
Using POST in a Username and Password


davidd07


I am using POST, and it initially works well when using the Username and Password; in the next step I use file_get_contents on a TXT file and explode the contents.

The problem is that I don't get a response message.

It may have something to do with if($password == $passwordCompare) {

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">  

  <p>You can create your own password or generate a password, leave the password box empty to generate a password.</p>

  <div>
    <label>Username:</label>
    <input type="text" name="username" value="<?php echo $name;?>">
    <span class="error">* <?php echo $usernameErr;?></span>
  </div>

  <br>

  <div>
    <label>Password:</label>
    <input type="password" name="password" value="<?php echo $password;?>">
    <span class="error">* <?php echo $passwordErr;?></span>
  </div>

  <br>

  <input type="submit" name="submit" value="Submit">  
</form>

 

<?php
$usernameErr = $passwordErr = $websiteErr = "";
$username = $password = $website = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    
    if (empty(trim($_POST["username"]))) {
        $usernameErr = "Username is required";
    } else {
        $username = test_input($_POST["username"]);
        
        if (!preg_match("/^[a-zA-Z0-9]*$/", $username)) {
            $usernameErr = "Only letters and numbers allowed";
        }
    }

    if (empty(trim($_POST["password"]))) {
        $passwordErr = "Password is required";
    } else {
        $password = test_input($_POST["password"]);
        
        if (!preg_match("/^[a-zA-Z0-9]*$/", $password)) {
            $passwordErr = "Only letters and numbers allowed";
        }
    }

    if ($username == true && $password == true) {

        $contents = file_get_contents("accounts.txt", true);
        $lines = explode("\n", $contents);

        $userfound = "N";
        for ($i=0; $i < count($lines)-1; $i++) {
            $fields = explode(" ", $lines[$i]);

            if ($fields[0] == $username) {
                $passwordCompare = $fields[1];
                $userfound = "Y";
            }
        }

        if($password == $passwordCompare) {
            $success = "<p class=\"success\">The username is already exists</p>";
            header("location: admin.php");
            exit;
        }
        else {
            if ($userfound == "Y") {
                $passwordErr = "Username/Password incorrect!";
            }
            else {
                $passwordErr = "Username/Password not found!";
            }
        }
    }
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>

 

Example of POST AND TXT

Edited by davidd07

it doesn't look like you are reading, understanding, or using the information from the previous threads.

your post method form processing should -

  1. detect if the post method form was submitted (it is actually doing this.)
  2. trim the input data, one time, then use the trimmed data throughout the rest of the code.
  3. validate the trimmed data.
  4. after the end of the validation logic, if there are no errors, use the submitted data. your current test - if ($username == true && $password == true) { doesn't do this. the $username and $password will be true values, even if they contain invalid characters. one of the points of remembering if there are any errors, by storing them in variable(s), is so that you can test if there are or are not any errors in your code. in your previous thread, i recommended using an array to hold the user/validation errors. if you do this, you can simply test if the array is empty() to determine if there are no validation errors.

the registration form and processing code should be very similar to the login form and processing code. the major differences are - 1) in the login processing, after trimming the data, you don't really care what characters the values contain, all you care about is if the username/password matches an entry in the data file and 2) the actual processing of the validated data is different. why do you have a bunch of different variable names between the two pieces of code? you even have a nonexistent $name variable in the username form value='...' attribute that should be producing a php error. why are you using file() in the registration code and file_get_contents() in the login code?

your logic in this code is unconditionally testing if the passwords match, without testing if the username was found.

as to this ridiculous test_input() function that you found on the web. the only thing it is doing that is correct is trimming the data. the function is improperly named (it's not testing anything), it should not unconditionally apply stripslashes (when this was necessary to do, it needed to be conditionally applied, but the need to do this has been removed from php for a long time), and htmlspecialchars is an OUTPUT function, do NOT apply it to the input data in your form processing code.
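
The processing order described in the reply above, as an added example that is not code from the thread or from either poster. The function name `process_login()`, the error keys and the sample account are hypothetical, and the data file is assumed to hold `password_hash()` output in its second field rather than the plain-text password the posted code compares.

```php
<?php
// Added example, not the thread's code. Assumed file format: "username hash"
// per line, where hash comes from password_hash() (an assumption).
function process_login(array $post, array $lines): array
{
    $errors = [];   // every validation/user error is collected here
    $data = [];
    foreach (['username', 'password'] as $key) {
        // Trim once and use only the trimmed copy; a non-string counts as missing.
        $data[$key] = is_string($post[$key] ?? null) ? trim($post[$key]) : '';
    }
    if ($data['username'] === '') {
        $errors['username'] = 'Username is required';
    }
    if ($data['password'] === '') {
        $errors['password'] = 'Password is required';
    }
    // Use the submitted data only when validation produced no errors.
    if (empty($errors)) {
        $hash = null;
        foreach ($lines as $line) {
            $fields = explode(' ', trim($line), 2);
            if (count($fields) === 2 && $fields[0] === $data['username']) {
                $hash = $fields[1];
                break;
            }
        }
        // The password is checked only when the username was found. One message
        // covers both failures, so the reply does not reveal which names exist.
        if ($hash === null || !password_verify($data['password'], $hash)) {
            $errors['login'] = 'Username/Password incorrect!';
        }
    }
    return ['data' => $data, 'errors' => $errors];
}

// Constructed sample data standing in for file('accounts.txt', FILE_IGNORE_NEW_LINES).
$lines = ['alice ' . password_hash('Secret123', PASSWORD_DEFAULT)];
$posts = [
    ['username' => ' alice ', 'password' => 'Secret123'],
    ['username' => 'alice', 'password' => 'wrong'],
    ['username' => 'bob', 'password' => 'Secret123'],
    ['username' => '', 'password' => ''],
];
foreach ($posts as $post) {
    $r = process_login($post, $lines);
    // htmlspecialchars is applied here, on output, never to the input data.
    echo htmlspecialchars($r['data']['username'], ENT_QUOTES), ': ',
         empty($r['errors']) ? 'ok' : implode(', ', $r['errors']), "\n";
}
```

In a real page the success branch would start the session and send the `header("location: ...")` redirect before any output, and the password form field would not be re-populated with the submitted value.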
