When you press login on my site, the script uses mysqli_real_escape_string and than process the login.
When you are for example at the homepage and you press the login button there, the site goes to this file. if everything goes well, you will be redirected to the begin page but when something goes wrong, you will stay at this page and see a form. The form contains the data you entered before your pressed login. THAT data contains a slash at the end.
I want to remove the slashes by using stripslashes so I created a function called slash to remove them but when you enter the wrong things I still see the slashes.
//the slash function is placed in a previous loaded file
function slash($username, $password){
$password = stripslashes($password);
$username = stripslashes($username);
return $username;
return $password;
}
if(empty($_POST === false)){
$username = $_POST['username'];
$password = $_POST['password'];
//check if the fields are empty
if (empty($username) || empty($password)){
$errors[] = 'You need to enter a username and password';
//check if the username exists
}else if(user_exists($username) === false){
$errors[] = 'We can\'t find that username';
slash($username, $password);
//check if the username is active
}else if(user_active($username) === false){
$errors[] = 'You haven\'t activated your account';
slash($username, $password);
//if none of the previous checks are false, log in
}else{
$login = login($username, $password);
//if username or password is incorrect, display error
if($login === false){
$errors[] = 'That username or password combination is incorrect';
slash($username, $password);
//if everthing is fine, log in
}else{
//set the user session
$_SESSION['user_id'] = $login;
//redirect user to home
header('Location: index.php');
exit();
}
}
}
?>
<html>
<head>
<link rel="stylesheet" href="css/error_login.css"/>
</head>
<body>
<?php
include 'templates/menu/menu.php';
?>
<div class="error_login">
<h3>Login</h3>
<form action="login.php" method="POST">
<div id="login">
username:<br>
<input type="text" name="username" value=<?php echo $username; ?>/><br><br>
password:<br>
<input type="password" name="password" value=<?php echo $password; ?>/><br><br>
<input type="submit" value="Log In"/><br><br>
<a href="register.php">Register</a>
<ul>
<?php
error_output($errors);
?>
</ul>
</div>
</form>
</div>
<?php
include 'templates/footer/footer.php';
?>
</body>
</html>
edit
input:
username: test
password:
The input is invalid like your see because there is no password so the site will reshow a form with the userinput + an added slash
output:
username: test/
password: ●
In your HTML:
<input type="text" name="username" value=<?php echo $username; ?>/>
You missed the double-quotes to the value attribute:
<input type="text" name="username" value="<?php echo $username; ?>"/>
This is the same for password.