1

I am making this simple code for authentication of a user. the page with the form is : >login.php. with the following code.

login.php : 

<html>    
<body>  

<div style="position:absolute;left:300px;top:300px;width:300px;height:100px;z-index:9;>  

<form name="form1" method="POST" action="check.php">  
Username:<br />  
  <input type="text" name="Username" />  
  <br /><br />   
  Password:<br />  
  <input type="password" name="Password" />  
  <br /><br /><br/>  
  <input type=button onClick="location.href='check.php'" value='Continue'       name='continue'/>  
  </form>  
</div>  
</body>  
</html>

the form field values are being used in the next php page with following code:

check.php : 

<?php
session_start();
$con = mysql_connect("localhost", "root", "");
mysql_select_db("aviation", $con) or die(mysql_error());
if (isset($_POST['continue'])) {
    $userName = $_POST[Username];
    $passWord = $_POST[Password];
    mysql_select_db('aviation');
    $query = "select * from users where Username='" . $userName . "'and     Password='" . $passWord . "'";
    $result = mysql_query($query, $con);
    if (!$result) {
        die('Could not enter data: ' . mysql_error());
    }
    $rows = mysql_num_rows($result);
    if ($rows == 1) {
        $_SESSION['Username'];
        $_SESSION['Password'];
        echo "Successful";
        echo "<BR>";
        echo "You are authorized to update the status of Bays.";
        echo "<BR>";
        $Msg = "Redirecting....";
        echo '<script type="text/javascript">  
         alert("' . $Msg . '");  
  </script>';
        header("location:upbstatus.php");
    } elseif ($userName == "" || $passWord == "") {
        $errorMsg = "Data was not entered <br/> Enter Username and Password";
        echo '<script type="text/javascript">  
         alert("' . $errorMsg . '");  
  </script>';
        else {
            $errorMsg = "Data Does Not Match <br/> Re-Enter Username and Password";
            $errorMsg = "Data was not entered <br/> Enter Username and Password";
            echo '<script type="text/javascript">  
         alert("' . $errorMsg . '");  
  </script>';
        }
    } else {
        echo ("  =============== not SET ===============");
    }
?>

It always return : =============== not SET ===============

I am so stuck at why is this happening.Can anybody help please? It'l be appreciated.
Thankyou.

Improve this question
2
  • 2
    Don't store your passwords in plain text. Commented Dec 29, 2012 at 17:36
  • Ma'am, where is the submit button? Commented Dec 29, 2012 at 19:41

4 Answers 4

Reset to default
2

Your onclick (onClick="location.href='check.php'") event handler is requesting check.php before the form can make a POST request. Once the button is clicked it redirects to check.php which sends a GET request to check.php NOT POST.

To fix it you need to change the button to a submit typed input. 

   <input type='submit' value='Continue' name='continue' />

Additional information:

  1. Quote array indices. Like $_POST['Username']
  2. Escape parameters in sql using mysql_real_escape_string. or Use prepared statements.
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Voted down for not using proper double quotes in your answer.
@frustratedtech you can omit quotation in certain cases. This is one of those cases.
1

There are a few issues with the code:

Weird form behaviour

<input type=button onClick="location.href='check.php'" value='Continue'       name='continue'/>

Why are you doing this? This wouldn't send the username and password fields at all, because the browser will redirect before the form is submitted. If you want to submit the form when clicked, use <input type="submit">

<input type="submit" value="Continue" name="continue" />

Quote array indices

$userName = $_POST[Username];  
$passWord = $_POST[Password];

This causes notices to be raised in PHP because the constant Username doesn't exist. Use this instead:

$userName = $_POST['Username'];
$passWord = $_POST['Password'];

I won't get into the scenario where $_POST['Username'] might not be set.

Escape variables in SQL

$query = "select * from users where Username='".$userName."'and     Password='".$passWord."'";

This is dangerous; you should escape the variables properly:

$query = sprintf("select * from users where Username='%s' and Password='%s'",
    mysql_real_escape_string($userName),
    mysql_real_escape_string($passWord)
);

Don't store passwords in plain text

Storing passwords in plain text is just asking for trouble. Use bcrypt to store a hash of the password instead.

See also: Secure hash and salt for PHP passwords

Don't use mysql_xx functions

This feature is deprecated in favour of PDO / mysqli and prepared statements.

Improve this answer

Comments

0

Remove on click in your submit button. While your at your it, fix your quotes.

Improve this answer

Comments

0 
<form name="form1" method="POST" action="check.php">  
Username:<br />  
  <input type="text" name="Username" />  
  <br /><br />   
  Password:<br />  
  <input type="password" name="Password" />  
  <br /><br /><br/>  
  <input type="submit" value="Continue" name="continue"/>  
  </form>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.