Error session variable not displaying message in another php file

[Alexa]

Hi!
I have 2 files based on the Model View Arhitecture.

The file login.php and the config file containing the db connection are in the model folder and the login_view is in view folder.

I am trying to make a login form am display some error messages to the user, but I don't get the error messages.

Can you help me figure it out?

PS: the connection to the db works fine!

Thx!

LOGIN.PHP

<?php
 //start the session
 session_start();
 foreach (glob("model/*.php") as $filename) {
    include $filename;
}

 //form defaults
 $error["alert"]= "";
 $error["user"]= "";
 $error["pass"]= "";
 $input["user"]= "";
 $input["pass"]= "";

if(isset($_POST["submit"]))
{
    //process form
    if($_POST["username"] == "" || $_POST["password"] == ""){
        //display errors
        if($_POST["username"] == ""){$error["user"] = "required";}
        if($_POST["password"] == ""){$error["pass"] = "required";}
        $error["alert"] = "Please fill in the required fields";

        //get the values for the username and password
        $input["user"]= $_POST["username"];
        $input["pass"]= $_POST["password"];
   
        include("../views/login_view.php");
    }
}else{
    include("../views/login_view.php");
}

LOGIN_VIEW.PHP

<?php
    session_start();
    foreach (glob("model/*.php") as $filename) {
        include $filename;
    }
?>
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->

<!--author:starttemplate-->
<!--reference site : starttemplate.com-->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="keywords"
          content="unique login form,leamug login form,boostrap login form,responsive login form,free css html login form,download login form">
    <meta name="author" content="leamug">
    <title>Unique Login Form | Bootstrap Templates</title>
    <link href="/styles/style.css" rel="stylesheet" id="style" type="text/css">
    <!-- Bootstrap core Library -->
    <link href="//netdna.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
    <script src="//netdna.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js"></script>
    <script src="//code.jquery.com/jquery-1.11.1.min.js"></script>
    <!-- Google font -->
    <link href="https://fonts.googleapis.com/css?family=Dancing+Script" rel="stylesheet">
    <!-- Font Awesome-->
    <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css" rel="stylesheet">
</head>
<body>

<!-- Page Content -->
<div class="container">
    <div class="row">
        <div class="col-md-offset-5 col-md-4 text-center">
            <h1 class='text-white'>Login Form</h1>
            <form action ="" method="POST">
              <div class="form-login"></br>
                </br>
                <?php
                    if($error["alert"] != ''){
                        echo "<div class='alert'>".$error["alert"]."</div>";
                    }
                ?>
                <div>
                    <input type="text" name ="username" id="userName" class="form-control input-sm chat-input" placeholder="Username" value= "<?php echo $input['user'] ?>" required/>
                    <?php echo $error['user'] ?>
                </div>
                </br></br>
                <input type="text" name ="password" id="userPassword" class="form-control input-sm chat-input" placeholder="Password" value= "<?php echo $input['password'] ?>" required/>
                <div class="error"> <?php echo  $error['pass'] ?>
                </br></br>
                <div class="wrapper">
                <input type="submit" class="btn btn-primary" value="submit">
                 
                </div>
            </div>
        </div>
    </form>
    </div>
</div>
</body>
</html>

 

Edited October 28, 2020 by Alexa

[gw1500se]

I see the session start but I don't see where you set any $_SESSION variables. Where is the code that outputs the error you say is not showing up?

[Alexa]

<?php
     if($error["alert"] != ''){
         echo "<div class='alert'>".$error["alert"]."</div>";
      }
?>

I also tried to add session variables and the result is the same

Edited October 28, 2020 by Alexa

[Alexa]

I also tried to add session variables and the result is the same

 

[cyberRobot]

Try adding some echo statements to your if constructs where you test the form input. That way you can make sure the code is executing properly. For example, you could try something like this:

if(isset($_POST["submit"]))
{

    echo '<br>form submission detected';

    //process form
    if($_POST["username"] == "" || $_POST["password"] == ""){

        echo '<br>either username or password is blank';

 

Note that you'll want to comment out or remove the session code in your login_view.php file to avoid errors caused by the above echo statements. That session code isn't necessary anyways since you already started the session in your login.php file.

[Alexa]

cyberRobot, thanks for the advice. I noticed there is a problem with the if(isset($_POST["submit"])), but I don't know how to solve it

[cyberRobot]

What was the problem that you noticed? Are you getting an error? If so, what is it?

If you haven't done so already, it may help to set PHP to display all errors. You could add the following code to the top of login.php:

//REPORT ALL PHP ERRORS
error_reporting(E_ALL);
ini_set('display_errors', 1);

Just remember to remove the code when you are done debugging the script.

[benanamen]

You have made a classic mistake of depending on the name of a button to be submitted for your code to work instead of checking the POST Request Method. Since you didn't name your submit button, the code does not do anything. The fix is NOT to add a name to the button, but to instead check the REQUEST METHOD instead.

Depending on the name of a button to be submitted will completely fail in certain cases.
 

if($_SERVER['REQUEST_METHOD'] == ‘POST’){

// Do stuff

}

Your error checks will also fail. You need to trim the entire POST array and then check for empty.

Do not create variables for nothing.

Your code is also vulnerable to an XSS Attack. You are allowing user supplied data directly in your form.

Edited October 28, 2020 by benanamen

[Alexa]

20 hours ago, cyberRobot said:

What was the problem that you noticed? Are you getting an error? If so, what is it?

If you haven't done so already, it may help to set PHP to display all errors. You could add the following code to the top of login.php:

//REPORT ALL PHP ERRORS
error_reporting(E_ALL);
ini_set('display_errors', 1);

Just remember to remove the code when you are done debugging the script.

So, I had some undefined variable errors and I solved them by deleting that code from the login_view.php file, as  I don't need them now. But if I leave the input fields empty and hit submit, the problem remains the same: nothing happens, no error messages displayed

[Alexa]

16 hours ago, benanamen said:

You have made a classic mistake of depending on the name of a button to be submitted for your code to work instead of checking the POST Request Method. Since you didn't name your submit button, the code does not do anything. The fix is NOT to add a name to the button, but to instead check the REQUEST METHOD instead.

Depending on the name of a button to be submitted will completely fail in certain cases.
 

if($_SERVER['REQUEST_METHOD'] == ‘POST’){

// Do stuff

}

Your error checks will also fail. You need to trim the entire POST array and then check for empty.

Do not create variables for nothing.

Your code is also vulnerable to an XSS Attack. You are allowing user supplied data directly in your form.

I tried and implemented your suggestion, but the problem remains the same..

[cyberRobot]

Just to make sure, for benanamen's suggestion, you should replace the following line:

if(isset($_POST["submit"]))

With the line below. Note that I removed the curly / smart quotes around POST.

if($_SERVER['REQUEST_METHOD'] == 'POST')

I would also add some sort of debug code to see if the if test is working. For example,

if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    echo '<br>form submission detected';

Does the script display "form submission detected" after submitting the form? Also, if the script still doesn't work as you expect, please post your most recent code.

[Alexa]

22 hours ago, cyberRobot said:

Just to make sure, for benanamen's suggestion, you should replace the following line:

if(isset($_POST["submit"]))

With the line below. Note that I removed the curly / smart quotes around POST.

if($_SERVER['REQUEST_METHOD'] == 'POST')

I would also add some sort of debug code to see if the if test is working. For example,

if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    echo '<br>form submission detected';

Does the script display "form submission detected" after submitting the form? Also, if the script still doesn't work as you expect, please post your most recent code.

So, I tried your suggestion. The problem was that the form got submitted before entering the data. Anyway, https://codeshack.io/secure-login-system-php-mysql/ I found this site and from here I made a working login. I need to read more about php sessions and post and get. But one last question, for example if I start a session on the config/database.php file must I start another one in the login.php? Or the session must be uniquely defined in one folder?

 

Thank you for all the help. I will mark both answers as solution as they helped me kind of figure out the problem.

Edited October 30, 2020 by Alexa

[gw1500se]

Yes. Session start must be called on each page on which you want to share data.

[benanamen]

5 hours ago, Alexa said:

 I found this site and from here I made a working login.

Surprisingly, that tutorial got it pretty right. It could use a hand full of small improvements but overall they got it right.