue.
  • Do not trim passwords. In a password, every character counts, so don't change it in any way.
  • If you do an isset() check of input parameters, you also need an else part. Simply doing nothing is the worst possible solution, because both the user and the developer will wonder what the hell is going on.
  • The code connects to the MySQL database system with the user-provided credentials. I'm fairly sure this is not what the OP wants. The credentials surely belong to an application-level user account.
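The points in the list above, combined into one login handler. This is an added example, not code posted by anyone in the thread; the DB_* environment variables, the users(name, password_hash) table and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumed: DB_* environment variables
// and a table users(name, password_hash) filled via password_hash().

// Let the MySQLi driver throw exceptions instead of checking connect_errno by hand.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function find_password_hash(mysqli $db, string $user): ?string
{
    // Prepared statement: the user name is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE name = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null;
}

function handle_login(array $post): string
{
    if (!isset($post['user'], $post['password'])
        || !is_string($post['user']) || !is_string($post['password'])) {
        http_response_code(400);            // the "else part": say what is missing
        return 'Please enter both user name and password.';
    }
    try {
        // Application-level database account, not the visitor's credentials.
        $db = new mysqli(getenv('DB_HOST') ?: null, getenv('DB_USER') ?: null,
                         getenv('DB_PASS') ?: null, getenv('DB_NAME') ?: null);
        $hash = find_password_hash($db, $post['user']);
    } catch (mysqli_sql_exception $e) {
        error_log('Login database error: ' . $e->getMessage()); // details go to the log only
        http_response_code(500);
        return 'A technical problem occurred. Please try again later.';
    }
    // The password is checked exactly as submitted: no trim().
    if ($hash !== null && password_verify($post['password'], $hash)) {
        return 'Logged in.';
    }
    http_response_code(401);
    return 'Wrong user name or password.';
}

// The posted form's submit button has no name, so test the request method
// rather than $_POST['submit'].
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo htmlspecialchars(handle_login($_POST));
}
```

With display_errors switched off in php.ini for production, a database failure reaches the visitor only as the generic message, while the detail lands in the server's error log.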

Ok, so my example wasn't perfect. You can choose whether to allow spaces in your passwords or not when users register.

Some users like to copy and paste their passwords which sometimes adds a space.

Users shouldn't be copy/pasting, but they do. 

<?php

// use error reporting, but only while debugging
error_reporting(E_ALL);
ini_set('display_errors', 1);

if ( isset($_POST['submit']) )
{
    if ( isset($_POST['password']) && isset($_POST['user']) )
    {
        $password = $_POST['password']; // get password as it is.
        $user = trim($_POST['user']);

        $con = new mysqli($host, $dbuser, $dbpass, $dbname);

        if ($con->connect_errno)
        {
            die('Connection failed: ' . $con->connect_error);
        }
        // do your database stuff here
    }
    else
    {
       // redirect back to login screen 
    }
}
else // redirect or whatever
{
   exit('Direct access to this page is not allowed');
}

Like I said, in a password, every character is significant. You can't just delete whitespace characters.

 

For example, I generate my passwords randomly, so they may very well include whitespace. If you delete those characters, you actually truncate my password and make it weaker.

I understand where you're coming from. But in the case of password checks, fuzziness is a terribly bad idea. You want an exact match, not “The password is kinda-sorta correct, come in”.

 

 

 

Some users like to copy and paste their passwords which sometimes adds a space.

Users shouldn't be copy/pasting, but they do.

 

What? Why on earth should users not copy and paste their passwords? That's exactly how password managers work.

 

I wonder where this myth comes from. Some websites do in fact prevent pasting the password into the form field, and that's a major PITA for security-oriented users.

Edited by Jacques1
