if(isset($_POST["email"]))
{
    $email = mysql_real_escape_string($_POST["email"]); /* Line 10 */
    $password = mysql_real_escape_string($_POST["password"]);

    // email is selected too, so that $row['email'] below is actually defined
    $result = mysql_query("SELECT password, id, email FROM users WHERE email = '$email'");

    if (!$result)
    {
        die('Invalid query: ' . mysql_error());
    }

    $row = mysql_fetch_assoc($result); // false when no user matches the email

    if($row && $row['password'] == $password)
    {
        ini_set("session.cookie_lifetime","360000");
        session_start();
        $_SESSION['valid_user'] = $row['id'];
        $_SESSION['email'] = $row['email'];
        mysql_close($link); // $link: the connection opened earlier (not shown here)
        header('Location: index.php');
        exit; // stop here so nothing else runs after the redirect
    }

    mysql_close($link);
}

I'm not making any posts but it says that $email is not defined at line 10. Why? I use EasyPHP.

Notice: Undefined index: email in C:\Program Files\EasyPHP-5.3.5.0\www\v0.3\model\login.php on line 10

ilhan
    Is the code snippet you posted located on lines 9 and 10 of the file login.php? Or is it somewhere else? – Mark Eirich Mar 08 '11 at 01:13
  • @deceze, sorry, code updated. – ilhan Mar 08 '11 at 01:28
    Are you sure this is copy-pasted 100% correctly? There are no weird unicode characters or other invisibles in there? If everything is typed correctly this should not happen... – deceze Mar 08 '11 at 01:30
    Hey ilhan, you should read this article about storing passwords safely: http://codahale.com/how-to-safely-store-a-password/ – davidtbernal Mar 19 '11 at 20:38

3 Answers


The most reliable method for checking if a POST was done is via

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // ... you're in a post ...
}

Checking for a particular form field is risky - you might rename/delete the field and forget to update the form. But checking for that $_SERVER value is 100% reliable - it's always available, regardless of what method the script was invoked via.

Marc B

It says that because the $_POST array is empty (of course, you are not posting) and you are trying to access the email index of that array if(isset($_POST["email"])), which doesn't exist.

You could fix this by doing:

if (isset($_POST['email'])) {
    $email = mysql_real_escape_string($_POST["email"]);
}

Note that this is only a notice, and it won't affect your application, so I would suggest you don't worry too much about it and you will have cleaner code. This is a personal opinion; check out why you should not here: How to avoid isset() and empty()

UPDATE

Added isset function to prevent notice. Thanks to deceze.

amosrivera
  • This ain't Javascript, *this* will certainly throw a notice if `email` isn't set. `isset` is the correct thing to use! And you **must** worry about notices. -1 – deceze Mar 08 '11 at 01:14
  • the notices won't affect my application but the visitor has to scroll down several pages – ilhan Mar 08 '11 at 01:17
  • @deceze I worry about getting my answer right, not about other users' answers; regarding the notices, I have several years ignoring them, never had a problem but I guess that is just a personal opinion – amosrivera Mar 08 '11 at 01:19
  • @ilhan if you show notices and errors in production code that is considered a security breach, you should only show errors during development – amosrivera Mar 08 '11 at 01:20
  • Please see [Why should I fix E_NOTICE errors?](http://stackoverflow.com/questions/5073642/why-should-i-fix-e-notice-errors) and [isset() and empty() make code ugly](http://stackoverflow.com/questions/1960509/isset-and-empty-make-code-ugly/). – deceze Mar 08 '11 at 01:22
  • that was quite an answer, i will read more on this (added the link my post here). – amosrivera Mar 08 '11 at 01:29
  • Thank you deceze, error_reporting = E_ALL & ~E_NOTICE in php.ini solved my problem. – ilhan Mar 08 '11 at 01:47
  • @ilhan Noooooooo~! You're taking my advise completely backwards! ( > < ;)// – deceze Mar 08 '11 at 02:04

array() == false, so why not:

if($_POST)
{
    // stuff
}

Some people won't like this, but I say if you're using a dynamic language, you might as well take advantage of it.

davidtbernal
    [Click here to see an answer](http://stackoverflow.com/questions/409351/post-vs-serverrequest-method-post#answer-409417) that helps clarify the exact difference in function between `if($_SERVER['REQUEST_METHOD'] == 'POST') {...}` and `if($_POST){...}` – plaidcorp Mar 29 '16 at 02:44
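The three checks discussed on this page (the question's isset($_POST["email"]), Marc B's $_SERVER['REQUEST_METHOD'] test, and the if($_POST) shortcut) behave differently for the same request. The following is an added example, not code from the question or any of the answers; it feeds constructed $_SERVER and $_POST arrays into a helper so the differences can be seen from the CLI without a web server.

```php
<?php
// Added example (not from this thread): how the three POST checks disagree.
// $server and $post stand in for the real $_SERVER and $_POST superglobals.
function detect_post(array $server, array $post): array
{
    return [
        // Marc B: depends only on the HTTP method, never on which fields the form has.
        'request_method' => (($server['REQUEST_METHOD'] ?? '') === 'POST'),
        // The question: true only when this particular field was submitted.
        'isset_email'    => isset($post['email']),
        // davidtbernal: an empty array is falsy, so a POST with no body reads as "not a POST".
        'post_truthy'    => (bool) $post,
    ];
}

// Reads a field without ever triggering "Undefined index"; null means "not submitted".
function post_field(array $post, string $name): ?string
{
    return isset($post[$name]) ? (string) $post[$name] : null;
}

// Constructed sample requests (not real traffic).
$cases = [
    'plain GET'               => [['REQUEST_METHOD' => 'GET'],  []],
    'POST with email field'   => [['REQUEST_METHOD' => 'POST'], ['email' => 'a@example.com', 'password' => 'x']],
    'POST with renamed field' => [['REQUEST_METHOD' => 'POST'], ['user_email' => 'a@example.com']],
    'POST with empty body'    => [['REQUEST_METHOD' => 'POST'], []],
];

foreach ($cases as $label => [$server, $post]) {
    $r = detect_post($server, $post);
    printf("%-24s method=%-5s isset(email)=%-5s if(\$_POST)=%-5s email=%s\n",
        $label,
        var_export($r['request_method'], true),
        var_export($r['isset_email'], true),
        var_export($r['post_truthy'], true),
        post_field($post, 'email') ?? '(absent)'
    );
}
```

The "renamed field" and "empty body" rows are the two cases where isset() and if($_POST) diverge from the request-method check, which is the point plaidcorp's linked answer makes.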