0

So, a mistake in POST: I tried to send the variable login through load, but when I try to receive it in sea.php it gives me a mistake.

JS code:

$(document).on('click','#sea_submit', function () {
    var login = $("input[name=log]").val();
    if (login != "")
    {
        $("#din_content").load("sea.php", {login:login});
        return false;
    }
});

PHP code:

$login=stripslashes(strip_tags($_POST['login'])); //mistake here
// I tried  and like that $login = $_POST['login'];
if ((isset($login)) && (!empty($login)))
{
    $result=mysql_query("SELECT * FROM users WHERE Login='$login'",$db);
    if (empty($result))
    {
        printf("The user with login=".$login." not found");
    }
    else 
    {
        $row=mysql_fetch_result($result);
       //code
    }
}

HTML code:

<form>
 <div id="sea_cr_login">
        <h2 class="sea_names">Login:</h2>
        <div>
            <div class="sea_labels">                        
                <label class="sea_var">Login:</label>
                <input class="sea_ch" name="log" type="text" maxlength="16" size="10">
            </div>
        </div>
    </div>
    <div class="cleaner"></div>
    <div id="sea_sub">
        <input type="submit" value="sea" id="sea_submit">
    </div>  
</form>
ZeroVash
  • 1
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 09 '15 at 20:00
  • 1
    And this mistake is...? You are also vulnerable to [sql injection attacks](http://bobby-tables.com). – Marc B Jun 09 '15 at 20:03
  • WAIT! Are you saying the code you originally posted was wrong? – Jay Blanchard Jun 09 '15 at 20:08
  • Yes, but now it is correct. But the mistake is still there – ZeroVash Jun 09 '15 at 20:10
  • What is the mistake? – Jay Blanchard Jun 09 '15 at 20:10
  • POST http://localhost/fold/sea.php [HTTP/1.0 500 Internal Server Error 1ms] – ZeroVash Jun 09 '15 at 20:13
  • 1
    That means there is something wrong with your PHP. Is that *all* of the PHP in the file? – Jay Blanchard Jun 09 '15 at 20:14
  • Actually no, there are another 300 lines, but as soon as I delete this line `$login=stripslashes(strip_tags($_POST['login']));` it works without mistakes – ZeroVash Jun 09 '15 at 20:15
  • There is *nothing* wrong with that line outside of a best practices issue. Change the line to `$login = $_POST['login'];` just to test. – Jay Blanchard Jun 09 '15 at 20:16
  • Yes, the same mistake. If I put this line in a comment everything works. Also, you said that is not the best way to do it; what would be the best way, if I have one page and jQuery always loads the content that the user needs? – ZeroVash Jun 09 '15 at 20:22
  • Post your HTML form. If you feel it's not part of the problem, great. Otherwise, we don't know if your syntax is correct. @alex_mike – Funk Forty Niner Jun 09 '15 at 20:25
  • 3
    You're too far removed from best practice at this point. Try this instead - `$login = mysql_real_escape_string($_POST['login']);` and comment out everything below the line to make sure this line works. Using this function *is much better than* what you're doing now. – Jay Blanchard Jun 09 '15 at 20:29
  • Yes, I'm sure. I put `alert(login);` in jQuery to make sure that it works – ZeroVash Jun 09 '15 at 20:33
  • Using `$login = mysql_real_escape_string($_POST['login']);` it doesn't give me any mistake – ZeroVash Jun 09 '15 at 20:37
  • 2
    Hallelujah! Now you can start uncommenting other code until you find the error. – Jay Blanchard Jun 09 '15 at 20:39
  • Also, is it OK to structure the web site as one page with jQuery loading the content, instead of creating 10 pages and moving from one to another? – ZeroVash Jun 09 '15 at 20:40
  • Sure, there is no problem with that. – Jay Blanchard Jun 09 '15 at 20:41
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/80106/discussion-between-alex-mike-and-jay-blanchard). – ZeroVash Jun 09 '15 at 20:41
  • Is this question still considered open? Or has the answer below solved it? I don't see a green ticky, so this tells us that the question is still open/unsolved. @alex_mike – Funk Forty Niner Jun 09 '15 at 21:03

1 Answer

3

You have (prior to the OP's edit) mis-matched variable names. You're sending login_sch so you have to change this line:

$login=stripslashes(strip_tags($_POST['login_sch'])); //mistake here

Ideally you should change the line to use mysql_real_escape_string() as it is much more effective than the two nested functions you have now:

$login = mysql_real_escape_string($_POST['login']);

Your script is at risk for SQL Injection which needs to be fixed as soon as possible.

If you can, you should stop using mysql_* functions. They are no longer maintained and are officially deprecated. Learn about prepared statements instead, and consider using PDO, it's really not hard.

If you're set on building your own login system you should start with having the proper basics in place - Use the proper methods to hash passwords with PHP.

Community
Jay Blanchard
  • I'm sorry, but it was my mistake when I created the post with login_sch; even if it is login it still gives me the mistake – ZeroVash Jun 09 '15 at 20:09
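
The prepared-statement approach recommended in the answer, as an added example that is not part of the original question, answer or comments. It assumes PDO with an in-memory SQLite table standing in for the MySQL `users` table (needs the `pdo_sqlite` extension); `find_user_by_login` and the sample row are hypothetical. It also decides "not found" from the fetched row, since a query handle for a `SELECT` is not empty just because no row matched.

```php
<?php
// Added example: look up a user by login with a PDO prepared statement.
// Constructed setup: an in-memory SQLite database stands in for the MySQL
// `users` table from the question; the row and function name are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, Login TEXT UNIQUE)');
$db->exec("INSERT INTO users (Login) VALUES ('alice')");

/**
 * Returns the matching row as an array, or null when no user has that login.
 */
function find_user_by_login(PDO $db, $login)
{
    // Reject missing or non-string input (login[]=x arrives as an array) and
    // enforce the form's maxlength="16" on the server, where it actually counts.
    if (!is_string($login) || $login === '' || strlen($login) > 16) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, Login FROM users WHERE Login = :login');
    $stmt->execute([':login' => $login]);
    // fetch() returns false when zero rows matched.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal login, one with SQL metacharacters, a missing field.
// In sea.php the value would come from $_POST['login'] (checked with isset() first).
$samples = ['alice', "x' OR '1'='1", null];
foreach ($samples as $input) {
    $row = find_user_by_login($db, $input);
    // Escape before echoing: the response is injected into #din_content as HTML.
    $shown = htmlspecialchars((string) $input, ENT_QUOTES, 'UTF-8');
    if ($row === null) {
        echo "The user with login=" . $shown . " not found\n";
    } else {
        echo "Found user #" . $row['id'] . " (" . $shown . ")\n";
    }
}
```

Run from the command line, only `alice` is found; the quoted input is compared as a literal string and matches nothing.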