-2

I spent some minutes but I can't figure out this simple error. Here's is my index.php

<?php
session_start();
//error_reporting(0);
require_once('conn.php');
unset($_SESSION['userid']);
unset($_SESSION['username']);
?>
<html>
<head><title>Log-In Page</title></head>
<body>
<form action="login.php" method="post">
Username: <input type="text" name="username" /><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" value="Log In"/>
</form>
<?php
            if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) {
            foreach($_SESSION['ERRMSG_ARR'] as $msg) {
                echo '<font color="#FF0000">',$msg,'</font>'; 
                }
            unset($_SESSION['ERRMSG_ARR']);
            }
        ?>
<br/>
<p>Not Yet Registered?Click <a href="regform.php">here</a>.</p>
</body>
</html>

I tried commenting the said line but the page went blank. Here is my login.php:

<?php
//error_reporting(0);//hide php error
session_start();

$con = mysql_connect("localhost","root","");//host connection
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("dblogin", $con);//select dbname

//Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

//variables
$userid= clean($_POST['userid']);
$username=clean(strtolower($_POST['username']));//transform username input into lower keys
$password= clean($_POST['password']);
date_default_timezone_set('Asia/Kuala_Lumpur');//time may varies
$datenow= date("Y/m/d H:i:s");//returns current date and time

$query=mysql_query("select *from itinerary_person where username='$username'");
$row=mysql_num_rows($query);//count row


//check if user exist   
if ($row == 1){
    $user = mysql_fetch_assoc($query);//fetch the related result from the query
    require('blowfish.class.php');
    $bcrypt = new Bcrypt(4);
    if ($bcrypt->verify($_POST['password'], $user['password'])) {
        session_regenerate_id();
        $_SESSION['userid']= $user['userid'];
        $_SESSION['username']= $user['username'];
        session_write_close();
        $filename=$_SESSION['username'];
        $myFile = "logs/$filename.txt";
        $fh = fopen($myFile, 'a') or die("can't open file");//save user's log in time and date
        $stringData ="\r\n". $username .' logged in at '. $datenow;//new line
        fwrite($fh, $stringData);
        fclose($fh);
        header("location:welcome.php");//redirect page if successful
    }
}

else{
    //redirect to index page if user not exist
    //Login failed
        $errmsg_arr[] = 'Invalid input';
        $errflag = true;
        if($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            session_write_close();
            header("location:index.php");
            exit();
            }
}

?>

I think it has something to do with the session variables but I can't debug it. I know that this error occur also if the name value is not present on the form. But in this case, I have no idea.

Sachi Tekina
  • 1,800
  • 5
  • 28
  • 50
  • 2
    `$_POST['userid']` does not exist (login.php:23, just like your error says). Probably because you're not posting that value. Look at your network tab what values you're actually posting or output `print_r($_POST)`. – h2ooooooo Jan 14 '15 at 14:25
  • You don't have any input on your form by the name of `userid`. – silentw Jan 14 '15 at 14:29
  • You must validate your form before accepting values. i.e. 1. Validate all fields that you are using in $_POST is same as you have defined in the form 2. Validate for them not being blank by using following code `if(isset($_POST['userid'])) { //your code here }` 3. Always check the form method is $_POST Hope this helps – Aadil Keshwani Jan 14 '15 at 14:36

1 Answers1

0

Remove the following line from your code since it doesn't make sense:

$userid = clean($_POST['userid']);

Add the following line to your code:

session_regenerate_id();
$_SESSION['userid']= $user['userid'];
$userid = clean($_SESSION['userid']); /* THIS LINE */
$_SESSION['username']= $user['username'];
session_write_close();
silentw
  • 4,835
  • 4
  • 25
  • 45
  • I tried that. It doesn't return an error but it doesn't redirect to `welcome.php` page. – Sachi Tekina Jan 14 '15 at 14:35
  • Are you sure that your code passes the bcrypt verification if statement? Probably that's your issue, and my solution works. Add a else and write something to the screen to see if it reaches the if statement. – silentw Jan 14 '15 at 14:47
  • 1
    Ok thanks, I found out that it doesn't get the password or it doesn't match. – Sachi Tekina Jan 14 '15 at 15:01