1

I am making this simple code for authentication of a user. The page with the form is login.php, with the following code.

login.php :

<html>    
<body>  

<div style="position:absolute;left:300px;top:300px;width:300px;height:100px;z-index:9;>  

<form name="form1" method="POST" action="check.php">  
Username:<br />  
  <input type="text" name="Username" />  
  <br /><br />   
  Password:<br />  
  <input type="password" name="Password" />  
  <br /><br /><br/>  
  <input type=button onClick="location.href='check.php'" value='Continue'       name='continue'/>  
  </form>  
</div>  
</body>  
</html>  

The form field values are being used in the next PHP page with the following code:

check.php :

<?php
session_start();
$con = mysql_connect("localhost", "root", "");
mysql_select_db("aviation", $con) or die(mysql_error());
if (isset($_POST['continue'])) {
    $userName = $_POST[Username];
    $passWord = $_POST[Password];
    mysql_select_db('aviation');
    $query = "select * from users where Username='" . $userName . "'and     Password='" . $passWord . "'";
    $result = mysql_query($query, $con);
    if (!$result) {
        die('Could not enter data: ' . mysql_error());
    }
    $rows = mysql_num_rows($result);
    if ($rows == 1) {
        $_SESSION['Username'];
        $_SESSION['Password'];
        echo "Successful";
        echo "<BR>";
        echo "You are authorized to update the status of Bays.";
        echo "<BR>";
        $Msg = "Redirecting....";
        echo '<script type="text/javascript">  
         alert("' . $Msg . '");  
  </script>';
        header("location:upbstatus.php");
    } elseif ($userName == "" || $passWord == "") {
        $errorMsg = "Data was not entered <br/> Enter Username and Password";
        echo '<script type="text/javascript">  
         alert("' . $errorMsg . '");  
  </script>';
    } else {
        $errorMsg = "Data Does Not Match <br/> Re-Enter Username and Password";
        echo '<script type="text/javascript">  
         alert("' . $errorMsg . '");  
  </script>';
    }
    } else {
        echo ("  =============== not SET ===============");
    }
?>

It always returns: =============== not SET ===============

I am so stuck on why this is happening. Can anybody help please? It'll be appreciated.
Thank you.

Shiplu Mokaddim
Sara Khurshid

4 Answers

2

Your onclick (onClick="location.href='check.php'") event handler is requesting check.php before the form can make a POST request. Once the button is clicked it redirects to check.php which sends a GET request to check.php NOT POST.

To fix it you need to change the button to a submit typed input.

   <input type='submit' value='Continue' name='continue' />  

Additional information:

  1. Quote array indices. Like $_POST['Username']
  2. Escape parameters in SQL using mysql_real_escape_string, or use prepared statements.
Shiplu Mokaddim
1

There are a few issues with the code:

Weird form behaviour

<input type=button onClick="location.href='check.php'" value='Continue'       name='continue'/>  

Why are you doing this? This wouldn't send the username and password fields at all, because the browser will redirect before the form is submitted. If you want to submit the form when clicked, use <input type="submit">

<input type="submit" value="Continue" name="continue" />

Quote array indices

$userName = $_POST[Username];  
$passWord = $_POST[Password];  

This causes notices to be raised in PHP because the constant Username doesn't exist. Use this instead:

$userName = $_POST['Username'];
$passWord = $_POST['Password'];

I won't get into the scenario where $_POST['Username'] might not be set.

Escape variables in SQL

$query = "select * from users where Username='".$userName."'and     Password='".$passWord."'";  

This is dangerous; you should escape the variables properly:

$query = sprintf("select * from users where Username='%s' and Password='%s'",
    mysql_real_escape_string($userName),
    mysql_real_escape_string($passWord)
);

Don't store passwords in plain text

Storing passwords in plain text is just asking for trouble. Use bcrypt to store a hash of the password instead.

See also: Secure hash and salt for PHP passwords

Don't use mysql_xx functions

This feature is deprecated in favour of PDO / mysqli and prepared statements.

Community
Ja͢ck
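
The points from the answer above (quoted array indices, a prepared statement through PDO, a bcrypt hash instead of a plain-text password) combined into one check.php, as an added example that is not part of the original answers. It assumes the Password column of users holds password_hash() output; the database name, table, columns and connection values are the ones from the question.

```php
<?php
// check.php, reworked as an added example (not code from the question or answers).
// Assumption: users.Password holds a hash created with
// password_hash($plain, PASSWORD_BCRYPT), not the plain-text password.
declare(strict_types=1);
session_start();

// Only handle a real form POST; a GET (e.g. from location.href) carries no fields.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['continue'])) {
    http_response_code(405);
    exit('Submit the login form to reach this page.');
}

// Quoted indices, and reject missing or non-string (array) values.
$userName = isset($_POST['Username']) && is_string($_POST['Username']) ? trim($_POST['Username']) : '';
$passWord = isset($_POST['Password']) && is_string($_POST['Password']) ? $_POST['Password'] : '';
if ($userName === '' || $passWord === '') {
    exit('Enter Username and Password.');
}

// Connection values as in the question; a dedicated low-privilege account
// is preferable to root with an empty password.
$pdo = new PDO('mysql:host=localhost;dbname=aviation;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// The user name is bound as a parameter, so it is never parsed as SQL.
$stmt = $pdo->prepare('SELECT Username, Password FROM users WHERE Username = :u LIMIT 1');
$stmt->execute([':u' => $userName]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The password is checked against the stored hash, not compared inside the query.
if ($row === false || !password_verify($passWord, $row['Password'])) {
    // Same message for an unknown user and a wrong password.
    exit('Username or password is incorrect.');
}

session_regenerate_id(true);            // fresh session ID after a successful login
$_SESSION['Username'] = $row['Username'];
header('Location: upbstatus.php');      // sent before any output, so the redirect works
exit;
```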
0

Remove onClick in your submit button. While you're at it, fix your quotes.

frustratedtech
0
<form name="form1" method="POST" action="check.php">  
Username:<br />  
  <input type="text" name="Username" />  
  <br /><br />   
  Password:<br />  
  <input type="password" name="Password" />  
  <br /><br /><br/>  
  <input type="submit" value="Continue" name="continue"/>  
  </form> 
Xfile