So I have a PHP script that is supposed to receive information from a Java file, but for some reason I get this error:

Notice: Undefined index: user_name in C:\xampp\htdocs\login.php on line 3

Notice: Undefined index: password in C:\xampp\htdocs\login.php on line 4
login not success

Anyone know how to fix it? Java code:

    try {

        Scanner x;
        URL url = new URL("http://localhost:1234/login.php");
        URLConnection con = url.openConnection();
        con.setDoOutput(true);
        con.setDoInput(true);
        Formatter form = new Formatter(con.getOutputStream());
        form.format("user_name=123");
        form.format("&password=123");
        con.getInputStream();
        form.close();

        x = new Scanner(con.getInputStream());
        while(x.hasNext())
        {
            System.out.print(x.next());
        }
        x.close();
    } catch (MalformedURLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (IOException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

PHP code:

    <?php
    require "conn.php";
    $user_name = $_POST['user_name'];
    $user_pass = $_POST['password'];
    $mysql_qry = "SELECT * FROM employee_data WHERE username LIKE '$user_name' AND password LIKE '$user_pass';";
    $result = mysqli_query($conn,$mysql_qry);

    if(mysqli_num_rows($result) > 0)
    {
        echo "login  success";
    }
    else
    {
        echo "login not success";
    }

    ?>

  • SQL injections in all `POST` parameters. Also, `Undefined index` probably means that you can't get `$_POST['user_name']` because you don't put that value in your POST payload. – Maximilian Gerhardt Feb 23 '17 at 20:46
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Feb 23 '17 at 20:46
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 23 '17 at 20:47
  • Do `var_dump($_REQUEST);` in your PHP. Also try changing `$_POST` to `$_GET` and see if that works. – Dimi Feb 23 '17 at 20:47
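
The comments above flag the SQL injection and the plain-text password comparison in `login.php`. As an added example (not code from the original post or its commenters), here is one way to write the same check with a bound parameter and `password_verify()`. It assumes PHP 7+, that `conn.php` provides `$conn` as in the question, and that the `password` column has been migrated to hold `password_hash()` output.

```php
<?php
// Added example: hardened login.php. Assumes conn.php defines $conn (mysqli),
// as on the page, and that employee_data.password holds password_hash() output.
require "conn.php";

// Reject anything that is not a POST with both fields present; this also
// avoids the "Undefined index" notices when the request body arrives empty.
$user_name = $_POST['user_name'] ?? null;
$user_pass = $_POST['password'] ?? null;
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !is_string($user_name) || !is_string($user_pass)
    || $user_name === '' || $user_pass === '') {
    http_response_code(400);
    exit("login not success");
}

// Prepared statement: the user name is bound as data, never spliced into SQL.
// "=" replaces LIKE so that % and _ in the input are not treated as wildcards.
$stmt = mysqli_prepare($conn, "SELECT password FROM employee_data WHERE username = ? LIMIT 1");
if ($stmt === false) {
    http_response_code(500);
    exit("login not success");
}
mysqli_stmt_bind_param($stmt, "s", $user_name);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $stored_hash);
$found = mysqli_stmt_fetch($stmt);   // true = row, null = no row, false = error
mysqli_stmt_close($stmt);

// Verify against a dummy hash when the user is unknown so both paths do
// comparable work, and compare the raw password (no escaping or trimming).
$dummy_hash = password_hash("placeholder", PASSWORD_DEFAULT);
$ok = password_verify($user_pass, $found === true ? $stored_hash : $dummy_hash)
      && $found === true;

echo $ok ? "login  success" : "login not success";
```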

0 Answers