-3
<?php      
    include('connection.php');  
    $username = $_POST['user'];  
    $password = $_POST['pass'];  
  
    //to prevent from mysqli injection  
    $username = stripcslashes($username);  
    $password = stripcslashes($password);  
    $username = mysqli_real_escape_string($con, $username);  
    $password = mysqli_real_escape_string($con, $password);  
  
    $sql = "select *from login where username = '$username' and password = '$password'";  
    $result = mysqli_query($con, $sql);  
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);  
    $count = mysqli_num_rows($result);  
      
    if($count == 1){  
        echo "<h1><center> Login successful </center></h1>";  
    }  
    else{  
        echo "<h1> Login failed. Invalid username or password.</h1>";  
    }     
?>

I have to do a website that works like Google Forms, for school. The thing is that in the signup form I get this error and I don't understand why. I'm pretty new to the whole PHP stuff and I didn't find much about this error.

Error message

The HTML file

     <html>
<head>
    <title>PHP Signup system</title>
    <link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
    <div id="frm">
        <h1>Signup</h1>
        <form name="f1" action="registration.php" onsubmit="return validation()" method="POST">
            <p>
                <label> UserName: </label>
                <input type="text" id="user" name="Username" />
            </p>
            <p>
                <label> Password: </label>
                <input type="password" id="pass" name="Password" />
            </p>
            <p>
                <label> Password: </label>
                <input type="password" id="passc" name="Confirm Password" />
            </p>
            <p>
                <label> Email: </label>
                <input type="text" id="email" name="Email" />
            </p>
            <p>
                <input type="submit" id="btn" value="Submit" />
            </p>
        </form>
    </div>
    <script>
        function validation() {
            var id = document.f1.user.value;
            var ps = document.f1.pass.value;
            var psc = document.f1.passc.value;
            var em = document.f1.email.value;
            if (id.length == "" && ps.length == "") {
                alert("User Name and Password fields are empty");
                return false;
            } else {
                if (id.length == "") {
                    alert("User Name is empty");
                    return false;
                }
                if (ps.length == "") {
                    alert("Password field is empty");
                    return false;
                }
                if (em.length == "") {
                    alert("Email field is empty");
                    return false;
                }
                if (ps != psc) {
                    alert("Passwords do not match");
                    return false;
                }
            }
        }
    </script>
</body>

</html>

It is pretty simple, and it doesn't have to look good, just to work.

EDIT: I got it, the problem was in fact that I misused the post method and names, and that after that I forgot to make the connection with the database. Credits to the guy in the comments.

  • Are you posting the form to the same page that contains the HTML form? – Professor Abronsius Apr 26 '21 at 07:08
  • no, it's a separate PHP file – Halil Simionca Apr 26 '21 at 07:17
  • Despite the use of `stripcslashes` and `mysqli_real_escape_string` you still have the potential for SQL injection attacks to succeed. Whenever dealing with user supplied data where there is database interaction you should use `prepared statements` - either `mysqli` or `PDO` – Professor Abronsius Apr 26 '21 at 07:17
  • Can you add the HTML form? – Professor Abronsius Apr 26 '21 at 07:18
  • OK - the problem becomes apparent now the HTML is here. The `ID` never gets sent in a POST/GET request - it is the `name` that is used so rather than `$_POST['user']` it should be `$_POST['Username']` etc – Professor Abronsius Apr 26 '21 at 07:27
  • Also, `email!==Email` ~ case is important! – Professor Abronsius Apr 26 '21 at 07:29
  • so in the PHP file, I have to replace user with username etc? – Halil Simionca Apr 26 '21 at 07:32
  • It is the name of the HTML form field that appears in the POST array so, Yes, replace `user` with `Username` and so on for all fields – Professor Abronsius Apr 26 '21 at 07:35
  • never mind, the only problem now is with row and count for some reason, it gives these errors: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in C:\xampp\htdocs\test\nou\registration.php on line 17 Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in C:\xampp\htdocs\test\nou\registration.php on line 18 – Halil Simionca Apr 26 '21 at 07:54
  • You have more serious matters than that particular error. Use `prepared statements` and never store plain text passwords - use `password_hash` to create a secure hash of the password and then `password_verify` to validate the hash when the user logs in – Professor Abronsius Apr 26 '21 at 08:44
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Apr 26 '21 at 13:54
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Apr 26 '21 at 13:54

1 Answer

0

Your post value is not set.

$_POST['foo'] // <== if not set or falsy, returns an undefined index warning

You must check if $_POST is populated before proceeding to execute your backend logic. Place the following at the top of your script and replace foo with your input's name.

if(!isset($_POST['foo']) || !$_POST['foo']){
    // $_POST is not set. Notify user then exit!
    echo 'Field "foo" is required!';
    exit;
}

Or if your submit functions are in the same file as your form, try this:

if(isset($_POST['foo']) && $_POST['foo']){
    // place your backend logic here to ensure that the required field(s) are filled
}
jpneey
  • alright, i did that but I still don t understand, now I just get an error from that saying that in fact, the field is required – Halil Simionca Apr 26 '21 at 07:19
  • How are you trying to pass your form input's value? That error means that the $_POST value is not being passed – jpneey Apr 26 '21 at 07:33
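
The points raised in the comments on the question (prepared statements, `password_hash`/`password_verify`, `$_POST` keyed by the form's `name` attributes) and the required-field check from the answer, combined in one added example that is not code from the asker, the answerer or any commenter. Assumptions: an in-memory SQLite database through PDO stands in for `connection.php`, the `email` column and the `UNIQUE` constraint are invented, and the login keys `Username`/`Password` are assumed because the login form is not shown.

```php
<?php
// Added example, not the asker's code. In-memory SQLite through PDO stands in for
// connection.php (assumption). Table name and username/password columns follow the
// page; the email column and UNIQUE constraint are assumed.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE login (username TEXT UNIQUE, password TEXT, email TEXT)');
// $_POST keys are the inputs' name attributes, never their ids. PHP replaces the
// space in name="Confirm Password" with an underscore when it fills $_POST.
const REQUIRED = ['Username', 'Password', 'Confirm_Password', 'Email'];

function register(PDO $pdo, array $post): string
{
    foreach (REQUIRED as $field) { // missing, empty and array-valued fields all fail
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return "Field \"$field\" is required!";
        }
    }
    if ($post['Password'] !== $post['Confirm_Password']) {
        return 'Passwords do not match';
    }
    if (filter_var($post['Email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid email address';
    }
    // Placeholders keep input out of the SQL text; only a password hash is stored.
    $stmt = $pdo->prepare('INSERT INTO login (username, password, email) VALUES (?, ?, ?)');
    try {
        $stmt->execute([$post['Username'], password_hash($post['Password'], PASSWORD_DEFAULT), $post['Email']]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') { throw $e; } // not a UNIQUE violation
        return 'Username already taken';
    }
    return 'Signup successful';
}

function login(PDO $pdo, array $post): bool
{
    if (!is_string($post['Username'] ?? null) || !is_string($post['Password'] ?? null)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->execute([$post['Username']]);
    $hash = $stmt->fetchColumn(); // false when no such user
    return is_string($hash) && password_verify($post['Password'], $hash);
}
// Constructed submissions; in registration.php the argument would be $_POST.
$form = ['Username' => "o'neil", 'Password' => 'pw-1234', 'Confirm_Password' => 'pw-1234', 'Email' => 'o@example.com'];
echo register($pdo, $form), "\n";
echo register($pdo, ['user' => 'x', 'pass' => 'y']), "\n"; // ids as keys, as in the question
var_dump(login($pdo, ['Username' => "o'neil", 'Password' => 'pw-1234']));
```

With exceptions enabled on the connection, a failed query raises an error at the point of failure rather than returning `false` to the fetch and row-count calls that follow.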