-4

I want to connect login.php and index_user.php, but there are 3 mistakes. I don't understand what's wrong.

Tried to search for a fix on YouTube:

```html
<div class="modal" id="mymodal" role="dialog">
<div class="modal-dialog modal-sm">
  <div class="modal-content">
    <div class="modal-header">
         <h4 class="modal-title">Login</h4>
      <button type="button" class="close" data-dismiss="modal">&times;</button>
     
    </div>
    <div class="modal-body">
      <form action="login.php">
          <div class="form-group" method="POST">
            <input type="text" name="username" placeholder="Username" class="form-control">
        </div>
        <div class="form-group">
            <input type="password" name="password" placeholder="Password" class="form-control">
            <button type="submit" name="submit" value="submit" >submit</button>
        </div>
      </form>
    </div>
    <div class="modal-footer">
      <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
  </div>
</div>
```

The result is:

Notice: Undefined index: username in D:\laragon\www\mbl1\web_mbl1\login.php on line 2

Notice: Undefined index: password in D:\laragon\www\mbl1\web_mbl1\login.php on line 3

Fatal error: Uncaught Error: Call to undefined function mysql_real_escape_string() in D:\laragon\www\mbl1\web_mbl1\login.php:7 Stack trace: #0 {main} thrown in D:\laragon\www\mbl1\web_mbl1\login.php on line 7

Here is login.php:

```php
<?php
$username=$_POST['username'];
$password=$_POST['password'];

$username=stripcslashes($username);
$password=stripcslashes($password);
$username=mysql_real_escape_string($username);
$password=mysql_real_escape_string($password);

mysql_connect("localhost","root","root");
mysql_select_db("mobile1");

$result = mysql_query("SELECT *from register where username ='$username' and password ='password'") 
    or die ("FAILED".mysql_error());
    $row = mysql_fetch_array($result);
    if ($row['username']==$username&&$row['password']==$password){
        echo "login success ,welcome" .$row['username'];
    }else {
            echo "failed to login";
    }
?>
```
Andreas S
  • 2
    Don't link your code to another site, please post it here – catcon Aug 06 '19 at 06:25
  • the `method="POST"` should belong to the form, not the div, i.e: `
    `
    – catcon Aug 06 '19 at 06:27
  • 1
    You have a typo in your query. password="$password". and please read [https://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php](https://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) – Sfili_81 Aug 06 '19 at 06:28
  • use method='POST' or use $_REQUEST['username'] instead of $_POST['username'] –  Aug 06 '19 at 06:36
  • 1
    Possible duplicate of ["Notice: Undefined variable", "Notice: Undefined index", and "Notice: Undefined offset" using PHP](https://stackoverflow.com/questions/4261133/notice-undefined-variable-notice-undefined-index-and-notice-undefined) – Dharman Aug 06 '19 at 07:38
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Aug 09 '19 at 17:55

2 Answers

3

There are several problems in your code.

  1. You put the method="POST" attribute in the wrong place and your HTML looks invalid. Your modal should look like this:

```html
<div class="modal" id="mymodal" role="dialog">
    <div class="modal-dialog modal-sm">
        <div class="modal-content">
            <div class="modal-header">
                <h4 class="modal-title">Login</h4>
                <button type="button" class="close" data-dismiss="modal">&times;</button>
            </div>
            <div class="modal-body">
                <form action="login.php" method="post">
                    <div class="form-group">
                        <input type="text" name="username" placeholder="Username" class="form-control">
                    </div>
                    <div class="form-group">
                        <input type="password" name="password" placeholder="Password" class="form-control">
                        <button type="submit" name="submit" value="submit" >submit</button>
                    </div>
                </form>
            </div>
            <div class="modal-footer">
                <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
            </div>
        </div>
    </div>
</div>
```
  2. mysql is deprecated. Instead, use PDO (PHP Data Objects) or mysqli. And I highly recommend using prepared statements. Your login.php will look like this:

```php
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = stripcslashes($_POST['username']);
    $password = stripcslashes($_POST['password']);

    $db = new mysqli('localhost', '<username>', '<password>', '<database_name>');

    $username = $db->real_escape_string($username);
    $password = $db->real_escape_string($password);

    $stmt = $db->prepare('SELECT * FROM register WHERE username = ? AND password = ?');

    if ($stmt && $stmt->bind_param('ss', $username, $password) && $stmt->execute() && $row = $stmt->get_result()->fetch_assoc()) {
        echo ($row['username'] == $username && $row['password'] == $password) ? "Login success, welcome {$row['username']}" : "Failed to login.";
    } else {
        // No matching row, or the statement could not be prepared/executed
        echo "Failed to login.";
    }

    // prepare() returns false on failure, so only close a real statement
    if ($stmt) {
        $stmt->close();
    }
}
```
N'Bayramberdiyev
  • Why do you use `real_escape_string`? – Dharman Aug 09 '19 at 17:53
  • I did some modification based on the code in question. Actually, no need to use `real_escape_string` as long as I use prepared statements. – N'Bayramberdiyev Aug 09 '19 at 19:58
  • There is probably also no need to use `stripcslashes` and you should use `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` instead of having this long and complex `if` statement. – Dharman Aug 09 '19 at 19:59
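
A `login.php` that applies the points raised in the comments on this page (bound parameters with no escaping on top, `mysqli_report()` in place of the chained `if`, `password_verify()` against a stored hash), as an added example that is not code from the question or from either answer. It assumes the `password` column of `register` holds `password_hash()` output and keeps the `<username>`/`<password>`/`<database_name>` placeholders; `check_login()` is a name introduced here.

```php
<?php
// Added example. Assumes register.password stores password_hash() output.
declare(strict_types=1);

// Throw mysqli_sql_exception on any database error instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// check_login() is a name introduced for this example.
// Returns the stored username on success, null otherwise.
function check_login(mysqli $db, string $username, string $password): ?string
{
    // The bound parameter never becomes part of the SQL text, so no escaping is applied.
    $stmt = $db->prepare('SELECT username, password FROM register WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Unknown user, or a row without a usable hash.
    if (!is_array($row) || !is_string($row['password'])) {
        return null;
    }
    // Compares the submitted password with the stored hash.
    return password_verify($password, $row['password']) ? $row['username'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Absent or non-string fields become '' (no "Undefined index" notice).
    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    // Placeholders as in the answer above.
    $db = new mysqli('localhost', '<username>', '<password>', '<database_name>');
    $db->set_charset('utf8mb4');

    $user = check_login($db, $username, $password);
    if ($user !== null) {
        session_start();
        session_regenerate_id(true); // fresh session ID once authenticated
        $_SESSION['username'] = $user;
        echo 'Login success, welcome ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    } else {
        // Same message for unknown user and wrong password.
        echo 'Failed to login.';
    }
}
```

Registration has to write `password_hash($password, PASSWORD_DEFAULT)` into that column for this check to succeed.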
-1

1. Put POST method in the form action

`<form action="login.php" method="POST">` instead of `<form action="login.php">`

2. Use mysqli or PDO because mysql is deprecated (I will show you mysqli)

```php
<?php

// missing fields become '' instead of raising "Undefined index"
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

//connect to your database mysqli
$con = mysqli_connect("localhost","root","root","mobile1");

//check username and pass from register; bound parameters keep the input out of the SQL text
$stmt = mysqli_prepare($con, "select * from register where username = ? and password = ?");
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
$user = mysqli_stmt_get_result($stmt);

//count the result
$num_rows = mysqli_num_rows($user);

//if >0 then save your data to session and go to your next php
if($num_rows>0){
    session_start();
    while($row = mysqli_fetch_assoc($user)){
        //save session here
    }
    //go to your target
    header("location:admin/index.php");
    exit;
}
else {
    //if failed: header() cannot be sent after output, so redirect from the script itself
    $message = "Username / Pass Wrong";
    echo "<script type='text/javascript'>window.alert('$message'); window.location.href='default.php';</script>";
}
?>
```
catcon
  • Thanks for your answer! I tested it; even with the right username & password, it goes to (failed) default.php – Andreas S Aug 06 '19 at 16:10