How to resolve this issue. If I type localhost/login.php/ I should redirect localhost/login.php. If PHP_SELF is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute. How to solve this issue. Php more secure.
login.php/
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>/">
<script>
alert('hacked')
</script>
<input class="form-control" type="text" name="email" placeholder="E-mail Address" required>
<input class="form-control" type="password" name="password" placeholder="Password" required>
<div class="form-group form-check">
<label class="form-check-label">
<input class="form-check-input" type="checkbox" name="remember">Remember me
</label>
</div>
<div class="form-button">
<button id="submit" type="submit" class="ibtn">Login</button> Forget password?
</div>
</form>
Related
I would like to work on registration process for which with the help of Google and Youtube i have created "Sign-in & Sing-up" page togather with toggle option however unable to run registration.php file once user provide registration info at login.html file. Codes are as follows :
<form id="login" class="input-group">
<input type="text" class="input-field" placeholder="User Id" required>
<input type="password" class="input-field" placeholder="Enter Password" required>
<input type="checkbox" class="check-box"><span>Remember Password</span>
<button type="submit" class="submit-btn">Sign-In</button>
</form>
<form Id="register" class="input-group">
<input type="text" class="input-field" placeholder="User Id" required>
<input type="email" class="input-field" placeholder="Email Id" required>
<input type="password" class="input-field" placeholder="Enter Password" required>
<input type="password" class="input-field" placeholder="Confirm Password" required>
<input type="phone-number" class="input-field" placeholder="Mobile Number" required>
<input type="checkbox" class="check-box"><span>I agree to the terms & conditions</span>
<button type="submit" class="submit-btn">Sign-Up</button>
</form>
How to execute registration.php file when Sign-up button clicked at login.html file? Same goes for login option too.
Make sure to add method="POST" and action="path/function.php" and name="desiredName"in your forms like this:
<form id="login" class="input-group" method="POST" action="file_path/login.php">
<input type="text" class="input-field" placeholder="User Id" name ="user" required>
<input type="password" class="input-field" placeholder="Enter Password" name="password" required>
<input type="checkbox" class="check-box"><span>Remember Password</span>
<button type="submit" class="submit-btn">Sign-In</button>
</form>
And then in PHP to "catch" the data from the post, you'll use something like this:
$this->getpost['user'];
Or
$_POST['user'];
The method attribute specifies how to send form-data (the form-data is sent to the page specified in the action attribute).
The form-data can be sent as URL variables (with method="get") or as HTTP post transaction (with method="post").
check here for more details w3schools
<form id="login" class="input-group" method="POST" action="file_path/login.php">
<input type="text" class="input-field" placeholder="User Id" required>
<input type="password" class="input-field" placeholder="Enter Password" required>
<input type="checkbox" class="check-box"><span>Remember Password</span>
<input type="submit" class="submit-btn" value="Sign-In">
</form>
<form Id="register" class="input-group" method="POST" action="file_path/register.php">
<input type="text" class="input-field" placeholder="User Id" required>
<input type="email" class="input-field" placeholder="Email Id" required>
<input type="password" class="input-field" placeholder="Enter Password" required>
<input type="password" class="input-field" placeholder="Confirm Password" required>
<input type="phone-number" class="input-field" placeholder="Mobile Number" required>
<input type="checkbox" class="check-box"><span>I agree to the terms & conditions</span>
<input type="submit" class="submit-btn" value="Sign-Up">
</form>
EDIT according to your comment
replace button with input type="submit"
and place # before the php variable so you wont get undefined error notice(# is used to avoid error notice)
<div class="header">
<h2>Register here</h2>
</div>
<form method="post" action="register.php">
<?php include('errors.php'); ?>
<div class="input-group">
<label>Username</label>
<input type="text" name="username" value="<?php echo #$username; ?>">
</div>
<div class="input-group">
<label>Email</label>
<input type="email" name="email" value="<?php echo #$email; ?>">
</div>
<div class="input-group">
<label>Password</label>
<input type="password" name="password_1">
</div>
<div class="input-group">
<label>Confirm Password</label>
<input type="password" name="password_2">
</div>
<div class="input-group">
<label>Mobile number</label>
<input type="number" name="mobile" value="<?php echo #$mobile; ?>">
</div>
<div class="input-group">
<input type="submit" class="btn" name="reg_user" value="Sign-Up">
</div>
</form>
create register.php file
and in register.php
<?php
$con = mysqli_connect("localhost", "username", "password", "dbname") or trigger_error("Unable to connect to the database");
if(isset($_POST['reg_user'])){
$name = $_POST['username']; //here "username" is what you defined in the "name" field of input form
//define other variables
//write your own sql query , here is an example
$query = "INSERT INTO table(name) VALUES(?)";
$stmt = mysqli_stmt_init($con);
if(!mysqli_stmt_prepare($stmt,$query)){
echo "Error";
}else{
mysqli_stmt_bind_param($stmt,"s",$name);
mysqli_stmt_execute($stmt);
}
}
?>
This is my first go at trying to create a secure login feature.
Right now I have a mysql database storing a few usernames and passwords.
I also have a bootstrap template for a login page.
Here is some of the html:
<form>
<div class="form-group">
<div class="form-label-group">
<input type="email" id="inputEmail" class="form-control" placeholder="Email address" required="required" autofocus="autofocus">
<label for="inputEmail">Email address</label>
</div>
</div>
<div class="form-group">
<div class="form-label-group">
<input type="password" id="inputPassword" class="form-control" placeholder="Password" required="required">
<label for="inputPassword">Password</label>
</div>
</div>
<a class="btn btn-primary btn-block" href="connect.php" method="post">Login</a>
</form>
I added the method and changed the action for the login button/link.
I would like to be able to click the login link and have the input values sent to an external php program connect.php shown below:
<!DOCTYPE html>
<html lang="en">
<body>
<div>
<?php
$user = $_POST["inputEmail"];
$pass = $_POST["inputPassword"];
echo "<h1>Hello: ".$user." also:".$pass"</h1>";
?>
</div>
</body>
</html>
Once I can get the values to send to the external script, I can then start to check the values against those in my database.
Solutions I have seen are mostly dealing with the form action and not a link. Those that are dealing with a link use get and hard code the values being sent rather than input.
EDIT 1:
I realized my html page was launching outside of my server. I made some changes to my html:
<form method="post">
<div class="form-group">
<div class="form-label-group">
<input type="email" id="inputEmail" name="inputEmail" class="form-control" placeholder="Email address" required="required" autofocus="autofocus">
<label for="inputEmail">Email address</label>
</div>
</div>
<div class="form-group">
<div class="form-label-group">
<input type="password" id="inputPassword" name="inputPassword" class="form-control" placeholder="Password" required="required">
<label for="inputPassword">Password</label>
</div>
</div>
<a class="btn btn-primary btn-block" href="connect.php" method="post" name="submit">Login</a>
</form>
after these changes its telling me my inputs are Unidentified index's
SOLUTION
change submit link to submit button & make sure to run on a server
<form action="connect.php" method="POST">
<div class="form-group">
<div class="form-label-group">
<input type="email" id="inputEmail" name="inputEmail" class="form-control" placeholder="Email address" required="required" autofocus="autofocus">
<label for="inputEmail">Email address</label>
</div>
</div>
<div class="form-group">
<div class="form-label-group">
<input type="password" id="inputPassword" name="inputPassword" class="form-control" placeholder="Password" required="required">
<label for="inputPassword">Password</label>
</div>
</div>
<button class="btn btn-primary btn-block" name="submit" type="submit">Login</button>
</form>
We were doing a project which involved a website and a database. We decided to host it using 000webhost.
So, we have 2 different forms, and both should redirect to different PHPs, but both end up redirecting to the same php.
I have attached the code of the forms here:
<!-- Modal content -->
<div class="modal-content">
<span class="close">×</span>
<form action="csignup.php">
<div class="container">
<label><b>NAME<b></label><br>
<input type="text" placeholder="Enter Fullname" name="fname" required>
<br><label><b>email</b></label><br>
<input type="text" placeholder="Enter email" name="email" required><br>
<br><label><b>USERNAME</b></label><br>
<input type="text" placeholder="Enter username" name="uname" required><br>
<br><label><b>password</b></label><br>
<input type="password" placeholder="Enter password" name="pass" required><br>
<br><label><b>Re-password</b></label><br>
<input type="password" placeholder="Enter password" name="rpass" required><br>
<button type="SUBMIT">SUBMIT</button>
</div>
</form>
</div>
</div>
<!-- Modal content -->
<div class="modal1-content">
<span class="close1">×</span>
<form action="asignup.php">
<div class="container">
<label><b>NAME<b></label><br>
<input type="text" placeholder="Enter Fullname" name="fname" required>
<br><label><b>email</b></label><br>
<input type="text" placeholder="Enter email" name="email" required><br>
<br><label><b>USERNAME</b></label><br>
<input type="text" placeholder="Enter username" name="uname" required><br>
<br><label><b>password</b></label><br>
<input type="password" placeholder="Enter password" name="pass" required><br>
<br><label><b>Re-password</b></label><br>
<input type="password" placeholder="Enter password" name="rpass" required><br>
<button type="SUBMIT">SUBMIT</button>
</div>
</form>
</div>
</div>
We have mainly 2 PHPs for the signup option. "asignup.php" and "csignup.php".
But on clicking submit, on either of the forms, redirects and uses the "asignup.php".
We are not able to redirect to "csignup.php", even though we have specified it as the form action for one of the forms. Please take a look through it, and help us out.
Thanks
I have been trying to figure out why Chrome auto fills the wrong fields. Every tutorial I have seen says to shut off but that is not a good idea since my users would have to turn off their auto-fill and that is just no a solution. Here is the code I am using.
<form class="form" action="login.php" method="post" enctype="multipart/form-data" autocomplete="off">
<div style="margin-top: 60px;margin-bottom: 20px;color: #b30000;" class="alert alert-error"></div>
<center>
<?php echo($_SESSION['loginerror']);?>
<input style="margin-top: -40px;" type="text" placeholder="Email Address" name="email" required />
<br>
<input style="margin-top: 0px;" type="password" placeholder="Password" name="password" required>
<br>
<input type="submit" value="Log-In" name="submit" style="width: 50%;margin-left: 20px;margin-top: 15px;" class="btn btn-block btn-primary" />
<p style="margin-top: 10px;font-size: 12px;">Forgot your password? Click Here</p>
</center>
<br>
Here is a screen shot of how it appears to the user. It is my street address.
You can use type="email" to give the browser a hint.
<input type="email" name="email">
<input type="password" name="password">
Add autofill attribute to input, will solve this issue
<input ..... autocomplete="off">
P.N: As i know Firefox will not respond to this
check browser compatibility
You can change it to the following
<input ... type="text" name="email" required>
<input ... type="password" name="password" autocomplete="new-password">
or
<input ... type="email" name="email" required>
<input ... type="password" name="password" autocomplete="new-password">
I already set the token in the form:
<form action="{{ route('user.store') }}" method="post">
<input type="hidden" name="_token" value="{!! csrf_token() !!}">
<legend>Agregar nuevo usuario.</legend>
<div class="form-group">
<label>Código empresa</label>
<input type="number" class="form-control input-sm" name="enterprise" id="enterprise">
</div>
<div class="form-group">
<label>Nombre</label>
<input type="text" class="form-control input-sm" name="name" id="name">
</div>
<div class="form-group">
<label>Email</label>
<input type="email" class="form-control input-sm" name="email" id="email">
</div>
<div class="form-group">
<label>Usuario</label>
<input type="text" class="form-control input-sm" name="username" id="username">
</div>
<div class="form-group">
<label>Password</label>
<input type="password" class="form-control input-sm" name="password" id="password">
</div>
<div class="form-group">
<label class="checkbox-inline">
<input type="checkbox" name="create_content" id="create_content"> Crea contenido
</label>
<label class="checkbox-inline">
<input type="checkbox" name="active" id="active"> Activo
</label>
</div>
<button type="submit" class="btn btn-sm btn-primary" id="btn_Crear">Create</button>
</form>
Occasionally I'm receiving the TokenmismathException, and I'm not able to post anymore, If I comment out the line //'App\Http\Middleware\VerifyCsrfToken', in the Kernel.php file and try to post, it works, And if I uncomment the same line again 'App\Http\Middleware\VerifyCsrfToken',, now I don't receive the TokenmismatchException, until it stops working.
I'm not using ajax
Does anyone know why this is happening.
We had the exact same problem and never found a good solution. We did find a workaround although.
In your .env file, set the Session storage to Redis (yap, you have to install Redis on your server than). This worked for us, never encountered the same problem again.
Note, this works for us, but it of course is not a solution, merely a work-around until someone found the right solution.