I'm trying just to validate, on submitting the form that the username and password aren't empty.
Form:
<form action="usercheck.php" method="post">
User: <input type="text" name="username" maxlength="10" />
Pass: <input type="password" name="password" maxlength="10" />
<input type="submit" value="Submit" />
</form>
usercheck.php
<?php
class Vuln{
public $username = $_POST['username'];
public $password = $_POST['password'];
public function ShowErrors(){
if($this->username == '' || $this->password == ''){
return 'username or password field blank';
}
else{
echo stripslashes('we\'re good');
}
}
$entered = new Vuln;
echo $entered->ShowErrors();
}
?>
When I test, it says:
Parse error: syntax error, unexpected
T_VARIABLE, expectingT_FUNCTIONon line :$entered = new Vuln;
You can't have code inside a class definition like that
class Vuln {
//> Your class definition
}
//> Outside of the class
$entered = new Vuln;
echo $entered->ShowErrors();
I strongly suggest you to read all the basics from PHP Doc
Part of your code is placed directly in the class:
$entered = new Vuln;
echo $entered->ShowErrors();
Those should be placed outside the class definition. As mentioned below, change:
public $username = $_POST['username'];
public $password = $_POST['password'];
to
public $username;
public $password;
and initiate variables in constructor or outside the class.
something like
$entered = new Vuln;
$entered->username = $_POST['username'];
$entered->password = $_POST['password'];
$entered->ShowErrors();
you are currently instantiating your class from within your class.
edit: added for more clarification - this instantiates the class and should be outside the class. remove the instantiation that is within the class.
another edit changed the variable name to match example
The code for execution of an object shouldn't be found inside of the class definition.
You probably meant this:
<?php
class Vuln{
public $username = $_POST['username'];
public $password = $_POST['password'];
public function ShowErrors(){
if($this->username == '' || $this->password == ''){
return 'username or password field blank';
}
else{
echo stripslashes('we\'re good');
}
}
}
$entered = new Vuln;
echo $entered->ShowErrors();
Whats stopping you using
<form action="usercheck()" id="form" method="post">
and using the following JS
var theForm = document.forms["form"];
var user = theForm.elements["user"];
var pass = theForm.elements["pass"];
if(user.value==null || user.value=="")
{
alert("First name(s) must be filled out");
return false;
}
else if(pass.value==null || pass.value=="")
{
alert("Last name must be filled out");
return false;
}
else
{
return true;
}
You can't create object of the class from within the class itself. You must call the class when the form is submitted. Also change the class filename to something like vuln.php and update the usercheck.php to the following code.
if($_POST){
include("Vuln.php");
$entered = new Vuln;
echo $entered->ShowErrors();
}
Hope it may help you.