
I'm creating a PHP login system. I can't understand where the problem is. I've tried to google it, but my lack of knowledge wouldn't allow me to understand where the problem is. Here's the code & error. Thanks

"Notice: Undefined index: password in D:\xampp\htdocs\demo\last_project\includes\server.php on line 49"

    if(isset($_POST['login'])) {
        $username = mysqli_real_escape_string($db, $_POST['username']);
        $password = mysqli_real_escape_string($db, $_POST['password']);

        // Ensure that form fields are filled properly
        if(empty($username)) {
            array_push($errors, "Username is required!");
        }

        if(empty($password)) {
            array_push($errors, "Password is required!");
        }
        if(count($errors) == 0){
            $password = md5($password); // Encrypt password before comparing this one with the one in database
            $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
            $result = mysqli_query($db, $query);
            if (mysqli_num_rows($result) == 1) {
                $_SESSION['username'] = $username;
                $_SESSION['success'] = "You are now logged in";
                header('location: ../system.php'); // Redirect to main page location
            } else {
                array_push($errors, "Wrong username/password combination");
                header('location: ../php/login.php');
            }
        }
    }

Nigel Ren
HenrikasB
  • It seems that `$_POST['password']` doesn't exist. Did you try to var_dump your $_POST to check posted values? – André DS Mar 16 '18 at 16:10
  • MD5 is considered broken for security purposes and is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Mar 16 '18 at 16:12
  • Don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) driver. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Mar 16 '18 at 16:13
  • [Duplicate Issue](https://stackoverflow.com/questions/4261133/php-notice-undefined-variable-notice-undefined-index-and-notice-undef) – mcv Mar 16 '18 at 16:20
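
The points raised in the comments above (check that `$_POST['password']` is actually present, use `password_hash()`/`password_verify()` instead of MD5, use a prepared statement with bound parameters) combined into one handler, as an added example that is not code from the question or from any commenter. It assumes PDO with an in-memory SQLite database standing in for the page's MySQL `$db`, a `users.password` column that holds `password_hash()` output, and a hypothetical function name `attempt_login`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper. Returns [bool $ok, string[] $errors]; $post stands in for $_POST.
function attempt_login(PDO $db, array $post): array
{
    // ?? null avoids "Undefined index" when a field is absent from the request;
    // is_string() rejects array input such as password[]=x.
    $username = is_string($post['username'] ?? null) ? trim($post['username']) : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';

    $errors = [];
    if ($username === '') { $errors[] = 'Username is required!'; }
    if ($password === '') { $errors[] = 'Password is required!'; }
    if ($errors) { return [false, $errors]; }

    // Bound parameter: the username travels as data and is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no such user exists

    // password_verify() re-derives the hash using the salt and cost stored in $hash.
    if ($hash === false || !password_verify($password, $hash)) {
        return [false, ['Wrong username/password combination']];
    }
    return [true, []];
}

// Constructed demo data: in-memory SQLite replaces the MySQL database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['demo', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed requests, including one where the password field was never posted.
$cases = [
    'missing password field' => ['login' => '1', 'username' => 'demo'],
    'wrong password'         => ['login' => '1', 'username' => 'demo', 'password' => 'nope'],
    'valid credentials'      => ['login' => '1', 'username' => 'demo', 'password' => 'correct horse'],
];
foreach ($cases as $label => $post) {
    [$ok, $errors] = attempt_login($db, $post);
    echo $label, ': ', $ok ? 'logged in' : implode('; ', $errors), PHP_EOL;
}
```

In the question's handler, the `$_SESSION` assignments and the redirect to `../system.php` would run only when the first returned element is `true`.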

0 Answers