I'm creating a site that uses sessions to store login details - I know its a bad security practice but that'll be dealt with later; for now I just need to fix this issue. Page 1 gets the login details from a login form and stores them in a session. Page 2 is meant to display those variables, but I get these errors when trying to access the variables:
Notice: Undefined index: email in /customers/0/4/0/my-domain.com/httpd.www/upload-photo.php on line 10
Notice: Undefined index: password in /customers/0/4/0/my-domain.com/httpd.www/upload-photo.php on line 11
Here is the code - I've left off the unrelated parts:
Page 1
session_start();
var_dump($_SESSION);
ini_set('display_errors',1);
error_reporting(E_ALL);
// Just logged in
if($_POST["email"] != "" || $_POST["password"] != ""){
$email = strtolower($_POST["email"]);
$password = md5($_POST["password"]);
$_SESSION["email"] = $email;
$_SESSION["password"] = $password;
//echo "setting details from http post";
}else{
// Just redirected to this page
$email = $_SESSION["email"];
$password = $_SESSION["password"];
}
And page 2 where I'm getting the errors mentioned above:
session_start();
ini_set('display_errors',1);
error_reporting(E_ALL);
var_dump($_SESSION);
$_SESSION["advert"] = $_GET['id'];
echo $_SESSION["email"];
echo $_SESSION["password"];
I've searched SO and have made sure there are no spaces or whatever before my session_start();
By the way, if it helps my domain company that I'm using is One.com
$_SESSION["email"] and $_SESSION["password"] are set in the if, so in the case it is skipped you get this undefined indexes error (as elements with this indexes were not defined anywhere before).To get rid of this Notice you can use isset() function(also use it to validate $_POST user input). Example :
echo isset($_SESSION["email"]) ? $_SESSION["email"] : 'There is no element with key "email"';
P.S. Validating your POST input :
if(isset($_POST["email"]) && isset($_POST["password"])){}
Change condition to:
if(isset($_POST['email']) && isset($_POST['password'])){
//do login
}
else {
echo " Plese enter email and password";
}
For full:
Login.php
<?php
//here must be totaly clear, nothing can't be here
session_start();
if(isset($_POST['email']) && isset($_POST['password'])){
$_SESSION['email'] = $_POST['email'];
$_SESSION['password'] = $_POST['password'];
}
else {
echo "Please enter email and password";
}
//here must be form to login
Logged.php:
<?php
//here must be totaly clear, nothing can't be here
session_start();
if(!isset($_SESSION['email']) && !isset($_SESSION['password'])){
header("Location: Login.php?err=Please login to use members area");
}
else {
echo "You are logged in as:". $_SESSION['email'];
}
I solved the problem. When I was on one page I was on www.domain.com/page1 but when I was on the other page there was no www - domain.com/page2. This meant that session variables were not persisting. To fox this, I need to edit the htaccess file to redirect to www if there is no www in the URL.
Related
When a user is successfully authenticated, s/he is either redirected to register.php if the user has not yet signed up for training.
If the user has already signed up for training, s/he is redirected to registered.php to view/modify his or her training classes.
So far, this works fine.
Problem is if user attempts to go directly to register.php or registered.php, s/he gets into any of the web pages without logging in first.
This is what I am trying to prevent but I keep getting the following error message:
Notice: Undefined index: loggedin in .... on line 3
Please log in first to see this page
Here is what I am using so far and thanks for your help.
//login.php
$user = trim($_POST['user']);
$pass = trim($_POST['pass']);
// hash to sanitize the input further
$pass = md5($pass);
$tSQL = "SELECT u.empl_first, u.username FROM users u inner join Training t on u.Employee_Id = t.Employee_ID WHERE USERNAME = ?
and PASSWORD = ? ";
$params = array($user, $pass, $params);
$sqll = sqlsrv_query($con, $tSQL);
if ($objResult = sqlsrv_fetch_array($sqll, SQLSRV_FETCH_ASSOC)) {
$firstname = $objResult["empl_first"];
$_SESSION["firstname"] = $objResult["empl_first"];
$_SESSION['loggedin'] = true;
$_SESSION['username'] = $user;
header('location:registered.php');
}
else
header("location:register.php?user='".ms_escape_string($user)."'&pass='".ms_escape_string($pass)."' ");
sqlsrv_close($con);
?>
//register.php
<?php
session_start();
if (!isset($_SESSION['loggedin']) && $_SESSION['loggedin'] != true) {
echo "Please log in first to see this page";
}
There are 2 mistakes:-
In login.php start the session using session_start(); at the top of the script, so that the code that sets variables in $_SESSION will work.
In register.php change the IF statement from
if (!isset($_SESSION['loggedin']) && $_SESSION['loggedin'] != true)
To
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] != true)
then the IF will not test $_SESSION['loggedin'] != true if the variable is found to not exist by the first part of the IF i.e. !isset($_SESSION['loggedin'])
On login.php have session_start(); somewhere on the top.
On each script that you use the session you must have it.
I'm trying to get a user on my web shop to enter a username which will then be displayed on each page. I've started the session here in header.php and set the username variable:
session_start();
$_SESSION['username'] = $username;
$username = ''; //set blank variable to be filled in index
I'm then calling header.php in index.php using:
<?php
include "header.php";
?>
Inside of the logIn div I'm then asking for the username to be entered (no form to submit it yet, haven't gotten that far without running into the problem below). The script should show a message if the user isn't logged in alongside a form to log in, but if they have submitted a username to use then the form should display a welcome message:
<div class="logIn">
<?php
if (!isset($_SESSION['username'])) {
echo 'Welcome, '.$_SESSION['username'];
} else {
echo 'Sorry, You are not logged in.';
}
?>
</div>
I'm currently getting this error:
Notice: Undefined variable: username in /header.php on line 13
but I can't figure out why. I thought I'd declared it as empty, but even when I give it a value the if statement in index.php isn't working as intended.
How can I set up a simple session and accept a username variable (no password) which will then be displayed on index.php?
Your error is simple .
$_SESSION['username'] = $username;
$username = '';
You are trying to use $username before assigning it.
$username = '';
$_SESSION['username'] = $username;
Should be better !
I guess line 13 is this one $_SESSION['username'] = $username; ?
If you are assigning $username to $_SESSION['username'] it must be set somewhere before, I can't see that in your example.
Your code has to look something like this:
//declare $username
$username = "somename";
$_SESSION['username'] = $username;
Or if you set $username in a condition or something else you can try this:
$_SESSION['username'] = ( isset( $username ) ) ? $username : '';
So basically its creating a session using the users email and password. Checking whether it has an email and password entered and if not redirecting them back to the login page. Hence:
<!DOCTYPE html>
<?php
session_start();
include 'connect.php';
if(!isset($_SESSION['email']) || !isset($_SESSION['password']))
{
header("location:loginTemplate.php");
}
else
{
$_SESSION['email'] = $email;
}
?>
So I then want to use the $email variable to essentially welcome the users. Hence:
<h2>Welcome <?php echo $email; ?></h2>
But I am getting an error saying the variable is undefined
if(!isset($_SESSION['email']) && !isset($_SESSION['password']))
{
header("location:loginTemplate.php");
}
else
{
$email = $_SESSION['email'];
}
You have not defined $email anywhere.
Correct the line:
$_SESSION['email'] = $email;
To
$email = $_SESSION['email'];
You need to get email value from Session, and you are trying to assign value to session variable.
Thats it.
Try to change your logic to:
if(!isset($_SESSION['email']) && !isset($_SESSION['password']))
Probably, your session was not set because you wasn't redirected to loginTemplate.php, so with OR option, it will fail to enter the desired condition but will work with && condition.
If anyone can make a better title, please edit it.
The issue I am having is being unable to show the users name in their post. Quick snip of code.
if (isset($_SESSION['username']) )
{
$name = $_SESSION['username'];
}
else
{
$name = $_POST['name'];
}
How can I make it when the user posts it check to see if there is a session and then displays their name in their post.
There's nothing particularly wrong with what you've done here. Does $_SESSION['username'] actually have a value?
Also, make sure when you are working with sessions that you call session_start() before saving or pulling session data.
<?php
session_start();
$_SESSION['username'] = 'Greg';
if (isset($_SESSION['username']) )
{
$name = $_SESSION['username'];
}
Please try the following
session_start();
if (isset($_SESSION['username']) )
{
$name = $_SESSION['username'];
}
else
{
$name = $_POST['name'];
$_SESSION['username'] = $name;
}
Then reload the page, $_SESSION['username'] now should contain the user name
Garrett am i right in thinking your route is create $_SESSION['name'] first and regardless unless they have logged in if so the $_SESSION['name'] becomes $_SESSION['username']
If I am right and you are creating $_SESSION['username'] on login all you need to do is check if $_SESSION['name'] = $_SESSION['username'] and if it does unset it example:
// YOUR LOGIN CODE TO CHECK ASSUME SQL QUERY OF SOME DESCRIPTION AND 'true' IS YOUR RESULT and 'false' NOT A USER
if(true) {
$_SESSION['username'] = $result;
if($_SESSION['name'] && $_SESSION['name'] == $_SESSION['username'] ){
unset($_SESSION['name'])
}
// ACTION TO GO TO PAGE
} else {
// YOUR ERROR ACTION
}
I am trying to log in using this code :
session_start();
require "connect.php";
$username = $_POST['username'];
$password = $_POST['password'];
if($username&&$password)
{
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrow = mysql_num_rows($query);
if($numrow!=0)
{
while($row = mysql_fetch_assoc($query))
{
$db_username = $row['username'];
$db_password = $row['password'];
}
if($username==$db_username&&$password==$db_password)
{
//echo 1;
header("Location: members.php");
$_SESSION['username']=$db_username;
}
else echo 0;
}
else die("That user doesn't exist");
}
else die("Please enter a username and password");
upon successful log in it should take me to members.php :
session_start();
if($_SESSION['username']) <------ this is line 5
{
echo "20730312";
echo " You are logged in as: ".$_SESSION['username'];
echo "<p><a href='logout.php'>Click here to logout</a>";
}
but when i request members.php in my application it gives me :
Notice: Undefined index: username in E:\Program Files\xampp\htdocs\adddrop\members.php on line 5
note that i am using android webview to request members.php after successful log in, is this right ? what am i doing wrong ?
On a side note: you have an SQL injection there. Might want to read more: http://en.wikipedia.org/wiki/SQL_injection
The problem you are facing is that the username is not always POST'd (when you just load the page first time):
$username = isset($_POST['username']) ? $_POST['username'] : null;
$password = isset($_POST['password']) ? $_POST['password'] : null;
That should fix it. Basically, I check if the POST index is set, and only if it is I try to access it, otherwise I set it to null.
Also, you might want to do it like this:
$query = mysql_query("SELECT * FROM users WHERE username='" . mysql_real_escape_string($username) . "'");
That prevents the SQL injection vulnerability.
And also add exit;:
header("Location: members.php");
$_SESSION['username']=$db_username;
exit; // Add this.
Same as always. You're not POSTing to the URL. Verify the URL you're attempting to POST to.
perhaps this:
header("Location: members.php");
$_SESSION['username']=$db_username;
should be changed to (reverse):
$_SESSION['username']=$db_username;
header("Location: members.php");
As it says, you don't have the specified data from POST. Make sure your form action is right and you're filling out the username.
Also, you might want to consider hashing your passwords. From what I can see here you compare plain text passwords (or you're already getting hashed passwords to your script, which would be ok).