$_POST not working in a login form

Question

I've spent hours over this code (i'm a php newbie) but I just can't figure out why it doesn't work. I have 2 webpages: the main one, and the login handler. The login one should take the values I put in the login form (placed in the main page) and then execute operations such as checking whether the user exists or not, whether he is an admin or not and whatsoever. Turns out the starting postgres query is wrong for some reasons -or maybe I should say the values taken from the form are not recognized correctly -, even though I tried to use it on another test.php page using actual values instead of the $_POST variables and it worked flawlessly

MainPage

<?php
ini_set ("display_errors", "1");
error_reporting(E_ALL);
$host        = "host=127.0.0.1";
$port        = "port=5432";
$dbname      = "dbname=Library";
$credentials = "user=john password=doe";

 $db = pg_connect( "$host $port $dbname $credentials"  ) or die('Could not  connect');
 ?>

      <title>Welcome</title>
      <head><font size="16" color="black">Library</font></head>
            <br />
            <br />
            <br />
    <body>
            <form action="LoginHandler.php" method="POST">
            ID:<input type="string" name="UserID">
            Password:<input type="string" name="Password">
            <input type="submit" value="Login">
            </form>
            <form action="createUser.html" method="get">
            <input type="submit" value="Sign Up"><br>

    </body>

LoginHandler

<?php
$UserID=$_POST["UserID"];
$Password=$_POST["Password"];
$user=pg_query($db, "SELECT UserID, Password, Privileges
            FROM Library.Users
            WHERE UserID='$UserID' AND Password='$Password'");
$val = pg_fetch_result($user, 0, 0);
echo $val;
?>

I just tried the code on a text page again so I'm 100% sure the query is correct. Any suggestions?

Is it possible you forgot to `pg_connect` on your LoginHandler? Are you getting any errors? Try running `echo pg_last_error()` after your query and see the result. — uri2x, Sep 12 '15 at 14:00
Please edit and add the test page code and the result of `echo $val`. I have the suspect that in `LoginHandler.php` your variable `$db` is just empty, so there is no connection to perform the query on. Also check if `$user === false` before fetching the result. With these information I think it would be easy to formulate an answer. — Pietro Saccardi, Sep 12 '15 at 14:03
pg_connect( "$host $port $dbname $credentials" ) - shouldn't his have comma separators? — durbnpoisn, Sep 12 '15 at 14:04
change both `type="string"` to `type="text"`, I am pretty sure that `type="string"` isn't a valid type. edit: the one for the password should be `type="password"` — Funk Forty Niner, Sep 12 '15 at 14:07
@durbnpoisn that was deprecated, now it just has a connection string: http://php.net/manual/en/function.pg-connect.php — Pietro Saccardi, Sep 12 '15 at 14:08
well someone obviously saw my comment above and adjusted their answer - lol — Funk Forty Niner, Sep 12 '15 at 14:14
Error reporting http://php.net/manual/en/function.error-reporting.php should be throwing you undefined index notices. — Funk Forty Niner, Sep 12 '15 at 14:20

Mohamed Omer · Answer 1 · 2015-09-12T14:13:22.267

0

my friend there couple of issues here can blow up ur code 1- the form html code is missed up.it should look like that:

<form action="LoginHandler.php" method="POST">
            ID:<input type="text" name="UserID">
            Password:<input type="password" name="Password">
            <input type="submit" value="Login">
            </form>
            <form action="createUser.html" method="get">
            <input type="submit" value="Sign Up"><br>
</form>

2- you should learn the difference between using single quote and double quote , they are not the same in PHP so your query should look like that

$user=pg_query($db, 'SELECT UserID, Password, Privileges
            FROM Library.Users
            WHERE UserID="$UserID" AND Password="$Password"');

3- i want to tell u that this code can work for practicing or testing but it is not a real world code , u should hash the password use $password = sha1($password); at least, also u should filter the $_POST and $_GET inputs using htmlspecialchars() and filter_var(), check the php manual for best explanation for this functions.

edited Sep 12 '15 at 14:13

answered Sep 12 '15 at 14:08

Mohamed Omer

11
1

*"you should learn the difference between using single quote and double quote , they are not the same in PHP so your query should look like that"* - what they have now is fine. – Funk Forty Niner Sep 12 '15 at 14:09
*"u should hash the password use $password = sha1($password);"* - No, `sha1` isn't considered safe to use anymore. – Funk Forty Niner Sep 12 '15 at 14:12
at least for a beginner then he can use advanced salt blow fish one – Mohamed Omer Sep 12 '15 at 14:15
why should they? they should be using a "safe" password hashing right away. – Funk Forty Niner Sep 12 '15 at 14:15
I don't think the initial question was about writing secure code... – Fanis Despoudis Sep 12 '15 at 14:18
about quotes i think he will inter the identifier into the database not the value when using single quotes check this $xyz = "something"; print "$xyz"; print '$xyz'; – Mohamed Omer Sep 12 '15 at 14:19
@FanisDespoudis agreed – Mohamed Omer Sep 12 '15 at 14:20
@Fred-ii- agreed about using secure code – Mohamed Omer Sep 12 '15 at 14:20

$_POST not working in a login form

1 Answers1