User details not getting passed in different page

I have a login.html where the form is defined as follows. The user information doesn’t seem to be available in dbconn.php, and I believe that’s why I keep on getting the Notice: Undefined index: user in C:\wamp\www on line #6 in dbconn.php. This is the line $user = $_POST["user"];

<form method="post" action= "user.php"  name="lform">
  <span class="style1">User Name :</span>  
    <input type="text" name="user" size="25">
	<input type="submit" value="login">
</form>

My user.php is as follows:

<?php
session_start();

require('dbconn.php');

$user = $_POST["user"]; 

$_SESSION['username'] = $user;

$sql="SELECT * FROM $table_name_users WHERE username = \"$user\"";

var_dump("SQL Check : " . $sql);

$result=mysqli_query($connection,$sql) or trigger_error("Couldn't Execute Query in do_authuser.php: ". mysqli_error($connection));

//var_dump("Result Check: " . $result);

$num = mysqli_num_rows($result);

var_dump("Number variable check: " . $num);


if ($num != 0) {


    print "<script>";
	print "self.location='somethingelse.php';";
	print "</script>";

} else {
echo "<p>you're not authorized";
}


?>

And dbconn.php is as follows:

<?php
if(!isset($_SESSION)) 
    { 
        session_start(); 
    } 
$user			  = $_POST["user"]; 
$_SESSION['username']=$user;

var_dump("Check for user in dbconn.php:". $user);

$db_server		= "localhost"; 
$db_name		= "PracticeDB"; 
$db_user		= $user;
$db_password		= 'abc';

var_dump("Test for db user variable in dbconn.php:". $db_user);


$connection = mysqli_connect($db_server,$db_user,$db_password) or trigger_error("Could Not Connect to the Database :   ". mysqli_connect_error(), E_USER_ERROR);
//var_dump("Connection Dump for Connection: ". $connection);

$db = mysqli_select_db($connection , $db_name) or trigger_error("Could Not Select the Database : " . $db_name . ':' .mysqli_error($connection));
var_dump("Check for db variable in dbconn.php:". $db);


?>

You really shouldn’t be giving a user the ability to log in to a MySQL database. I would use constants; that way you can have better control over them.

Here’s what I do:

if (filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_SANITIZE_URL) == "localhost") {
    define('DATABASE_HOST', 'localhost');
    define('DATABASE_NAME', 'database name');
    define('DATABASE_USERNAME', 'local user name --- usually root');
    define('DATABASE_PASSWORD', 'local_password');
    define('DATABASE_TABLE', 'database table');
} else {
    define('DATABASE_HOST', 'Internet Provider');
    define('DATABASE_NAME', 'remote database name');
    define('DATABASE_USERNAME', 'remote_username');
    define('DATABASE_PASSWORD', 'remote_password');
    define('DATABASE_TABLE', 'database table');
}

This is probably the reason you can’t get the user to log in, and you should also have error reporting turned on (locally).

Thanks @Pepster64. Actually, the user can log in to the database if I hard code the user name in dbconn.php. In my case, if I change $db_user = $user; to $db_user = 'peter';, the user can successfully log in. What I was not able to figure out is why the value for user is not coming into the dbconn.php page even though the session has been started in the user.php page.

I don’t see that the session side of it is relevant at this point. If you var_dump($_POST); at the start of user.php, and again at the start of dbconn.php, what do you see?

In any case you’re a sitting duck for SQL Injection attacks with that code as you’re letting user submitted data near the database without any sort of escaping or validation. At the very minimum you should be using a prepared statement to prevent SQL Injection.

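The prepared-statement approach recommended in the reply above, as an added example that is not code from any poster in this thread. It keeps the thread's existence-only check, connects with a fixed application account instead of the submitted name, and reads the form field without triggering the undefined-index notice. The account name, password, table name and 64-byte length limit are assumed placeholders.

```php
<?php
// Added example: hardened version of the user.php lookup from this thread.
// Assumed placeholders: DB_USER, DB_PASSWORD, USERS_TABLE, the 64-byte limit.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

const DB_HOST     = 'localhost';
const DB_NAME     = 'PracticeDB';   // database name used in the thread
const DB_USER     = 'app_user';     // placeholder application account
const DB_PASSWORD = 'change-me';    // placeholder
const USERS_TABLE = 'users';        // placeholder; never built from input

function user_exists(mysqli $db, string $username): bool
{
    // The value is sent separately from the SQL text, so quotes or other
    // metacharacters in it cannot alter the statement.
    $sql  = 'SELECT 1 FROM `' . USERS_TABLE . '` WHERE username = ? LIMIT 1';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

session_start();

// filter_input() returns null when the field was not posted, so a direct
// request to this page does not raise "Undefined index: user".
$user = filter_input(INPUT_POST, 'user', FILTER_UNSAFE_RAW);
if (!is_string($user) || $user === '' || strlen($user) > 64) {
    http_response_code(400);
    exit('Missing or invalid user name.');
}

$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
$db->set_charset('utf8mb4');

if (user_exists($db, $user)) {
    session_regenerate_id(true);      // new session id once the user is known
    $_SESSION['username'] = $user;
    header('Location: somethingelse.php');
    exit;
}
http_response_code(403);
echo '<p>You are not authorized.</p>';
```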

I placed var_dump("Check for user in user.php:". $_POST); at the start of user.php just below the session_start() line.

I didn’t see the dump getting printed

I also placed the code in dbconn.php

var_dump("Check for user in dbconn.php:". $_POST);

I saw the following:

string 'Check for user in dbconn.php:Array' (length=34)

Errors which were there before as well:

Notice: Undefined index: user in C:\wamp\www on line #6 where $user = $_POST["user"]; is line #6

Notice: Array to string conversion in C:\wamp\www\ on line #11 where var_dump("Check for user in dbconn.php:". $_POST); is line #11

Doesn’t look as if the var_dump() is outputting what you want it to, though. Try separating it:

echo "check for user in dbconn.php: ";
var_dump($_POST);

If it’s not appearing in user.php, are you 100% sure it’s running the same version you’re editing?

It’s printing now on both the pages (the first page was redirecting to another so I was unable to see it; I stopped it and now I can see):

array (size=1)
  'user' => string 'peter'

How can I resolve the problem?

Well, you’ve got me. I created three files on my local WAMP server and pasted your code into them, adding var_dumps as well, and I get this:

array (size=1)
  'user' => string 'fred' (length=4)

array (size=1)
  'user' => string 'fred' (length=4)

string 'Check for user in dbconn.php:fred' (length=33)

string 'Test for db user variable in dbconn.php:fred' (length=44)

Obviously then it gives me database errors because I don’t have your tables configured, but it’s not giving me the index error that you’re getting. Did you copy/paste your code into the forum, or type it out separately? Is there a reason for all the white space in the middle of that line?
