Can't login using php

Question

I can't find any problem in my code.. but when I tried to login using the account in my databse, it said that:

undefined index blah blah..

Please help me.. below is my whole php code:

<?php
            $admin_id = $_POST['admin_id'];//It says undefined index: admin_id
            $password = $_POST['password'];//It says undefined index: password

            $found_flag=0;

            $con=@mysql_connect("localhost","root","");

            if(!$con)
            {
                die('There is problem on your connection!'.mysql.error());
            }

            mysql_select_db("dictionary", $con);

            if(!empty($_POST['admin_id'])&&($_POST['password']))
            {
                $result = mysql_query("SELECT admin_id, password FROM admin_acc where admin_id = $admin_id and password = $password");

                while($row = mysql_fetch_array($result)) {
                    $found_flag=$found_flag+1;
                }

                if($found_flag>0)
                {
                    echo '<p class="clearfix">';
                    echo '<input type="submit" name="submit" value="Sign in">';
                    echo  '</p>';
                }

                else    {
                    echo "Sorry,<br>This seemed to be embarrassing but, you might have missing one of the following:"."<br>"."<ul><li>Administrative privilege.</li><li>Correct username.</li><li>Correct password.</li>"."<br><br>";
                    echo '<form action="admin_login.php" style="margin-left:100px;"><input type="submit" value="Back"></form>';
                }
            }
            mysql_close($con);
    ?>

This is form tag

<form class="form-3" action="" method="post">
                <p class="clearfix">
                    <label for="login">Username</label>
                    <input type="text" name="admin_id" id="login" placeholder="Username" required>
                </p>
                <p class="clearfix">
                    <label for="password">Password</label>
                    <input type="password" name="password" id="password" placeholder="Password" required> 
                </p>
                <div style="float: center; align-text: center;">
                </div>      
             </form>

It indicates that there are no form elements with these names being posted. Also, in your sql you will need to use quotes around the variables `'$admin_id'` and `'$password'` — Professor Abronsius, Nov 30 '15 at 08:00
oops.. wait I'll try to add add post ni my form.. tnx anyway — yumi, Nov 30 '15 at 08:00
Use isset and try http://stackoverflow.com/questions/13045279/if-isset-post — saravana, Nov 30 '15 at 08:07
if(!empty($_POST['admin_id'])&&($_POST['password'])) ;;;; Why have you used " $_POST['admin_id']" and "$_POST['password']"? You already have $admin_id and $password — Aniruddha Sinha, Nov 30 '15 at 08:23

Professor Abronsius · Accepted Answer · 2015-11-30T08:39:51.643

The error message you received indicates that the required form elements were not present in the form submission. As you didn't show the form it might be a simple case of them not having the name attribute set ~ form submissions need the name rather than the id! As it stands your code is vulnerable to sql injection - use mysqli ( prepared statements ) or PDO instead - or at least try some filtering to remove unpleasant surprises.

<?php
    if( $_SERVER['REQUEST_METHOD']=='POST' ){

        /* basic checking of POSTed variables - with some filtering */
        $admin_id = isset( $_POST['admin_id'] ) && !empty( $_POST['admin_id'] ) ? filter_input( INPUT_POST, 'admin_id', FILTER_SANITIZE_STRING ) : false;
        $password = isset( $_POST['password'] ) && !empty( $_POST['password'] ) ? filter_input( INPUT_POST, 'password', FILTER_SANITIZE_STRING ) : false;

        /* Only proceed with the sql if there is both admin_id & pwd */
        if( $admin_id && $password ){

            $con=@mysql_connect('localhost','root','') or die('There is problem on your connection!');/* Don't reveal too much information */
            mysql_select_db( 'dictionary', $con ) or die('poor choice for database');

            /* If you insist on using mysql_* then try to prevent sql injection. Escape strings */
            $admin_id=strip_tags( mysql_real_escape_string( $admin_id, $con ) );
            $password=strip_tags( mysql_real_escape_string( $password, $con ) );

            /* set the sql statement - using quotes around values if they are strings */
            $sql="SELECT `admin_id`, `password` FROM `admin_acc` where `admin_id` = '$admin_id' and `password` = '$password';";

            $result = mysql_query($sql,$con);

            /* Alternative to the counter you used before */
            if( mysql_num_rows( $result ) == 1 ){/* Only one can match */

                echo '
                    <p class="clearfix">
                        <input type="submit" name="submit" value="Sign in">
                    </p>';/* This button has no form??? Does this use javascript or something - what does it do?  */


            } else {

                echo "Sorry,
                    <br>This seemed to be embarrassing but, you might have missing one of the following:
                    <br>
                    <ul>
                        <li>Administrative privilege.</li>
                        <li>Correct username.</li>
                        <li>Correct password.</li>
                    </ul>
                    <br><br>
                    <form action='admin_login.php' style='margin-left:100px;'>
                        <input type='submit' value='Back'>
                    </form>";/* This form has no fields????  */
            }
            mysql_close( $con );


        } else {
            /* admin_id &/or password are either missing or empty */
            echo '<h1>Missing meaningful input</h1>';
        }
    } else {
        /* display the form perhaps */
        echo 'COntent seen only when the page is loaded by GET';    
    }
?>

Can't login using php

1 Answers1