getting notice like undefined index

Question

$result = mysql_query("SELECT * FROM customers 
WHERE loginid='$_POST[login]' AND accpassword='$_POST[password]'");


    if(mysql_num_rows($result) == 1)
{
    while($recarr = mysql_fetch_array($result))
    {

    $_SESSION[customerid] =     $recarr[customerid];
    $_SESSION[ifsccode] =   $recarr[ifsccode];
    $_SESSION[customername] =   $recarr[firstname]. " ". $recarr[lastname];
    $_SESSION[loginid] =    $recarr[loginid];
    $_SESSION[accstatus] =  $recarr[accstatus];
    $_SESSION[accopendate] =    $recarr[accopendate];
    $_SESSION[lastlogin] =  $recarr[lastlogin];     
    }
    $_SESSION["loginid"] =$_POST["login"];
    header("Location: accountalerts.php");
}
else
{
    $logininfo = "Invalid Username or password entered";
}

Notice: Undefined index:login and Notice: Undefined index:password try to help me out getting error message in second line

The mysql extension is deprecated. You should move onto pdo or mysqli. Also, you should be validating your POST values, as you are leaving yourself open to SQL injection. — Chris Henry, Jun 28 '13 at 22:32

score 0 · Answer 1 · answered Jun 28 '13 at 22:23

It seems as if u did not pass the POST params used inside your query:

>     $result = mysql_query("SELECT * FROM customers 
>     WHERE loginid='$_POST[login]' AND accpassword='$_POST[password]'");

You have to send key value pairs explicitly to your script. One for login and one for password.

Sammitch · Answer 2 · 2013-06-28T22:33:51.650

You need to wrap the index names in quotes, and your query string is hella messy.

$query = sprintf(
            "SELECT * FROM customers WHERE loginid='%s' AND accpassword='%s'",
            $_POST['login'],
            $_POST['password']);
$result = mysql_query($query);

That whole thing should be wrapped in a block like:

if( isset($_POST['login']) && isset($_POST['password']) ) {
    //code here
} else {
    echo "No username/password supplied.";
}

mysql_* functions are going away, learn to use mySQLi or PDO.
Your query is as wide-open to SQL injection as anything could ever possibly be. Look into parameterized queries with mySQLi or PDO, or at least validating your data before including it in your query.

Here's a PDO example:

//create DB object
$dbh = new PDO('mysql:host=mysql.domain.com;dbname=mydb', $username, $password);
//write query
$query = "SELECT * FROM customers WHERE loginid = ? AND accpassword = ?";
//define parameters to replace ?
$params = array($_POST['login'], $_POST['password']);
//prepare the statement
$sth = $dbh->prepare($query);
//execute
if( ! $sth->execute($params) ) {
    //error reporting
    die('Query failed: ' var_export($dbh->errorInfo(), true));
}
//fetch all results as associative array
$results = $dbh->fetchAll(PDO::FETCH_ASSOC)l
//display
var_dump($results);

getting notice like undefined index

2 Answers2