I'm having problems creating a login script that lets me access a members area

hi,

I'm having problems creating a login script that lets me access a members area. I have created the registration script; that works and connects to the db. It's the login side that I'm having trouble with. Here are the files:

index.php http://pastebin.com/WUyTnvJQ

connectivity.php http://pastebin.com/j3PaSj1W


Your login form has “connectivity.php” as its action, yet the form processing is in the form itself.

OK, I've removed this: http://pastebin.com/UUj1iVY2. What do I do now?

I get these errors too:

Notice: Undefined index: name in /home/xxxxxxxxxx.xxx/www/index.php on line 32

Notice: Undefined index: pass in /homexxxxxxxxxxxxx.xxx/www/index.php on line 33

Notice: Undefined index: sublogin in /xxxxxxxxxxxx.xxx/www/index.php on line 34

Notice: Undefined index: pass in /xxxxxxxxxxxx.xxx/www/index.php on line 37

SQLSTATE[42S02]: Base table or view not found: 1146 Table ‘xxxxxxxxxxxxxx.name’ doesn’t exist

Also, now the login button doesn't work at all…

There are a lot of security vulnerabilities in your login script. If you are using PDO, you should be using prepared statements wherever you have a WHERE clause or any user input. Using prepared statements doesn't "magically" protect you from SQL injection, but it will lessen the vulnerabilities.

Database connections should always be at the top of the page. Including session_start().

These errors are telling you that the $_POST or $_REQUEST variables aren’t assigned. You should also use $_POST instead of $_REQUEST because you are getting information that is from a form. Using $_REQUEST will lead to security vulnerabilities because it contains both $_POST and $_GET values and they might not come from the same origin.

Next, you need to rename `xxxxxxxxxxxxxx` to your actual database.


Now, looking at your index file, I see there are a lot of security problems. You're using MD5 for the password; MD5 isn't a password algorithm and isn't intended to be one. You should use PHP's default password_hash.

When looking to see if the account exists, don't compare both email and password together. You should check whether the email exists. If it exists, then pull up the password hash for the selected email. From there, use the password_verify function to check if the user-submitted password is the same as the one that you just pulled. This should all be done through a different set of files, since redirecting to the same file multiple times could cause an infinite loop.


Then there are more. Don't use if(isset($_POST['submit'])), if(isset($_POST['btn'])), if(isset($_POST)), etc. All of these are amateur hacks from tutorials from the 90s. The proper way to check if the form was submitted is by using if($_SERVER['REQUEST_METHOD'] == 'POST'). And don't let anyone else tell you otherwise. People who support if(isset($_POST['submit'])), if(isset($_POST['btn'])), if(isset($_POST)), etc. are the people who want to keep legacy code alive.


Simple doesn’t always mean secure and not hackable.

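For reference, here is the login flow the reply above describes put together in one page. This is an added example, not the poster's pastebin code: it assumes a `users` table with `id`, `email` and `password_hash` columns (the hash stored with `password_hash()` at registration), placeholder database credentials, and a `members.php` page to redirect to on success.

```php
<?php
// Added example: login handler following the advice in the reply above.
// Assumed schema: users(id, email, password_hash); DB name/credentials are placeholders.
session_start();                                   // session and DB connection at the top
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DATABASE;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,         // real server-side prepared statements
]);

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {       // was the form submitted? (not isset($_POST['submit']))
    $email = trim($_POST['email'] ?? '');          // read from $_POST only, never $_REQUEST
    $pass  = $_POST['pass'] ?? '';                 // ?? avoids the "Undefined index" notices

    // 1. Look the account up by email only; the user input is a bound parameter.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // 2. Verify the submitted password against the stored hash (no MD5, no password in WHERE).
    if ($user !== false && password_verify($pass, $user['password_hash'])) {
        session_regenerate_id(true);               // fresh session id once the user is authenticated
        $_SESSION['user_id'] = (int) $user['id'];
        if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
            $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
            $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $user['id']]);
        }
        header('Location: members.php');           // go to a different file, so no redirect loop
        exit;
    }
    // Same message whether the email or the password was wrong, so nothing leaks which one it was.
    $error = 'Invalid email or password.';
}
?>
<!-- The form posts back to this file; the handler above runs before any output is sent. -->
<form method="post" action="">
  <?php if ($error !== null): ?><p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
  <input type="email" name="email" required>
  <input type="password" name="pass" required>
  <button type="submit">Log in</button>
</form>
```

`members.php` then only has to call `session_start()` and check `isset($_SESSION['user_id'])` before showing the protected content.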
