-2

This is really starting to get annoying...

I'm trying to create a register page where it sends the username, password and security level.

HTML form

    <div class="login">
        <h1>Register</h1>
        <form method="POST" action="" name="register_form">
            <input type="text" name="user" placeholder="Username" required="required" />
            <input type="password" name="pass" placeholder="Password" required="required" />
            <input type="text" name="level" placeholder="LEVEL" value="1" disabled="true"/>
            <button type="submit" name="Register" class="btn btn-primary btn-block btn-large">Register</button>
        </form>
    </div>

And my PHP code which is in the same file...

    <?php
        require 'config/db_connect.php';

        if (isset($_POST['Register'])) {
            session_start();
            $username = $_POST['user'];
            $password = $_POST['pass'];
            $level = $_POST['level'];
            //$seccode = $_POST['seccode'];

            $sql = $con->query("INSERT INTO secure_login (email, password, lvl) VALUES('{$username}', '{$password}','{$level}')");
        }
    ?>

And I keep getting this error:

Notice: Undefined index: level in C:\xampp\htdocs\tools\register.php on line 8

  • 2
    disabled `input` elements don't get posted – billyonecan Jan 22 '16 at 08:10
  • 2
    side note: you should definitely(!) sanitize your inputs before pushing them into your database. and/or use parameterized queries. that code right there is predestined for [sql-injections](http://php.net/manual/de/security.database.sql-injection.php) – Franz Gleichmann Jan 22 '16 at 08:11
  • As already stated - disabled input elements do not get posted; you could use a `readonly` attribute instead. – Qirel Jan 22 '16 at 08:13
  • **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Jan 22 '16 at 10:39

1 Answer

1
Notice: Undefined index: level in C:\xampp\htdocs\tools\register.php on line 8

Happens when you try to access an array by a key that does not exist in the array.

Hint: to check the existence of the variable, do `print_r($_POST);`

Values for disabled form elements are not passed to the processor method. The W3C calls this a successful element. (This works similarly to form check boxes that are not checked.)

Instead of disabling the input, you should rather add some JavaScript to make it uneditable, like:

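    // Select the "level" input from the form and restore its value after each key press.
    var element = document.querySelector('input[name="level"]');
    var defaultValue = "hello";
    element.addEventListener("keyup", function (e) {
        this.value = defaultValue;
    });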

or just use `readonly` instead of `disabled`, or use `style="display: none"`.

For example:

    <input type="text" name="level" placeholder="LEVEL" value="1" style="display: none"/>

(I use this for hidden file upload forms.)

Because I got my coffee already:

Your database connection is (more or less) insecure. Try this example for a safe connection:

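    // $db_host, $db_name, $db_user and $db_pass hold your connection settings.
    $db = new PDO("mysql:host=$db_host;dbname=$db_name;charset=utf8", $db_user, $db_pass);
    // The ? placeholders keep user input out of the SQL text.
    $query = $db->prepare("INSERT INTO accounts(username, password) VALUES (?, ?)");
    $query->execute(array($username, $password));
    $db = null; // close the connection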
  • I put what you said to do, "readonly", still getting the error as well, and when I put in `print_r($_POST);` it is only showing the username and password? – Ace Jan 22 '16 at 08:18
  • Then you did not delete the disabled. Updated with a 100% working example. –  Jan 22 '16 at 08:18
  • Can you visit me here: http://chat.stackoverflow.com/rooms/17/javascript ? –  Jan 22 '16 at 08:20
  • Sorry, can't, not enough rep. And yeah, still happening even with your code – Ace Jan 22 '16 at 08:22
  • Do the following: add to the DOM form and give me the print_r result. –  Jan 22 '16 at 08:23
  • Array ( [user] => Ace [pass] => ace [level] => 1 [test] => Hello! [Register] => ) I can see now the level is showing up, but the error is still there as well and it's not adding to the database – Ace Jan 22 '16 at 08:25
  • $sql = $con->query("INSERT INTO secure_login (email, password, lvl) VALUES('$username', '$password','$level')"); –  Jan 22 '16 at 08:26
  • Uhh, thank you! That fixed it! – Ace Jan 22 '16 at 08:28
  • Check my answer again for a better database example. –  Jan 22 '16 at 08:29
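
A registration handler that follows the comments above, as an added example that is not part of the original question or answer: it uses a parameterized insert, stores a `password_hash()` value, and sets the level on the server, because `readonly` and hidden inputs are still submitted by the browser and can carry any value. In-memory SQLite stands in for the MySQL database so the script runs stand-alone; `register_user()` and `DEFAULT_LEVEL` are hypothetical names.

```php
<?php
// Added example, not code from the question or the answer.
// Assumptions: in-memory SQLite stands in for MySQL; table and column names
// come from the question; register_user() and DEFAULT_LEVEL are hypothetical.
declare(strict_types=1);

const DEFAULT_LEVEL = 1; // chosen by the server, never read from the form

function register_user(PDO $db, array $post): bool
{
    // Null-coalescing avoids the "Undefined index" notice for absent fields.
    $username = is_string($post['user'] ?? null) ? trim($post['user']) : '';
    $password = is_string($post['pass'] ?? null) ? $post['pass'] : '';
    if ($username === '' || $password === '') {
        return false; // reject incomplete submissions before touching the DB
    }
    // $post['level'] is deliberately never read: readonly, hidden and
    // display:none inputs are all client-controlled.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders send the values separately from the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO secure_login (email, password, lvl) VALUES (?, ?, ?)'
    );
    return $stmt->execute([$username, $hash, DEFAULT_LEVEL]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE secure_login (email TEXT, password TEXT, lvl INTEGER)');

// Constructed sample submissions (not real data).
$samples = [
    ['user' => 'Ace', 'pass' => 'ace', 'Register' => ''],      // level absent, as with a disabled input
    ['user' => "O'Brien", 'pass' => 'pw', 'level' => '9'],     // apostrophe in name, tampered level
    ['user' => 'nopass', 'Register' => ''],                    // missing password: rejected
];
foreach ($samples as $post) {
    $ok = register_user($db, $post);
    printf("%-8s inserted=%s\n", $post['user'], var_export($ok, true));
}

// Show what was stored: level is always the server default, password is a hash.
foreach ($db->query('SELECT email, password, lvl FROM secure_login') as $row) {
    $algo = password_get_info($row['password'])['algoName'];
    printf("%-8s lvl=%d stored_as=%s\n", $row['email'], $row['lvl'], $algo);
}
```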