php error when using get request

Question

I am trying to select and insert into a database with PDO. When I pass my parameters in the url it works perfectly. But when there is nothing in the url, i get 2 errors.

Notice: Undefined index: username in C:\wamp64\www\MT\magiclogin.php on line 19

Notice: Undefined index: password in C:\wamp64\www\MT\magiclogin.php on line 20

Post works perfectly but i want to send it through the url and remove the html. But every time i reload the page i get the error. Here is my code

<?php

if($_SERVER['REQUEST_METHOD'] =="GET"){

    try{

        // new php data object 
        $handler = new PDO('mysql:host=127.0.0.1;dbname=magicsever', 'root', '');
        //ATTR_ERRMODE set to exception
        $handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    }catch(PDOException $e){
        die("There was an error connecting to the database");   

    }



    $username = trim($_GET['username']); 
    $password = trim($_GET['password']);

    $stmt = $handler->prepare("SELECT * FROM generalusersdata WHERE username = ?");

    $stmt->execute(array($username));

    if($row = $stmt->fetch()){

        $hashedPassword = md5(md5($row['user_id']).$_GET['password']);

        if($hashedPassword == $row['password']){

            $token = md5(uniqid(mt_rand(), true));
            $stmtTokenCheck = $handler->prepare("SELECT * FROM token_table WHERE token = ?");

            $stmtTokenCheck->execute(array($token));

            if($rowToken = $stmtTokenCheck->fetch()){

                $token = md5(uniqid(mt_rand(), true));
            }   

            $time = time();
            $stmt = $handler->prepare("INSERT INTO token_table (timestamp, user_id, token)VALUES(?, ?, ?)");
            $stmt->execute(array($time, $row['user_id'], $token));

            echo json_encode([

                "timestamp" => $time,
                "token" => $token,
                "fullname" => $row['fullname'],
                "username" => $row['username'],
                "email" => $row['email']
            ]);

        }else{

            die("Password or Username entered is incorrect!");
        }

    }else{

            die("Password or Username entered is incorrect!");
        }





}




?>

Ryan Tuosto · Accepted Answer · 2017-06-15T21:06:32.753

3

If there is no username or password arguments in the url query (The portion of the url that comes after ?) then your $_GET array will be empty.

You should check that these arguments are not empty before trying to do logic with them:

if (!empty($_GET['username']) && !empty($_GET['password')) {
  // trim and db stuff here
}

Also must note that it is not secure to send a password through the url query. Further, md5 is not sufficient for encrypting passwords. Look into PHP's password_hash function.

edited Jun 15 '17 at 21:06

answered Jun 15 '17 at 20:44

Ryan Tuosto

1,941
15
23

I tried that but i got other errors. And is it better to use post instead for the password? – Jagr Jun 15 '17 at 20:48
Yes it's better to use POST otherwise the user's password will be visible for all to see in the URL. – Ryan Tuosto Jun 15 '17 at 20:51
Will this make it easier for someone to hack and take the information. And do you think my form is good and will be less likely to get sql injected? – Jagr Jun 15 '17 at 20:55
Yes using prepared statements is good for avoiding sql injection. Your form doesn't have any obvious risk of being hacked, but the issue is if your user data is exposed somehow, the passwords can be easily decrypted because you are not using a strong one way encryption. – Ryan Tuosto Jun 15 '17 at 20:58
Wow you are amazing thank you for answering my questions and more :D – Jagr Jun 15 '17 at 21:01
if(!empty($_GET['username']) && !empty($_GET['password'])){ edit the code because you're missing some stuff :D – Jagr Jun 15 '17 at 21:06

score 1 · Answer 2 · answered Jun 15 '17 at 20:43

1

What if you try this in your first line:

if(isset($_GET['username']) && isset($_GET['password'])) {

...

instead of if($_SERVER['REQUEST_METHOD'] =="GET"){

answered Jun 15 '17 at 20:43

Saulo M

173
2
7

OH THAT WORKED! So your checking if data was entered ? – Jagr Jun 15 '17 at 20:50
Yep! It checks if these variables exist and are passed via GET. Glad I could help! In any case, I think you should be using POST for security... – Saulo M Jun 15 '17 at 20:54
I dont think isset is quite correct here since you can set username and password to empty strings which pass the isset check but unless you are doing further validation it isn't sufficient. – Ryan Tuosto Jun 15 '17 at 20:54

php error when using get request

2 Answers2