Could someone help me here (newbie alert)? I'm putting together a login/register/admin page.

I have no idea why I've gotten undefined variables when I think I've defined them on this specific page.

Notice: Undefined variable: fname in F:\Uni\log-on\mysql-project-users-add.php on line 34

Notice: Undefined variable: insert in F:\Uni\log-on\mysql-project-users-add.php on line 42

```php
<?php

$host = 'localhost';
$user = 'tim_williams';
$pass = 'baroness';
$db  = 'php_db05';

$link = mysqli_connect($host, $user, $pass, $db);

if(!$link) {
  die("Database connection failed: " . mysqli_connect_error());
}


if(isset($_POST['submit'])) {
  $fname     = mysqli_real_escape_string($link, $_POST['fname']);
  $lname     = mysqli_real_escape_string($link, $_POST['lname']);
  $email     = mysqli_real_escape_string($link, $_POST['email']);
  $password1 = mysqli_real_escape_string($link, $_POST['password1']);
  $password2 = mysqli_real_escape_string($link, $_POST['password2']);
  if($password1 != $password2) {
    echo "Error : Passwords must match each other";
  }else{
    $password = sha1(mysqli_real_escape_string($link, $_POST['password1']));
    $username  = strtolower($fname.substr($lname,0,1));
    $dateTime   = date('Y-m-d g:i:s',time());
  }
}


if ($fname && $lname && $email && $password && $username && $dateTime) {
    $qry  =  "INSERT INTO registeredusers (UserID, UserName, FirstName,  Surname, EmailAddress, Password, LastLogin)
              VALUES ('','$username','$fname', '$lname', '$email',  '$password','$dateTime')";
    $insert = mysqli_query($link, $qry);

}


if($insert) {
  header("Location: mysql-project-users-login.php");
  exit;
}

mysqli_close($link);


?>


<!DOCTYPE html>
<html>
  <head>
    <link rel="stylesheet" href="./css/layout.css" media="screen" type="text/css">
    <link rel="stylesheet" href="./css/menu.css" media="screen" type="text/css">
    <meta charset="utf-8">
    <title>New User Registration</title>
  </head>
  <body>
    <div class="holder">

      <div class="header"></div>
      <div class="navbar">
        <nav>
          <ul>
            <li><a href="mysql-project-users-login.php">Login</a></li>
            <li><a href="mysql-project-users-add.php">Register</a></li>
          </ul>
        </nav>
      </div>
      <div class="content">
        <div class="pageheading">
          <h1>Register</h1>
        </div>
        <div class="contentleft">
          <h2>Welcome to my site</h2><br />
          <h6>Please register an account with us to access main content and more.</h6>
        </div>
        <div class="contentright">
          <form class="registerform" action="" method="post">
            <input class="styletxtfield" type="text" name="fname" placeholder="First Name" value=""><input class="styletxtfield forminput" type="text" name="lname" placeholder="Last Name" value=""><br /><br />
            <input class="styletxtfield" type="text" name="email" placeholder="Email address" value=""><br /><br />
            <input class="styletxtfield" type="password" name="password1" placeholder="Password" value=""><input class="styletxtfield forminput" type="password" name="password2" placeholder="Confirm Password" value=""><br /><br />
            <input type="submit" name="submit" value="submit">
          </form>
        </div>

      </div>
      <div class="footer"></div>

    </div>

</body>
</html>
```
Tim Williams
  • What does `echo $_POST['submit']` give you? (Before the `if` condition.) – bloodyKnuckles Jun 09 '16 at 13:36
  • Just get rid of all this `if ($fname && $lname && $email && $password && $username && $dateTime) {` and check if any are `!empty()` under your `if(isset($_POST['submit'])) {...}`. – Funk Forty Niner Jun 09 '16 at 13:38
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jun 09 '16 at 13:41
  • This isn't for a live site or is live already I hope? – Funk Forty Niner Jun 09 '16 at 13:41
  • Instead of using `if ($fname && $lname && && &&...` define criteria, which your input data have to fulfill (for example `$fname!==''`), and kick the useless checks like the one for `$dateTime`. – syck Jun 09 '16 at 13:44
  • No, it's not live, simply trying to learn PHP, this is me trying to learn the ropes – Tim Williams Jun 09 '16 at 14:04
  • You really shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 09 '16 at 14:16
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 09 '16 at 14:16

1 Answer

Nope. When you have not sent the form, which is the case when you first go to your page, those variables are not initialized anywhere. You must add your if command:

```php
if ($fname && $lname && $email && $password && $username && $dateTime) {
...
}
```

inside this IF:

```php
if(isset($_POST['submit'])) {
```
nospor
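
The answer's fix (do all the work inside the submit check) combined with the prepared-statement and password-hashing advice from the comments, as an added example that is not part of the original question or answer. It assumes PHP 7+, that `$link` is the `mysqli` connection opened as in the question, that `UserID` is `AUTO_INCREMENT`, and that the `Password` column is at least `VARCHAR(255)`; `register_user` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumes $link is the mysqli connection
// from the question, UserID is AUTO_INCREMENT and Password is VARCHAR(255).

// Returns a list of error messages; an empty list means the row was inserted.
function register_user(mysqli $link, array $post): array
{
    // Read every field with a default so no variable is ever undefined.
    $fname     = trim($post['fname'] ?? '');
    $lname     = trim($post['lname'] ?? '');
    $email     = trim($post['email'] ?? '');
    $password1 = $post['password1'] ?? '';   // never escape or trim a password
    $password2 = $post['password2'] ?? '';

    $errors = [];
    if ($fname === '' || $lname === '') {
        $errors[] = 'First and last name are required';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required';
    }
    if ($password1 === '' || $password1 !== $password2) {
        $errors[] = 'Passwords must be non-empty and match each other';
    }
    if ($errors) { return $errors; }

    $username = strtolower($fname . substr($lname, 0, 1));
    $hash     = password_hash($password1, PASSWORD_DEFAULT); // salted; replaces sha1()
    $dateTime = date('Y-m-d H:i:s');                         // 24-hour clock

    // Placeholders keep user input out of the SQL text, so no escaping is needed.
    $stmt = mysqli_prepare($link,
        'INSERT INTO registeredusers
             (UserName, FirstName, Surname, EmailAddress, Password, LastLogin)
         VALUES (?, ?, ?, ?, ?, ?)');
    if (!$stmt) { return ['Could not prepare the statement']; }
    mysqli_stmt_bind_param($stmt, 'ssssss',
        $username, $fname, $lname, $email, $hash, $dateTime);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok ? [] : ['Could not create the account'];
}

// Page flow: validate and insert only inside the submit check, so a plain GET
// of the page touches none of the form variables.
$errors = [];
if (isset($_POST['submit'])) {
    $errors = register_user($link, $_POST);
    if (!$errors) { header('Location: mysql-project-users-login.php'); exit; }
}
```

At login, check the stored value with `password_verify($submitted, $row['Password'])` rather than comparing hashes directly.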