Notice: Undefined variable: username in C:\xampp\htdocs\test_class.php
        on line 20
Notice: Undefined variable: password in C:\xampp\htdocs\test_class.php
        on line 20

I get the above error when I use this piece of code to check my username and password against my database.

<?php
    class test_class {

     public function __construct() { 

     }
     public function doLogin() {

      include("connection.php");

      if (isset($_POST['username']))
       {
       $username= $_POST['username'];
       }
       if (isset($_POST['password']))
       {
       $password= $_POST['password'];
       } 

      $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
      $result = mysql_fetch_array(mysql_query($query));
      if(!$result)

      {

      return 'assa';

      }else{

      return 'assa112121212';

      }

       }
     }
?>
+9  A: 

This is just a notice that the variables are being referenced in the query without being in scope.

Define $username and $password at the top of doLogin() and initialize them to null or similar. Then check for them later.

You also seem to be executing the query regardless of $username and $password being set. You should do something more like:

if( isset($_POST['username']) && isset($_POST['password'])){
     //create vars, do query
}else{
     // Nothing to process
}

Both errors occur on line 20, which I assume is the query string interpolation. The issues here are:

  1. inconsistent scope/referencing (which sucks in PHP anyway)
  2. Your ifs need to be a bit more orderly. This error is small, but worse ones will bite you in the bum later if you handle variables like this :)

Also: escape your variables before dumping them like hot coals into your SQL; see PDO (which I would go for) or mysql_escape_string().

Good luck!

Aiden Bell
Adding a salt to that password would be a good thing also.
Mike Curry
@Mike: A salt is used when hashing a password, which isn't mentioned in the question. Good answer though +1
Sam152
Oh, that is pretty cool
Sam152
@Sam152, Thanks :) Also, I now have 1,234 points which is cool.
Aiden Bell
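
The PDO and salting advice from the answer and comments above, combined into one login check. This is an added example, not code from any poster; the in-memory SQLite database, the `password_hash` column and the `makeDemoDb()` helper are assumptions standing in for `connection.php` and the real `users` table.

```php
<?php
// Added example: a constructed in-memory SQLite database stands in for connection.php.
declare(strict_types=1);

function makeDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    // password_hash() generates a random per-user salt and embeds it in the hash string.
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function doLogin(PDO $pdo, array $post): bool
{
    // Reject missing, empty or non-string fields before touching the database
    // (a field sent as username[]=x arrives as an array, not a string).
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false;
    }

    // Named placeholder: the user-supplied value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn(); // false when no row matched

    // Compare against the stored hash instead of matching a plaintext column in SQL.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample requests: form not submitted, a username containing a
// quote character, and a valid login.
$pdo = makeDemoDb();
var_dump(doLogin($pdo, []));
var_dump(doLogin($pdo, ['username' => "alice' -- ", 'password' => 'x']));
var_dump(doLogin($pdo, ['username' => 'alice', 'password' => 'correct horse']));
```

Passing the connection and the request array in as parameters, rather than reading `$_POST` and including `connection.php` inside the method, is a choice made here so the check can be exercised without a web request.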
A: 

You're going to want to use error_reporting(E_ALL ^ E_NOTICE); from the page Sam linked to. Notices are really unnecessary, and are like using WALL and WERROR flags with gcc.

contagious
-Wall and E_NOTICE are very necessary. They warn you when you are being a moron, which can potentially lead to an hour over a hot debugger :) for a bit of extra output, for me, it is worth it.
Aiden Bell
But in this case, E_NOTICE completely stops something from working when really it shouldn't. At least a program with -Wall complaining.
contagious
+8  A: 

This means, most likely, that your form hasn't been submitted. You should make sure that you only use the variables if they exist. Furthermore, you should never ever use the input from users without validating it. Try the following, for example:

if (isset($_POST['username']) && isset($_POST['password']))
{
 $username= $_POST['username'];
 $password= $_POST['password'];
 $query = "SELECT *
                      FROM users
                      WHERE username = '".mysql_real_escape_string($username)."'
                      AND password = '".mysql_real_escape_string($password)."'";
 $result = mysql_fetch_array(mysql_query($query));
 # ...
}
else
{
 return NULL;
}
soulmerge
Just code it for him ;)
Aiden Bell
the -1 wasn't me :S
Aiden Bell
He fixed the problem and brought some extra security issues to his attention. Whoever assassinated this post should be banned for having such a stupid opinion on it.
Sam152
@Sam152, I agree 100%.
Aiden Bell
Thanks for your comments.
+1  A: 
<?php
class test_class {

    public function doLogin() {
        include("connection.php");

        if (isset($_POST['username']) && isset($_POST['password'])) {
            $username = $_POST['username'];
            $password = $_POST['password'];

            $query = "SELECT * ".
                     "FROM users " .
                     "WHERE username = '$username' ".
                     "  AND password = '$password'";
            $result = mysql_fetch_array(mysql_query($query));
            if(!$result) {
               return 'assa';
            } else {
               return 'assa112121212';
            }
        } else {
            echo "Missing parameter 'username' and/or 'password'";
        }
    }
}

Also, you should escape $username and $password to avoid SQL injection attacks.

PatrikAkerstrand
+1  A: 

You are also checking the database whether or not a username and password are supplied.

Perhaps something like this;

public function doLogin() {

 include("connection.php");
 $username = (isset($_POST['username'])) ? $_POST['username'] : NULL ;
 $password = (isset($_POST['password'])) ? $_POST['password'] : NULL ;
  if ( $username !== NULL && $password !== NULL )  {
                 $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
                 $result = mysql_fetch_array(mysql_query($query));
   /* auth code here */

  } else {
  return false; // no u/p provided 
 }

    }

You should also be escaping your inputs before putting them anywhere near your database, either by using mysql_real_escape_string or PDO (PHP Data Objects).

garrow
+3  A: 

One more happy class and bug free :)

<?php
class test_class
{
    private $post = array();
    public function __construct ()
    {
    }
    public function doLogin ()
    {
        $this->post = $_POST;
        include ("connection.php");
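        // !empty() avoids "undefined index" notices when the form was not submitted
        if (! empty($this->post['username']) && ! empty($this->post['password'])) {
            // Escape both values before they are interpolated into the query
            $username = mysql_real_escape_string($this->post['username']);
            $password = mysql_real_escape_string($this->post['password']);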
            $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
            $result = mysql_fetch_array(mysql_query($query));
            if (! $result) {
                return 'assa';
            } else {
                return 'assa112121212';
            }
        }
    }
}
?>
Iman Samizadeh