  1. #1
    New Coder
    Join Date
    Nov 2009
    Posts
    29
    Thanks
    5
    Thanked 0 Times in 0 Posts

    Value is POSTED definitely but isset() says NO....

    Hi All
    See the code given below. I have been fighting with this code for the last 5 hours to find out why isset() is evaluating the condition as false when the value is posted exactly as it should be POSTed.
    If I uncomment line nos. 4, 5, 6, 7, 8 and put the rest of the code from line no. 10 to 28 I can see the POSTED value.
    Can anyone help with this by any guidance or suggestion? I will be thankful.

    PHP Code:
    <?php
    include 'dbconnection.php';
    include 'functions.php';
    //sec_session_start();
    //  $email = $_POST['logemail'];
    //  $password = $_POST['p'];
    //  echo $password;
    //  echo $email;
    // Our custom secure way of starting a php session.
    if(isset($_POST['logemail'], $_POST['p'])) {
       $email = $_POST['logemail'];
       $password = $_POST['p']; // The hashed password.
       if(login($email, $password, $mysqli) === true) {
          // Login success
          //$url = 'mwq';
          //echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">';
          echo $password;
          echo $email;

       } else {
          // Login failed
          header('Location: login.php?error=1');
       }
    } else {
       // The correct POST variables were not sent to this page.
       echo 'Invalid Request Data Not POSTED';
    }
    ?>

  • #2
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,089
    Thanks
    51
    Thanked 506 Times in 493 Posts
    You need to do this and see what your $_POST data contains:

    print_r($_POST);

    That's the only way to see what is actually being sent to your script.
    My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!

  • #3
    New Coder
    Join Date
    Nov 2009
    Posts
    29
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Hello Tangoforce
    Thank you for consideration
    I used this just before isset() to test what $_POST is doing and output is -

    array(0) { }

    But interesting part of the code is if I remove the comment from these
    // $email = $_POST['logemail'];
    // $password = $_POST['p'];
    // echo $password;
    // echo $email;

    and rest of the code I commented then I get what I expect from POST.

  • #4
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,089
    Thanks
    51
    Thanked 506 Times in 493 Posts
    Ok, print_r($_REQUEST) please.
    My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!

  • #5
    New Coder
    Join Date
    Nov 2009
    Posts
    29
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Tested and output is - Array ( [error] => 1 )

  • #6
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,978
    Thanks
    4
    Thanked 2,659 Times in 2,628 Posts
    Is this page login.php? The only code we can see here indicates that you have issued a header redirect and passed it a querystring of error=1, which happens to be the same as your request. If this is the case, it indicates that the POST is passed upon an initial login attempt, but the login() function itself is not returning boolean true.
    Comment out that header() and try a var_dump($_POST); again.

  • #7
    New Coder
    Join Date
    Nov 2009
    Posts
    29
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Here is my index.php code -
    Code:
    <td>
    <FORM ID="Login" ACTION="login.php" METHOD="POST">
    <h1>welcome to the login page</h1>
    please input the login details to create an account here<br />
    <table border="2">
    <tr>
    <td>email :</td><td><input id="logemail" name="logemail" type="text" size="30"></td>
    </tr>
    <tr>
    <td>password :</td><td><input id="logpass1" name="logpass1" type="password" size="20"></td>
    </tr>
    </table>
    <input type="button" value="Login" onClick="formhash2(this.form,this.form.logpass1);">
    </FORM>
    
    <FORM ID="Register" ACTION="register.php" METHOD="POST">
    <h1>welcome to the registration page</h1>
    please input the registration details to create an account here<br />
    <table border="2">
    <tr>
    <td>email :</td><td><input name="regemail" type="text" size="30"></td>
    </tr>
    <tr>
    <td>password :</td><td><input id="regpass1" name="regpass1" type="password" size="20"></td>
    </tr>
    </table>
    <input type="button" value="Register" onClick="formhash1(this.form,this.form.regpass1);">
    </FORM>
    </td>
    This is the code of formhash2() and formhash1() -
    Code:
    // JavaScript Document csnip
    function formhash2(form, password) {
       alert(form.id + " " + password.value);
       // Create a new element input, this will be our hashed password field.
       var p = document.createElement("input");
       p.name = "p";
       p.type = "hidden";
       p.value = hex_sha512(password.value);
       // Make sure the plaintext password doesn't get sent.
       password.value = "";
       // Add the new element to our form.
       form.appendChild(p);
       // Finally submit the form.
       form.submit();
    }

    function formhash1(form, password) {
       alert(form.id + " " + password.value);
       // Create a new element input, this will be our hashed password field.
       var pl = document.createElement("input");
       pl.name = "pl";
       pl.type = "hidden";
       pl.value = hex_sha512(password.value);
       // Make sure the plaintext password doesn't get sent.
       password.value = "";
       // Add the new element to our form.
       form.appendChild(pl);
       // Finally submit the form.
       form.submit();
    }
    and finally this is the code for login() -
    PHP Code:
    function login($email, $password, $mysqli) {
       // Using prepared Statements means that SQL injection is not possible.
       if ($stmt = $mysqli->prepare("SELECT id, email, password, salt FROM members WHERE email = ? LIMIT 1")) {
          $stmt->bind_param('s', $email); // Bind "$email" to parameter.
          $stmt->execute(); // Execute the prepared query.
          $stmt->store_result();
          $stmt->bind_result($user_id, $username, $db_password, $salt); // get variables from result.
          printf("%s %s\n", $username, $db_password);
          $stmt->fetch();
          $password = hash('sha512', $password.$salt); // hash the password with the unique salt.

          if($stmt->num_rows == 1) { // If the user exists
             // We check if the account is locked from too many login attempts
             if(checkbrute($user_id, $mysqli) == true) {
                // Account is locked
                // Send an email to user saying their account is locked
                return false;
             } else {
                if($db_password == $password) { // Check if the password in the database matches the password the user submitted.
                   // Password is correct!

                   $ip_address = $_SERVER['REMOTE_ADDR']; // Get the IP address of the user.
                   $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.

                   $user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value
                   $_SESSION['user_id'] = $user_id;
                   $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); // XSS protection as we might print this value
                   $_SESSION['username'] = $username;
                   $_SESSION['login_string'] = hash('sha512', $password.$ip_address.$user_browser);
                   // Login successful.
                   return true;
                } else {
                   // Password is not correct
                   // We record this attempt in the database
                   $now = time();
                   $mysqli->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')");
                   return false;
                }
             }
          } else {
             // No user exists.
             return false;
          }
       }
    }

    This is in functions.php, and this file is included in the login.php file which is mentioned in the previous post.

  • #8
    New to the CF scene
    Join Date
    Oct 2012
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If you delete the comments it works? Try it like this see if it works:



    Code:
    <?php 
        include 'dbconnection.php'; 
        include 'functions.php'; 
        /* sec_session_start(); 
          $email = $_POST['logemail']; 
           $password = $_POST['p']; 
            echo $password; 
            echo $email; 
         Our custom secure way of starting a php session. */ 
         
        if(isset($_POST['logemail'], $_POST['p'])) {  
           $email = $_POST['logemail']; 
           $password = $_POST['p']; // The hashed password. 
           if(login($email, $password, $mysqli) === true) { 
              // Login success 
              //$url = 'mwq'; 
            //echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">';   
            echo $password; 
            echo $email; 
         
           } else { 
              // Login failed 
              header('Location: login.php?error=1'); 
           } 
        } else {  
           // The correct POST variables were not sent to this page. 
           echo 'Invalid Request Data Not POSTED'; 
        } 
        ?>

  • #9
    New Coder
    Join Date
    Nov 2009
    Posts
    29
    Thanks
    5
    Thanked 0 Times in 0 Posts
    No I mean to say if I only keep this part in login.php then why the value of _POST is displaying correctly
    sec_session_start();
    $email = $_POST['logemail'];
    $password = $_POST['p'];
    echo $password;
    echo $email;
    Then why isset() is not getting the posted value on page?

  • #10
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,978
    Thanks
    4
    Thanked 2,659 Times in 2,628 Posts
    The initial page is login.php then.

    Remove the header() call from there and at the top enable your error reporting:
    PHP Code:
    ini_set('display_errors', 1);
    error_reporting(E_ALL | E_STRICT);
    If that runs with no errors, and the var_dump($_POST) produces the results as expected, then you need to debug this login() function.

    Edit:
    To answer your question just above here, it looks to me that your login() function hasn't been verified as working before this point. Since you force a redirection header you have no way to evaluate the $_POST as it has now become $_GET.

  • #11
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,089
    Thanks
    51
    Thanked 506 Times in 493 Posts
    If you're using Firefox, try a plugin called HttpFox. This will allow you to see the request and response headers. More importantly it will allow you to see what post data is being sent (if any).
    My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!

  • #12
    New Coder
    Join Date
    Nov 2009
    Posts
    29
    Thanks
    5
    Thanked 0 Times in 0 Posts
    @TangoForce
    If I delete the entire code from isset to the bottom and leave only this part in login.php file -
    PHP Code:
    <?php
    include 'dbconnection.php';
    include 'functions.php';

    sec_session_start();
    var_dump($_POST);
    print_r($_REQUEST);

    ?>
    See the output -
    array(3) { ["logemail"]=> string(6) "ankush" ["logpass1"]=> string(0) "" ["p"]=> string(128) "704d3e76a26e1c6e99e8ca31237eb400cf2cb38b9712f22ee49ec4831bd974a37ef68fd3a8ee265b9a90cb2c07006c114db 59fccd93cc0a36458f9d3f04773ea" } Array ( [logemail] => ankush [logpass1] => [p] => 704d3e76a26e1c6e99e8ca31237eb400cf2cb38b9712f22ee49ec4831bd974a37ef68fd3a8ee265b9a90cb2c07006c114db5 9fccd93cc0a36458f9d3f04773ea )

  • #13
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,089
    Thanks
    51
    Thanked 506 Times in 493 Posts
    So that only confirms then that your call to header() (as Fou keeps saying) is being called and your script is redirecting the browser back to login.php with a fresh http request. At that point, all of your $_POST data is lost. THAT is your problem.

    This is how your logic is running:

    Submit form to login.php
    login.php runs (with $_POST data) isset code, calls header('Location: login.php?error=1')
    Browser is redirected to login.php?error=1 - No $_POST data.

    $_POST is only valid for the page it is sent to. By issuing a redirect, your browser is making a completely fresh http request. Because it's a request via url and not a form submission, $_POST is gone / deleted / blackholed. This is because you issued a header() and THAT instance of the script was terminated.
    My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!
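
The two-request sequence diagnosed in posts #10 and #13, replayed offline as an added example (not code from any poster in the thread). The names `handle_login_request`, `send_response`, `$alwaysFail` and the `home.php` target are assumptions made for illustration; the stub stands in for the thread's `login()`.

```php
<?php
// Added example: login.php's decision logic as a pure function, so the POST
// and the follow-up GET can be replayed without a web server or database.
// $login stands in for the thread's login($email, $password, $mysqli).
function handle_login_request(string $method, array $post, array $get, callable $login): array
{
    if ($method === 'POST') {
        $email = $post['logemail'] ?? null;
        $hash  = $post['p'] ?? null;
        if (!is_string($email) || !is_string($hash)) {   // also rejects array-valued fields
            return ['status' => 400, 'body' => 'Invalid Request Data Not POSTED'];
        }
        if ($login($email, $hash) === true) {
            return ['status' => 302, 'location' => 'home.php'];   // hypothetical landing page
        }
        // Failed login: the redirect makes the browser issue a NEW GET request,
        // so nothing from $post exists when login.php runs the second time.
        return ['status' => 302, 'location' => 'login.php?error=1'];
    }
    // GET: where the redirected browser lands; only the query string is present.
    if (isset($get['error'])) {
        return ['status' => 200, 'body' => 'Login failed'];
    }
    return ['status' => 200, 'body' => 'Please log in'];
}

// How a real page would apply the result; exit stops the script after a redirect.
function send_response(array $r): void
{
    http_response_code($r['status']);
    if (isset($r['location'])) {
        header('Location: ' . $r['location']);
        exit;
    }
    echo htmlspecialchars($r['body'], ENT_QUOTES, 'UTF-8');
}

// Constructed replay with a login() stub that always fails.
$alwaysFail = function (string $email, string $hash): bool { return false; };

// Request 1: the form submission (constructed field values).
$r1 = handle_login_request('POST', ['logemail' => 'ankush', 'p' => str_repeat('a', 128)], [], $alwaysFail);
// Request 2: the browser follows the Location header, sending only the query string.
parse_str((string) parse_url($r1['location'], PHP_URL_QUERY), $query);
$r2 = handle_login_request('GET', [], $query, $alwaysFail);

var_dump($r1, $r2);
```

Branching on the request method means the redirected GET shows a login-failed message instead of falling into the "not POSTED" branch, which is what hid the failing `login()` call in this thread.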

