-2

LOGINPAGE.html: This is where the user will input their username and password. PHP method is POST.

```html
<html>
<head>
<title>
LOG IN
</title>
<style>
body {
text-align: center;
}

</style>

</head>

<body>

<form action = "loginDatabase.php" method = "POST">

<label>User name:</label>
<input type="text" id="userNameID" name="userNameName" required>
<br />

<label>Password:</label>
<input type="password" id="passwordID" name="passwordName" required>
<br />

<input type="submit" id="submitLoginID" name="submitLoginName">
</form>


</body>
</html>
```

LOGINDATABASE.php: This is the processing part where the MySQL query will reference the record to be displayed on ADMINPAGE.php based on the username given on LOGINPAGE.php. I cannot figure out what went wrong in line 7 since I always get an error: `Notice: Undefined index: userNameName in /opt/lampp/htdocs/UsersDatabaseProgram/loginDatabase.php on line 7`



```php
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include('connect.php');

session_start();

$result = mysqli_query($con, "SELECT * FROM addUsers WHERE userName = '" . $_GET['userNameName'] . "'");
if ($_SERVER ["REQUEST_METHOD"] == "POST") {


    $userName = $_POST['userNameName'];
    $password = $_POST['passwordName'];
    /*
    This doesn't work
    $email = $row['email'];
    $userlevel = $row['userLevel'];
    */
    $sql = "SELECT * FROM addUsers WHERE userName = '".$userName."' AND password = '".$password."'";

    $result = mysqli_query($con, $sql);
    $row = mysqli_fetch_array($result);
    $count = mysqli_num_rows($result);

    if ($row["userLevel"] == "user") {
        $_SESSION["userName"] = $userName;
        header('location: userPage.php');

    } elseif ($row["userLevel"] == "admin") {

        $_SESSION["userName"] = $userName;
        header('location: adminPage.php');

    } else {
        echo "<h1> Login failed. Invalid username or password.</h1>";

    }
}

?>
```

ADMINPAGE.php: This is where the name of the user, user level, and user status will be displayed.


```php
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include('connect.php');
include('loginDatabase.php');




?>

<html>
<head>
<style>
body {
text-align: center;
}

</style>

</head>

<body>
<h2>Admin</h2>
<a href = "logOut.php">Log-out</a> <br />
<a href = "viewRecords.php">View records</a> <br />
<a href = "addUsers.html">Add Record</a> <br />

<label>Welcome</label><br />
<?php echo $_SESSION["userName"] ?>
<br />

<label>User level: </label>
<?php


while ($row = mysqli_fetch_array($result)) {
?>
<input type = "text" name = "userLevelName" value = " <?php echo $row['userLevel']; ?>"> <br />
<label>Email: </label>
<input type = "text" name = "userEmailName" value = " <?php echo $row['email']; ?>">
<?php

}


?>
<br />

</body>
</html>
```

Lan
  • 5
  • 3
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Jul 10 '22 at 22:35
  • 1
    **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Jul 10 '22 at 22:35

1 Answer

-1

You're sending the data as a POST then trying to access it as GET (then retrieving it again on line 11!!).

Change it to something like this:-

```php
if ($_SERVER ["REQUEST_METHOD"] == "POST") {
    $userName = $_POST['userNameName'];
    $password = $_POST['passwordName'];
}
$result = mysqli_query($con, "SELECT * FROM addUsers WHERE userName = '$userName'");
```
deep64blue
  • 268
  • 4
  • 16
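
The two comments on the question ask for prepared statements and `password_hash()`/`password_verify()`. As an added example (not code from the question or the answer), here is a version of loginDatabase.php that reads the POST fields, binds the user name as a parameter, and verifies a stored hash. It assumes `connect.php` defines `$con` as in the question and that the `password` column holds `password_hash()` output, which is an assumption: the question's query compares clear-text passwords.

```php
<?php
// Added example: hardened loginDatabase.php.
// Assumptions: connect.php sets $con (mysqli); addUsers.password stores
// password_hash() output (not the clear-text column the question queries).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include('connect.php');

session_start();

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // Read from $_POST to match method="POST" on the form; '' if a field is absent.
    $userName = $_POST['userNameName'] ?? '';
    $password = $_POST['passwordName'] ?? '';

    // The ? placeholder keeps user input out of the SQL text.
    $stmt = mysqli_prepare($con, "SELECT userName, password, userLevel FROM addUsers WHERE userName = ?");
    mysqli_stmt_bind_param($stmt, "s", $userName);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

    // Same response for an unknown user and a wrong password.
    if (!$row || !password_verify($password, $row['password'])) {
        echo "<h1> Login failed. Invalid username or password.</h1>";
        exit;
    }

    // Issue a new session ID after authentication to block session fixation.
    session_regenerate_id(true);
    $_SESSION["userName"] = $row['userName'];
    $_SESSION["userLevel"] = $row['userLevel'];

    // Only known user levels map to a landing page.
    $pages = ['user' => 'userPage.php', 'admin' => 'adminPage.php'];
    if (isset($pages[$row['userLevel']])) {
        header('Location: ' . $pages[$row['userLevel']]);
        exit;
    }
    echo "<h1> Login failed. Invalid username or password.</h1>";
}
```

With the level kept in the session, adminPage.php can call `session_start()` and read `$_SESSION` instead of including loginDatabase.php, and should pass any value it echoes into HTML through `htmlspecialchars()`.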