User registration works fine. After registration, this login page is opened and the message comes up that password, username and hash are undefined variables on my select line and when I echo the hash. When trying to log in, an "Invalid login credentials" error pops up, but also "Password is valid", and the hash is printed as well.

if (isset($_POST['username']) and isset($_POST['password'])){
    // Assigning posted values to variables.
    $username = cleanData($_POST['username']);
    $password = cleanData($_POST['password']);
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $verify = password_verify($password, $hash);
    if(password_verify($password, $hash)) {
        echo 'Password is valid!';
    } else {
        echo 'Invalid password.';
    }
}

// Checking if the values exist in the database or not
$query = "SELECT * FROM `user` WHERE (username='$username') AND (password='$password')";
echo $hash;
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
$count = mysqli_num_rows($result);

// If the posted values are equal to the database values, then session is created for the user.
if ($count == 1){
    $_SESSION["loggedIn"] = true;
    $_SESSION['username'] = $username;
}else{
    // error for not matching credentials
    $fmsg = "Invalid Login Credentials.";

I suspect that I have done something horribly wrong with the placement and requirements of my SELECT statement, but it still does not explain why these variables are coming up as undefined. Perhaps I can move the SELECT statement to replace the "password is valid" message and go from there? CleanData is a function to sanitise input.

Joe S.

2 Answers

So, the issue is you're kind of doing this:

if (username and password are set) {
 username = xxx
 password = xxx
 hash password
 verify password
 display results
}

do sql query based on username and password

So, you've got code outside of your original IF trying to utilize variables that might not have been created.

Your SQL query and all code after that will be called even if you did not pass username and password to the PHP page.

You might be better off doing something like this at the beginning of your script:

if (username and password are not both set in post vars) {
  display error
  exit
}
username = xxx
password = xxx

Then you can be sure that those vars definitely are defined without having to check over and over in the page.

Also, the pseudocode is on purpose. Trying to get my message across in layman's terms :)

R. Smith

With this code, you will always receive the "password is valid" message, because you are verifying the password that the user entered against the hash that you just generated from that same password!

<!-- Incorrect code: This always determines the password is valid! -->
$hash = password_hash($password, PASSWORD_DEFAULT);
if (password_verify($password, $hash)) { 
  echo 'Password is valid!';
}

You are supposed to use password_hash when you are first inserting the password into the database (that way, you aren't storing the actual password, just a hash). Then, when your user logs in with their username, look in the database for a user with that username. If you find a user with that username, then you use password_verify to check that the $password variable matches the hash that was stored in the database with that user.

Check out this answer to a similar question to see a fleshed out example of login code.

Wrokar
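The flow described in the answer above (hash at registration, look the user up by username at login, then verify against the stored hash), as an added example that is not code from the question or from either answer. It assumes PDO with an in-memory SQLite table standing in for the `user` table so it runs offline; `registerUser`, `checkLogin` and the sample credentials are hypothetical, and the lookup uses a bound parameter instead of interpolating input into the SQL string.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration: hash once and store only the hash, never the plaintext.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: select by username only, then compare the submitted password
// against the hash that was stored for that user.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $storedHash = $stmt->fetchColumn();   // false when no row matches

    if ($storedHash === false || !password_verify($password, $storedHash)) {
        return false;                     // same result for unknown user and bad password
    }

    // Re-hash if PASSWORD_DEFAULT now means a different algorithm or cost.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample data, for illustration only.
registerUser($db, 'joe', 'correct horse');
var_dump(checkLogin($db, 'joe', 'correct horse'));     // registered user, right password
var_dump(checkLogin($db, 'joe', 'wrong'));             // registered user, wrong password
var_dump(checkLogin($db, 'nobody', 'correct horse'));  // no such user
```

In the login page itself, set the session variables only when the check returns true, and regenerate the session ID at that point with `session_regenerate_id(true)`.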