-1

Let's say my code looks like this:

if (isset($_POST["reset"])){
   //selects email and phoneNo from database based on values entered in form
   $_SESSION['email'] = $_POST['email'];
}else if (isset($_POST["submit"])) {
    //line 68 -- $rePas = "UPDATE user SET 'password' = '" .password_hash($_POST['password'], PASSWORD_DEFAULT) . "' WHERE email = '$_SESSION[email]'";
}

I have session_start(); at the beginning of the page, outside any if's etc. I enter the page to see a form that asks me to input email and phone number, then I click Reset button, if the sql code returns something the form is changed to another form that asks me to input password. Once I do that I press Submitbutton and I get $_POST['submit'] I get Notice: Undefined index: email in ... on line 68

I can't understand why the session variable is set to null after pressing submit button, is there anyway to pass a variable through two forms, if that makes sense? I have looked through stackoverflow similar question yet I couldnt find a working solution.

Looks like this piece of code and explanation is not enough therefore here is the link to full file code: https://pastebin.com/fDEBCakp

hDDen
  • 145
  • 1
  • 2
  • 13
  • 1
    check that you actually receive $_POST['email'], the field may not be submitted or its name could be spelled different. – Juan May 10 '18 at 12:42
  • 1
    is `$_SESSION['email']` set before the if statement / anywhere else? because if not.. then why would you expect it to hold a value in the else if statement? – treyBake May 10 '18 at 12:42
  • @ThisGuyHasTwoThumbs `$_SESSION['email']` i set in the first if statement. Then I am trying to use it in the second one. – hDDen May 10 '18 at 12:43
  • @Juan I did, everything is fine – hDDen May 10 '18 at 12:44
  • 3
    Except your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API's – RiggsFolly May 10 '18 at 12:51
  • @hDDen there's your problem, either define it outside the conditional statement or define it in both condition statements – treyBake May 10 '18 at 13:00
  • @ThisGuyHasTwoThumbs alright so I added `$_SESSION['email'] = ' ';` at the top of the page. Yet the value from the first if does not stay inside the session. I can't assign `$_POST` to `$_SESSION['email']` at the top of the page since `$_POST` doesn't exist yet. – hDDen May 10 '18 at 13:03
  • 1
    Dump the `$_POST` and `$_SESSION` data to the screen and show us what you see. When in doubt, print it out. – mickmackusa May 10 '18 at 13:04
  • @hDDen did you do that before or after `session_start()`? – treyBake May 10 '18 at 13:05
  • @mickmackusa I always use print to debug $_POST shows the value assigned to it and so does session in the FIRST if statement. Then in the second one its empty.. – hDDen May 10 '18 at 13:07
  • I added full code in pastebin, maybe this will be easier now. – hDDen May 10 '18 at 13:11
  • Your `for` is not using `=` and that value is bound the `id` attribute of your target element. https://www.w3schools.com/tags/tag_label.asp – mickmackusa May 10 '18 at 22:37
  • I think it only makes sense to commit unsafe user-input (`$_POST['email']`) to `$_SESSION['email']` ONLY after it has been confirmed to exist in the database. Currently, you are blindly accepting the submitted data -- not good. – mickmackusa May 10 '18 at 22:46
  • Why are you INNER JOINing anyhow? Please show us some sample data (check points) as you run through your seemingly convoluted process so that we can isolate the earliest point of failure. And, or course, show us that you will be using prepared statements with placeholders and parameter binding -- like a good programmer. – mickmackusa May 10 '18 at 22:47

1 Answers1

0
<?php
if ( isset( $_POST['submit'] ) ) {
    $emailid = $_POST['email'];
    echo "email - ". $emailid;
}
?>
<form class="form-horizontal" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input type="email" name="email" class="form-control" placeholder="Email"> 
<button type="submit" name="submit" class="btn btn-primary">submit</button>
</form>
Mani Nagarajan
  • 52
  • 5
  • 5
    It's always a good idea to explain your code, rather than just dump it. This serves as a fairly poor answer. – Adam May 10 '18 at 13:13
  • This doesn't really make any sense to me since in my submit form I have only password input. Email is in the first form. – hDDen May 10 '18 at 13:22
  • actually it just post for one field alone, so it works fine. so you can add fields as you need – Mani Nagarajan May 10 '18 at 13:26