1

I'm putting together a registration/login form in PHP using Netbeans. To implement this, I have my login, registration and database connection functionality in a scripts.php file, which is loaded via an include call.

Well, my login function uses this

$username = mysql_real_escape_string($_POST['username']);
$password = sha1(mysql_real_escape_string($_POST['password']));
$query = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, $password);

$link = connectDB();

$results = mysqli_query($link, $query);

to connect to the db and get the results. Validation happens later on.

For my registration logic, I use almost the same thing:

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

//check if user name and password match conditions
$link = connectDB();
$query = "SELECT * FROM users WHERE username = '" . $username . "'";
$results = mysqli_query($link, $query);

The registration page loads fine, but the login page has an error text printout saying that there is an undefined index 'username' in the login function. This occurs as the page loads, and no functions have been called.

However, with almost the same layout in the registration function, I don't get the error.

Why is this occuring?

EDIT

I found the issue.

I was opening the database connection using mysqli_connect, but using the mysql-real_escape_string function. The two are incompatible, and adding the i made all the different.

Jason
  • 11,263
  • 21
  • 87
  • 181
  • 1
    This would imply that `$_POST` has no element with the key `;username'`... – Oliver Charlesworth May 25 '12 at 00:51
  • you need to check `isset($_POST['username'])` first since the form has not yet posted. This asked quite often, and the answer is pretty much always the same. http://stackoverflow.com/search?q=%5Bphp%5D+undefined+index – Michael Berkowski May 25 '12 at 00:51
  • Sounds like you are checking $_POST['username'] whether or not the form was posted. When it isn't posted, `username` is an undefined index in the $_POST array. – drew010 May 25 '12 at 00:51
  • So why is one function not throwing this error, but another is? – Jason May 25 '12 at 00:52
  • @Jason: Because in one case you will have sent a POST variable called `username`, and in the other case not. – Oliver Charlesworth May 25 '12 at 00:53
  • @Jason because on the first page load, the form has not been posted and those `$_POST` keys aren't set. Following a form post, they are populated, hence no notice. – Michael Berkowski May 25 '12 at 00:53
  • possible duplicate of [PHP: Avoid undefined index?](http://stackoverflow.com/questions/5839726/php-avoid-undefined-index) – Michael Berkowski May 25 '12 at 00:54
  • @Michael, maybe I'm being a little dense, but why does the interpreter care if a value is set if the function is not being called? The functionality above is executed on a form submit, yet I'm getting this error on initial page load. Where is the $_POST access call coming from? – Jason May 25 '12 at 01:02
  • @Jason: It's impossible to say, because you haven't shown all of your code. But the above code (or something similar to it) is clearly being executed. – Oliver Charlesworth May 25 '12 at 01:04
  • @OliCharlesworth, very true, but I don't think its a good idea for me to post 200-ish lines of php/html... – Jason May 25 '12 at 01:05
  • @Jason: I agree! You should create a [minimal test-case](http://sscce.org), and post that instead. – Oliver Charlesworth May 25 '12 at 01:06

1 Answers1

2

Several points, which may or may not be related to your question but that I simply cannot overlook:

  1. SQL-escaping a string is always the last thing that happens. Don't SQL-escape a string, then sha1 it. See The Great Escapism to learn what escaping is all about.
  2. When using mysql_real_escape_string, you need to connect to the database first before calling this function, since it needs to have an established database connection to do its job.
  3. You are mixing the mysql and mysqli extensions. Use one or the other, not functions of both.
  4. If you're using mysqli (and you should!), use prepared statements instead of manually SQL-escaping the string and sprintf.

In other words, currently you are doing it entirely wrong. Fix those things first and your problem may go away with it.

Community
  • 1
  • 1
deceze
  • 510,633
  • 85
  • 743
  • 889
  • Check my edit, #3 was spot on. I missed appending the i to mysql_real_escape_string. Your other points are valid and I will keep them in mind. – Jason May 25 '12 at 01:30
  • 2
    Don't just keep them in mind, stop using `sprintf` and `*_real_escape_string` and use parameterized/prepared statements instead. – deceze May 25 '12 at 01:32