-2

I'm still new and trying to learn php. I have a form and everytime I run it I get an error displaying that the variable were not set when they should be. I'm definately missing something. Kindly explain what why is the variable $_POST['login_button'] not set the first time i run the page?

Code can be found below:

<?php

require 'connect.inc.php';

    if (isset($_POST['login_button']) && isset($_POST['username']) && isset($_POST['password'])){

        $login_button = $_POST['login_button'];             
        $username = $_POST['username']          ;
        $password = $_POST['password'];         
        $password_hash = md5($_POST['password']);           

            if(!empty($username)&&!empty($password)){                   
            $sql = "SELECT `id` FROM `golden_acres_username` WHERE `uname`='$username' AND '".$password_hash."'";               
                if($sql_run = mysql_query($sql)){           
                    $query_num_rows = mysql_num_rows($sql_run);
                }       
                    if($query_num_rows==0){     
                        echo'User name and password are incorrect';     
                        }               
                    else if($query_num_rows==1)
                        {
                        echo 'Username and password are correct';
                        }
                    }   

            else                                                
            {                       
            echo 'Please fill in user name and password';                       
            }   
    }       
    else
    {                           
    echo'Fields are not set';                           
    }                           
?>                                      
<form class="home_logon_area" action="test.php" method="POST">
    Username: 
    <input type="text" name="username" />
    Password:
    <input type="password" type="password" name="password"/>
    <input type="submit" name="login_button">
</form>

Thanks in advance,

Joseph

joebegborg07
  • 709
  • 3
  • 8
  • 25
  • If the form is not submitted, it echos correctly, that you should fill in someting. At least the code is like this. Put an `if (!isset($_POST['login_button'])) { ...` at the right lines. But I fear you can't. – djot Sep 27 '13 at 22:16
  • On the first time I run the code I get the message saying 'Fields are not set (last line of my php code), however I would like to remove this and have the variables set in the first place. – joebegborg07 Sep 27 '13 at 22:17
  • **By building SQL statements with outside variables, you are leaving yourself wide open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started, and [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. – Andy Lester Sep 27 '13 at 22:21
  • Also, if you were using parametrized queries, you would not have the problem you're having now where you're not comparing the value of `$password_hash` to anything. – Andy Lester Sep 27 '13 at 22:23
  • @AndyLester Not sure about that last bit. You can just as easily write `AND :hash` as `AND '$hash'`, with pretty much identical results. – IMSoP Sep 27 '13 at 22:29
  • You can, but he hasn't, and that would have been obvious if he was parametrizing queries. He's got it as `$sql = "SELECT id FROM golden_acres_username WHERE uname='$username' AND '".$password_hash."'";` and is not comparing the password hash to anything. – Andy Lester Sep 27 '13 at 22:37
  • @AndyLester Why would that be any more obvious with parameterized queries? Whether it's `"AND '".$password_hash."'"` or `"AND '$password_hash'"` or `"AND :password_hash"`, you either spot the SQL error or you don't. – IMSoP Sep 27 '13 at 22:41
  • In OP's version, and in all three of yours, `$password_hash` is not getting compared to anything. – Andy Lester Sep 28 '13 at 14:10

4 Answers4

2

$_POST contains the result of submitting a form. If no form has been submitted yet, it will not contain anything.

Your script is working just fine; remove echo 'Fields are not set';, or use that line for code that should only run when the form hasn't been submitted yet.

IMSoP
  • 65,743
  • 7
  • 83
  • 127
1

The $_POST variable is set by the server to capture the data content sent by the browser as part of the form POST action. When the page is initially loaded, the browser has only executed/requested a GET call for the content of the page without sending the POST request.

Hope that helps!

sparq
  • 41
  • 2
1

This is simple to understand ;-)

  • First time the phpscript is executed to get the Form

    So there will be no information at all (the visitor is new and have not seen the form before)

  • Then the User fills the form and press Submit button

    The form is linked to the same side so the same phpscript gets executed again

  • Now you have the Formular values transmitted and you can acess them over $_POST

For more information look at php.net

pknoe3lh
  • 362
  • 3
  • 10
0

Remove last else from your code and update the form with this one

<form class="home_logon_area" action="test.php" method="POST">
    Username: 
    <input type="text" name="username" required />
    Password:
    <input type="password" type="password" name="password" required/>
    <input type="submit" name="login_button">
</form>
Mubin
  • 3,597
  • 4
  • 28
  • 49