1

First, the project that I am working on: Creating a website where users can login and record the number of volunteer hours they have done.

I looked at a similar question here: PHP login error "Undefined Variable"

I tried the solution that was in the post above but it did not work for me. The undefined variable only occurs when the wrong username/password is entered, but works perfectly fine when the right username and password are entered. I am not sure as to why this is happening but I would like some help finding the solution. Here is the code to the pages that I am having trouble with. Thanks.

The login html form:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>Simple login form</title>
    <link rel="stylesheet" href="css/reset.css">
    <link rel="stylesheet" href="css/style.css"/>
  </head>

  <body>
    <div class="container">
      <div class="login">
        <h1 class="login-heading">
        <strong>Welcome.</strong> Please login.</h1>
        <form method="post" action="login.php">
          <input type="text" name="uname" placeholder="Username" required="required" class="input-txt" />
          <input type="password" name="pword" placeholder="Password" required="required" class="input-txt" />
          <div class="login-footer">
            <a href="forgot.html" class="lnk">
            <span class="icon icon--min">ಠ╭╮ಠ</span>
            <span class="register">I've forgotten something</span></a>
            <input name="submit" value="Login" type="submit" class="btn btn--right"><br>
            <a href="register.html" class="lnk">
            <span class="register">Not a member? Click here to register!</span></a>
          </div>
        </form>
      </div>
    </div>
    <script src="js/index.js"></script>
  </body>
</html>

The PHP form that processes the info from the form:

<?php

include("encrypt_decrypt.php");

$username="root";
$password="";
$server="localhost";
$db_name="userauthentication";

$uname="";
$pword="";
$error_msg="";

if(isset($_POST["submit"])){

    $db_handle = mysqli_connect($server, $username, $password);
    $db_found = mysqli_select_db($db_handle, $db_name);

    $uname = $_POST["uname"];
    $uname = htmlspecialchars($uname);
    $uname = mysqli_real_escape_string($db_handle, $uname);

    $pword = $_POST["pword"];
    $pword = htmlspecialchars($pword);
    $pword = mysqli_real_escape_string($db_handle, $pword);
    $pword = encrypt_decrypt("encrypt", $pword);

    if($db_found){
        if($uname == "admin"){
            $SQL = "SELECT * FROM  WHERE username = '$uname' AND pword = '$pword'";
            $result = mysqli_query($db_handle, $SQL);

            $num_rows = mysqli_num_rows($result);

            if($num_rows > 0){
                session_start();
                $_SESSION['login'] = "2";
                header("Location: adminpage.html");
            }else{
                print("error");
            }
        }else if($uname != "admin"){
            $SQL = "SELECT * FROM login WHERE username = '$uname' AND password = '$pword'";
            $result = mysqli_query($db_handle, $SQL);

            $num_rows = mysqli_num_rows($result);

            if($num_rows > 0){
                session_start();
                $_SESSION['login'] = "1";
                header("Location: mainpage.html");
            }else{
                $uname = '';
                $pword = '';
                print("error");
            }
        }
    }
}
?>

And last but not least, the encrypt_decrypt function that I am using for password security. This is the actual page where I am getting the undefined variable problem on lines 6 & 7.

<?php
function encrypt_decrypt($action, $string) {
    $output = false;

    $encrypt_method = "AES-256-CBC";
    **$secret_key = $pword;**
    **$secret_iv = $pword;**

    // hash
    $key = hash('sha256', $secret_key);

    // iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
    $iv = substr(hash('sha256', $secret_iv), 0, 16);

    if( $action == 'encrypt' ) {
        $output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv);
        $output = base64_encode($output);
    }
    else if( $action == 'decrypt' ){
        $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
    }

    return $output;
}
?>

This is a picture after I entered in the right username but wrong password

  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 29 '16 at 20:39
  • The error message must have shown *what* is undefined. – Rajdeep Paul Jan 29 '16 at 20:39
  • Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Jan 29 '16 at 20:40
  • Are these `**$secret_key = $pword;**` and `**$secret_iv = $pword;**` on the 6th and 7th lines? – Rajdeep Paul Jan 29 '16 at 20:41
  • Yes, that is correct, Rajdeep. – nitish mallavarapu Jan 29 '16 at 20:41
  • Don't you think this is *incorrect*? Remove `*` from these two lines, and if they're not required, comment them out. – Rajdeep Paul Jan 29 '16 at 20:43
  • Hi Jay, the reason why I am not using the password_hash() function is because it is a one-way hash. I needed a two-way hash because I also created a retrieve credentials page that sends an email to the user with their info. – nitish mallavarapu Jan 29 '16 at 20:46
  • Hi Rajdeep, sorry for the confusion. The reason why I starred them was because those are the two lines that are giving me undefined variable issues, but in the real code I will remove them. – nitish mallavarapu Jan 29 '16 at 20:48
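Putting the two suggestions from the comments together (password_hash()/password_verify() instead of a reversible encrypt_decrypt(), and MySQLi prepared statements instead of string-built SQL), here is an added login handler written for this question; it is not the asker's code or either answer. It assumes PHP 7.1+ with the mysqlnd driver (for get_result()), the `login` table with `username` and `password` columns from the question, the same database credentials, and that `password` holds a password_hash() result rather than the encrypt_decrypt() output.

```php
<?php
// Added example, not the asker's code. Assumes PHP 7.1+, mysqlnd, and a `login` table
// whose `password` column stores password_hash() output.

function db_connect(): mysqli {
    // Throw on connection/query failure instead of continuing with a bad handle.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli("localhost", "root", "", "userauthentication");
}

// Registration side: store a salted one-way hash, never the password itself or a
// reversible encryption of it. A "forgot password" page then sends a reset link,
// not the stored secret.
function register_user(mysqli $db, string $uname, string $pword): void {
    $hash = password_hash($pword, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO login (username, password) VALUES (?, ?)");
    $stmt->bind_param("ss", $uname, $hash);
    $stmt->execute();
}

// Login side: look the row up by username only and let password_verify() do the
// comparison. The raw POST values are bound as parameters, so no escaping or
// htmlspecialchars() on input is needed (escaping belongs at output time).
// Returns the value to store in $_SESSION['login'], or null when login fails.
function check_login(mysqli $db, string $uname, string $pword): ?string {
    $stmt = $db->prepare("SELECT password FROM login WHERE username = ? LIMIT 1");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($pword, $row["password"])) {
        return null; // unknown user and wrong password give the same answer
    }
    return $uname === "admin" ? "2" : "1";
}

if (isset($_POST["submit"])) {
    $db   = db_connect();
    $role = check_login($db, $_POST["uname"] ?? "", $_POST["pword"] ?? "");
    if ($role === null) {
        print("error");
        exit;
    }
    session_start();
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION["login"] = $role;
    header("Location: " . ($role === "2" ? "adminpage.html" : "mainpage.html"));
    exit;                          // stop here; nothing after a redirect should run
}
```

Because password_verify() reads the salt from the stored hash, the same password produces a different hash on each registration but still verifies, which is what the comparison-in-SQL approach in the question cannot do.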

2 Answers

0

You pass in a variable named $pword but it is called $string within the function. Update the code as below.

$secret_key = $string;
$secret_iv = $string;
benni_mac_b
  • That fixed the undefined variable problem but now I am getting an error even when I enter in the right credentials xD – nitish mallavarapu Jan 29 '16 at 20:54
  • Cool, I suggest you open another question if you have a different issue now, otherwise it can become a little confusing for those coming to the question late. – benni_mac_b Jan 29 '16 at 20:55
  • I realized that I was submitting a new hash every time and checking the new hash against the old hash for comparison. This is why I am getting an error message even when the right credentials are entered! But your solution helped me get rid of the undefined variable problem, so thanks :) – nitish mallavarapu Jan 29 '16 at 21:32
0

The error always occurs. But in the case of a successful login you are doing a header redirect, either to adminpage.html or to mainpage.html. That is why you don't see the errors when using the right username/password combination. The error is the result of using the unknown variable $pword in encrypt_decrypt(). Replace it with $string, or use a global statement to import $pword into the scope of encrypt_decrypt().

Izzet Beltir