undefined index error in login form

Question

I have started to learn php and mysql and I have created a login form. I want to show error when username or password is incorrect. But when the page is opened it shows Notice: Undefined index: user and Undefined index: pass, and i have included the php code below the password input box because I want to show the error below it, but I keep getting this error.And if I enter any wrong username and click on login then this error doesn't appear. Please help

<html>
<head>
</head>
<body>
<form action="login.php" method="post">
<label for="username">Username</label>
<input name="user" type="text" id="username" required="" >
<label for="password">Password</label>
<input name="pass" type="password" id="password" required="" >
<?php
// start session
session_start();
include'connect.php';
// Define $username and $password 
$username=$_POST['user']; 
$password=$_POST['pass']; 
$sql="SELECT * FROM table WHERE username='$username' and password='$password'";
$result=mysqli_query($con,$sql);
// Mysql_num_row is counting table row $count=mysqli_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count==1){
$_SESSION['username'] = $_POST['user'];
// goto to welcome page
header('Location: welcome.php');
}
else {
// show error
echo "<div style='color:red;' class='errorbox'>Incorrect Username or Password</div><br>";
}
?>
<button type="submit">Log In</button>
</form>
</body>
</html>

When you load the page for the first time your post data does not contain user or pass . So you should check whether it exists before using it. — ck_arjun, Mar 16 '16 at 15:11
@ck_arjun I entered if(isset($_POST['user'])) below include connect.php not it doesn't shows undefined user error but shows the pass error and also one new error undefined username — , Mar 16 '16 at 15:24

score 0 · Answer 1 · answered Mar 16 '16 at 15:27

<?php
// start session
session_start();
include'connect.php';
if (!empty($_POST)) {
    // Define $username and $password 
    $username=$_POST['user']; 
    $password=$_POST['pass']; 
    $sql="SELECT * FROM table WHERE username='" . mysqli_real_escape_string($username) . "' and password='" . mysqli_real_escape_string($password) . "'";
    $result=mysqli_query($con,$sql);
    $count=mysqli_num_rows($result);
    // If result matched $username and $password, table row must be 1 row
    if($count){
        $_SESSION['username'] = $_POST['user'];
       // goto to welcome page
       header('Location: welcome.php');
    } else {
       // show error
echo "<div style='color:red;' class='errorbox'>Incorrect Username or Password</div><br>";
    }
} 
?>
<html>
<head>
</head>
<body>
<form method="post">
<label for="username">Username</label>
<input name="user" type="text" id="username" required>
<label for="password">Password</label>
<input name="pass" type="password" id="password" required>
<button type="submit">Log In</button>
</form>
</body>
</html>

Ramon Bakker · Answer 2 · 2016-03-16T16:07:20.230

The more safe solution, with anti session fixtation and anti SQL injection:

<?php
if (!isset($_SESSION)) { session_start(); }

include'connect.php';

if(isset($_POST["user"])) {

    $username = bin2hex(htmlspecialchars($_POST['user'])); 
    $password = bin2hex(htmlspecialchars($_POST['pass'])); 

    $query = mysqli_query($con, "SELECT id, username FROM table WHERE username=UNHEX('$username') AND password=UNHEX('$password')");

    if (mysqli_num_rows($query) === 1) {
        $result = mysqli_fetch_assoc($query);
        $_SESSION['username'] = $result['username'];
        $_SESSION['userid'] = $result['id'];
        session_regenerate_id();
        header('Location: welcome.php');
    } else {
        echo "<div style='color:red;' class='errorbox'>Incorrect Username or Password</div><br>";
    }
}
?>

<html>
<head>
</head>
<body>
<form action="" method="post">
<label for="username">Username</label>
<input name="user" type="text" id="username" required="" >
<label for="password">Password</label>
<input name="pass" type="password" id="password" required="" >
<button type="submit" name="login-now">Log In</button>
</form>
</body>
</html>

Remember to HASH your passwords (with a salt, and don't use md5)

ameenulla0007 · Accepted Answer · 2016-03-16T15:31:39.760

-1

you need to format your script like below.

<?php
//start session
session_start();
include'connect.php';
// Define $username and $password
if(isset($_POST["user"])) {
    $username   = mysqli_real_escape_string($_POST['user']); 
    $password   = mysqli_real_escape_string($_POST['pass']); 
    $sql        = "SELECT * FROM table WHERE username='$username' and password='$password'";
    $result = mysqli_query($con,$sql);
    $count      = mysqli_num_rows($result);
    if($count==1) {
        $_SESSION['username'] = $_POST['user'];
        // goto to welcome page
        header('Location: welcome.php');
    }
    else {
        // show error
        echo "<div style='color:red;' class='errorbox'>Incorrect Username or Password</div><br>";
    }
}
?>
<html>
<head>
</head>
<body>
<form action="login.php" method="post">
<label for="username">Username</label>
<input name="user" type="text" id="username" required="" >
<label for="password">Password</label>
<input name="pass" type="password" id="password" required="" >
<button type="submit" name="login-now">Log In</button>
</form>
</body>
</html>

points to be noted

session_start(); needs to be started before everything, there should not be any html code before it.
use of condition with isset which indicates the submit button is clicked and value of post is set, if it is set, it means the other requests of username and password is also ready to request.

(if you directly execute statements without isset, the requests won't be ready to request, and if requested, it returns with an error, undefined index)

As a reminder by @Alex, user of mysqli_real_escape_string, this protects your script with SQL injections.

edited Mar 16 '16 at 15:31

answered Mar 16 '16 at 15:21

ameenulla0007

2,663
1
12
15

1

never ever check with `isset($_POST["submit"])`, as it is not reliable. – Mar 16 '16 at 15:25
okay, what would be the better condition then @ksno? – ameenulla0007 Mar 16 '16 at 15:26
checking anything else.. in theory you wouldnt want to submit an empty form so there would always be a required field. – Mar 16 '16 at 15:28
it is not a safe solution. – Alex S Mar 16 '16 at 15:29
you mean `isset($_POST['user'])` ? – ameenulla0007 Mar 16 '16 at 15:29
thanks for the reminder @AlexS, i updated, yup it is required.. :) – ameenulla0007 Mar 16 '16 at 15:32
`mysqli_real_escape_string` is not safe and deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Learn howto prevent against injection: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php . I suggest to have a look at Zaffy's answer – Ramon Bakker Mar 16 '16 at 15:42
@ameenulla0007 now I am getting this error Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given – Mar 16 '16 at 15:56
@MahimParsai http://www.w3schools.com/php/func_mysqli_num_rows.asp check the link, you will get an idea, where you went wrong.. – ameenulla0007 Mar 16 '16 at 15:58
Often that error is due to a invalid query @MahimParsai – Ramon Bakker Mar 17 '16 at 09:34

undefined index error in login form

3 Answers3