-2

While executing my code, I am getting an error like

Notice: Undefined index: username.

My query is not executing.

my code is as below:

include "connection.php";
mysqli_select_db($conn,"login");
$un=$_POST["username"];
$ps=$_POST["password"];

    $result=mysqli_query($conn,"SELECT username FROM login where username=$un" );   
    //$row = mysqli_fetch_array($result);

    if(!$result)
    {
        echo "error";
    }else{
        while($row=mysqli_fetch_array($result)){
            if($row["username"]==$un && $row["password"]==$ps){
                echo "success";
            }else{
                echo "invalid";
            }
        }
    }

?>
Cœur
  • 1
    Please show us a code for a form. And read http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index – u_mulder Jan 25 '16 at 07:49
  • Use php isset when defining $un and $ps to get rid of the error. But this code will check the db if you are reaching this page from the form where you will enter username and password. The error says you are executing it without data coming from a form. Also your code is vulnerable to SQL injection. At last, if you are a newbie, use PDO and prepared statements instead of mysqli api – Lelio Faieta Jan 25 '16 at 07:50
  • As you are just `a beginner` - try learning now to use `prepared statements` rather than embedding variables directly in the sql – Professor Abronsius Jan 25 '16 at 07:52
  • Why are you using a loop to loop through username and password as for a login you just need to match one row for username and one for password so the while loop is not needed – Adam Hull Jan 25 '16 at 07:57
  • Username : Password :
    – user3881054 Jan 25 '16 at 07:57
  • Also you are not checking if the session is set; you should have an if (isset($un) && isset($ps)) and then continue with script execution – Adam Hull Jan 25 '16 at 07:59
  • Sorry, I am not able to understand, can you give me an example? Or show me by editing my code and correcting the mistakes I'm making – user3881054 Jan 25 '16 at 08:03

3 Answers

1
include "connection.php";
mysqli_select_db($conn,"login");

if(isset($_POST["username"]) && isset($_POST["password"])){
    $un=$_POST["username"];
    $ps=$_POST["password"];
    // Rough version: the username is still concatenated into the SQL text
    $result=mysqli_query($conn,"SELECT username, password FROM login where username='".$un."'");
    if(!$result){
        echo "error";
    }else{
        // Fetch only after the query is known to have succeeded
        $row = mysqli_fetch_array($result);
        // $row is null when no user matches
        if($row && $row["username"]==$un && $row["password"]==$ps){
            echo "success";
        }else{
            echo "invalid";
        }
    }
}else{
    echo "You forgot to enter a username or password";
}

This is a very rough idea of what I mean; there are other issues, like it is vulnerable to SQL injections and plain text passwords

Adam Hull
  • You don't get rid of OP error with your code. You need to use `if(isset($_POST['username'])){$un=$_POST['username'];}else{echo "You didn't provide a username";}` – Lelio Faieta Jan 25 '16 at 08:34
0

To begin with, how did you execute the script? If you tried executing the script directly by pointing your browser to something like http://localhost:8080/login.php where localhost:8080 is assumed to be your server and login.php is assumed to be your login script, then you have made a few mistakes.

To begin with, direct executions like the one mentioned above take place as GET requests. Whenever the client (browser) requests the server for a resource, it always issues a GET request. In that case, you can try something like http://localhost:8080/login.php?username=root&password=root

Then, in your script, as you are using GET, use $_GET global array. Something like

<?php
    var_dump($_GET['username']);
    var_dump($_GET['password']);
?>

Should show root as username and password.

As you can see, this is a very insecure idea. Your username and password are available in the wild. To reduce this, enter POST.

POST has more capacity (it can transfer more data) than GET. Also, the data transferred by POST is hidden (not available as query strings) as in the case of GET.

Before going further, create a simple login form like

<form method="POST">
    <input type="text" name="username">
    <input type="password" name="password">
</form>

and save it as login.php. Now, you might have noticed that I have not mentioned the action attribute. This is because by default the action attribute refers to the same page - which is exactly what we want.

Now, add the following to login.php

<?php
    var_dump($_POST['username']);
    var_dump($_POST['password']);
?>

You might have noticed that the name attribute used for input elements in the form matches exactly with the keys used to access the $_POST global array. This is no coincidence. This is because the values sent via POST request to the server are allocated in the $_POST global array based on the name given to them using the name attribute.

Also, the method attribute of the form element had to be specified as POST because, as already mentioned, the browser uses GET to send requests to the server by default.

aliasm2k
0

My suggestion is that you replace the line

$result=mysqli_query($conn,"SELECT username, password FROM login where username=$un" );

with

$result=mysqli_query($conn,"SELECT username, password FROM login where username='".$un."'" );

I.e., you don't want the 3 characters "$ u n" in your query text, but you want the contents of the variable $un as the text in your query.
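
An added example, not part of the original thread or any poster's code: one way to write the login check with the `isset` test, the prepared statement and the hashed passwords that the comments and the first answer call for, in place of quoting `$un` into the query string. It assumes PDO with the pdo_sqlite driver and an in-memory table standing in for the `login` table; `check_login` and the sample rows are constructed for illustration.

```php
<?php
// Added example: hardened version of the login check discussed on this page.
// Assumptions: PDO with the pdo_sqlite driver, an in-memory table standing in
// for the page's `login` table, and passwords stored as password_hash() output.

function check_login(PDO $db, array $post): string
{
    // Missing keys are what trigger "Undefined index"; test before reading.
    if (!isset($post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])) {
        return 'missing';
    }

    // The placeholder keeps the username out of the SQL text entirely,
    // so quotes in the input cannot change the statement.
    $stmt = $db->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->execute([$post['username']]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // Compare against a stored hash, never a plain-text password.
    if (is_string($hash) && password_verify($post['password'], $hash)) {
        return 'success';
    }
    return 'invalid';
}

// Constructed sample data (not from the page).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
$ins->execute(["o'neil", password_hash('correct horse', PASSWORD_DEFAULT)]);

$cases = [
    'no form data'      => [],
    'valid credentials' => ['username' => "o'neil", 'password' => 'correct horse'],
    'wrong password'    => ['username' => "o'neil", 'password' => 'guess'],
    'unknown user'      => ['username' => 'nobody', 'password' => 'x'],
];
foreach ($cases as $label => $post) {
    echo $label, ': ', check_login($db, $post), PHP_EOL;
}
```

In a web page the second argument would be `$_POST`; the username containing an apostrophe is there to show that input which would break a concatenated query is handled as plain data by the bound parameter.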