1

I have a login.html page with a form. The form takes in username and password and then calls the home.php page. The home.php page assigns the username and password to a variable.

$username = $_POST["username"];
$password = $_POST["password"];

I also have a changepassword.html form page which takes in oldpassword and newpassword and calls the changepassword.php page.

The changepassword.php page assigns the old and new passwords to variables:

$oldpassword = $_POST["oldpassword"];
$newpassword = $_POST["newpassword];

On this page, I also have a link to go back to the home.php page but when I click on it, it gives me the following two error lines:

Notice: Undefined index: username in [path] on line 19
Notice: undefined index: password in [path] on line 20

I suspect that this is because changepassword.html form did not have those variables so it never got saved on $_POST.

So when I am calling the home page from changepassword.php page (instead of the login.html page), there is nothing to assign to those variables.

I want to get rid of those errors but dont know how. I would have thought when I logged in originally, session_start() would have saved username and password.

I have session_start() at the start of all files (dont know if that is correct).

cнŝdk
  • 31,391
  • 7
  • 56
  • 78
Gil
  • 515
  • 2
  • 10
  • 24
  • Surely you have the username available (or can get it from the database) when you change the password. And you do have the password. It's just a matter of providing them to the destination script, which expects it as a POST, so you'll need to create a form with that data as hidden inputs. – jcaron Dec 16 '15 at 09:32
  • argh, its like other posts that have the same question hide while I am researching it and all come out after I post it :( – Gil Dec 16 '15 at 09:33
  • Try putting `@` sign just before the variables. Like: @$username – Ozan Kurt Dec 16 '15 at 09:34
  • Note that if `home.php` is indeed a "home page" where users can go back in many cases (other than just after login), checking the username and password at this point is not a good idea. You should have another script to validate the username/password which then sets some sort of authentication token, and only that token should be checked by any of the login-protected pages. – jcaron Dec 16 '15 at 09:36
  • @OzanKurt wow... magic. It worked. Thanks heaps! Going to look it up now to see what it did. – Gil Dec 16 '15 at 09:37
  • @jcaron ah I see. Thanks for that. Ill research that bit. Cheers! – Gil Dec 16 '15 at 09:38
  • @HoGil Did you see my answer? – Praveen Kumar Purushothaman Dec 16 '15 at 09:42

1 Answers1

6

Have a simple ternary condition:

$username = isset($_POST["username"]) ? $_POST["username"] : "";
$password = isset($_POST["password"]) ? $_POST["password"] : "";

So you need to make sure of three things then:

  1. The <form> method. It should be always set to method="post".
  2. The <input /> element. It should have explicit name, name="username".
  3. The required attribute: This ensures that empty data is not sent.

So finally, a sample of your code should have:

<form method="post" action="">
  <input type="text" name="username" required="required" />
</form>

Note: I left out all the unnecessary elements.

You also do have another way to do this. By using the warning suppressing mechanism. Put an @ symbol before the error causing syntax. In this case, the $_POST:

$username = @$_POST["username"];
$password = @$_POST["password"];

But this is not recommended. So use it carefully.

Praveen Kumar Purushothaman
  • 164,888
  • 24
  • 203
  • 252