First, the project that I am working on: Creating a website where users can login and record the number of volunteer hours they have done.
I looked at a similar question here: PHP login error "Undefined Variable"
I tried the solution that was in the post above but it did not work for me. The undefined variable only occurs when the wrong username/password is entered, but works perfectly fine when the right username and password are entered. I am not sure as to why this is happening but I would like some help finding the solution. Here is the code to the pages that I am having trouble with. Thanks.
The login html form:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Simple login form</title>
<link rel="stylesheet" href="css/reset.css">
<link rel="stylesheet" href="css/style.css"/>
</head>
<body>
<div class="container">
<div class="login">
<h1 class="login-heading">
<strong>Welcome.</strong> Please login.</h1>
<form method="post" action="login.php">
<input type="text" name="uname" placeholder="Username" required="required" class="input-txt" />
<input type="password" name="pword" placeholder="Password" required="required" class="input-txt" />
<div class="login-footer">
<a href="forgot.html" class="lnk">
<span class="icon icon--min">ಠ╭╮ಠ</span>
<span class="register">I've forgotten something</span></a>
<input name="submit" value="Login" type="submit" class="btn btn--right"><br>
<a href="register.html" class="lnk">
<span class="register">Not a member? Click here to register!</span></a>
</div>
</form>
</div>
</div>
<script src="js/index.js"></script>
</body>
</html>
The PHP form that processes the info from the form:
<?php
include("encrypt_decrypt.php");
$username="root";
$password="";
$server="localhost";
$db_name="userauthentication";
$uname="";
$pword="";
$error_msg="";
if(isset($_POST["submit"])){
$db_handle = mysqli_connect($server, $username, $password);
$db_found = mysqli_select_db($db_handle, $db_name);
$uname = $_POST["uname"];
$uname = htmlspecialchars($uname);
$uname = mysqli_real_escape_string($db_handle, $uname);
$pword = $_POST["pword"];
$pword = htmlspecialchars($pword);
$pword = mysqli_real_escape_string($db_handle, $pword);
$pword = encrypt_decrypt("encrypt", $pword);
if($db_found){
if($uname == "admin"){
$SQL = "SELECT * FROM WHERE username = '$uname' AND pword = '$pword'";
$result = mysqli_query($db_handle, $SQL);
$num_rows = mysqli_num_rows($result);
if($num_rows > 0){
session_start();
$_SESSION['login'] = "2";
header("Location: adminpage.html");
}else{
print("error");
}
}else if($uname != "admin"){
$SQL = "SELECT * FROM login WHERE username = '$uname' AND password = '$pword'";
$result = mysqli_query($db_handle, $SQL);
$num_rows = mysqli_num_rows($result);
if($num_rows > 0){
session_start();
$_SESSION['login'] = "1";
header("Location: mainpage.html");
}else{
$uname = '';
$pword = '';
print("error");
}
}
}
}
?>
And last but not least, the encrypt_decrypt function that I am using for password security. This is the actual page where I am getting the undefined variable problem on lines 6 & 7.
<?php
function encrypt_decrypt($action, $string) {
$output = false;
$encrypt_method = "AES-256-CBC";
**$secret_key = $pword;**
**$secret_iv = $pword;**
// hash
$key = hash('sha256', $secret_key);
// iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
$iv = substr(hash('sha256', $secret_iv), 0, 16);
if( $action == 'encrypt' ) {
$output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv);
$output = base64_encode($output);
}
else if( $action == 'decrypt' ){
$output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
}
return $output;
}
?>
This is a picture after I entered in the right username but wrong password
You pass in a variable named $pword but it is called $string within the function. Update the code as below.
$secret_key = $string;
$secret_iv = $string;
The error always occurs. But in case of successful login you are doing a header redirect either to adminpage.html or to mainpage.html. That is why you don't see the errors in case of using right username/password combination. The error is the result of using the unknown variable pword in encrypt_decrypt(). Replace it with $string or use global statement to import $pword into the scope of encrypt_decrypt().