Hi All
See the code given below. I have been fighting with this code for the last 5 hours to find out why isset() is evaluating the condition as false when the value is posted exactly as it should be POSTed.
If I uncomment lines no. 4, 5, 6, 7, 8 and put rest of the code from line no. 10 to 28, I can see the POSTED value.
Can anyone help with this with any guidance or suggestion? I will be thankful.
PHP Code:
<?php
include 'dbconnection.php';
include 'functions.php';
//sec_session_start();
// $email = $_POST['logemail'];
// $password = $_POST['p'];
// echo $password;
// echo $email;
// Our custom secure way of starting a php session.
} else {
// Login failed
header('Location: login.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request Data Not POSTED';
}
?>
//Please don't use this for your form processing:
if (isset($_POST['submit']))
//Internet explorer has a bug and does not always send the submit value.
Hello Tangoforce
Thank you for consideration
I used this just before isset() to test what $_POST is doing and output is -
array(0) { }
But interesting part of the code is if I remove the comment from these
// $email = $_POST['logemail'];
// $password = $_POST['p'];
// echo $password;
// echo $email;
and comment out the rest of the code, then I get what I expect from POST.
Is this page login.php? The only code we can see here indicates that you have issued a header redirect and passed it a query string of error=1, which happens to be the same as your request. If this is the case, it indicates that the POST is passed upon an initial login attempt, but the login() function itself is not returning boolean true.
Comment out that header() and try a var_dump($_POST); again.
<td>
<FORM ID="Login" ACTION="login.php" METHOD="POST">
<h1>welcome to the login page</h1>
please input the login details to create an account here<br />
<table border="2">
<tr>
<td>email :</td><td><input id="logemail" name="logemail" type="text" size="30"></td>
</tr>
<tr>
<td>password :</td><td><input id="logpass1" name="logpass1" type="password" size="20"></td>
</tr>
</table>
<input type="button" value="Login" onClick="formhash2(this.form,this.form.logpass1);">
</FORM>
<FORM ID="Register" ACTION="register.php" METHOD="POST">
<h1>welcome to the registration page</h1>
please input the registration details to create an account here<br />
<table border="2">
<tr>
<td>email :</td><td><input name="regemail" type="text" size="30"></td>
</tr>
<tr>
<td>password :</td><td><input id="regpass1" name="regpass1" type="password" size="20"></td>
</tr>
</table>
<input type="button" value="Register" onClick="formhash1(this.form,this.form.regpass1);">
</FORM>
</td>
This is the code of formhash2() and formhash1() -
Code:
// JavaScript Document csnip
function formhash2(form, password) {
    alert(form.id + " " + password.value);
    // Create a new input element; this will be our hashed password field.
    var p = document.createElement("input");
    p.name = "p";
    p.type = "hidden";
    p.value = hex_sha512(password.value);
    // Make sure the plaintext password doesn't get sent.
    password.value = "";
    // Add the new element to our form, then submit the form.
    form.appendChild(p);
    form.submit();
}
function formhash1(form, password) {
    alert(form.id + " " + password.value);
    // Create a new input element; this will be our hashed password field.
    var pl = document.createElement("input");
    pl.name = "pl";
    pl.type = "hidden";
    pl.value = hex_sha512(password.value);
    // Make sure the plaintext password doesn't get sent.
    password.value = "";
    // Add the new element to our form, then submit the form.
    form.appendChild(pl);
    form.submit();
}
and finally this is the code for login() -
PHP Code:
function login($email, $password, $mysqli) {
// Using prepared Statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, email, password, salt FROM members WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
$stmt->bind_result($user_id, $username, $db_password, $salt); // get variables from result.
printf("%s %s\n", $username, $db_password);
$stmt->fetch();
$password = hash('sha512', $password.$salt); // hash the password with the unique salt.
if($stmt->num_rows == 1) { // If the user exists
// We check if the account is locked from too many login attempts
if(checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
if($db_password == $password) { // Check if the password in the database matches the password the user submitted.
// Password is correct!
$ip_address = $_SERVER['REMOTE_ADDR']; // Get the IP address of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
$user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value
$_SESSION['user_id'] = $user_id;
$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); // XSS protection as we might print this value
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $password.$ip_address.$user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
which is in functions.php, and this file is included in the login.php file mentioned in the previous post.
If that runs with no errors, and the var_dump($_POST) produces the results as expected, then you need to debug this login() function.
Edit:
To answer your question just above here, it looks to me that your login() function hasn't been verified as working before this point. Since you force a redirection header you have no way to evaluate the $_POST as it has now become $_GET.
If you're using Firefox, try a plugin called HttpFox. This will allow you to see the request and response headers. More importantly, it will allow you to see what POST data is being sent (if any).
So that only confirms then that your call to header() (as Fou keeps saying) is being called and your script is redirecting the browser back to login.php with a fresh http request. At that point, all of your $_POST data is lost. THAT is your problem.
This is how your logic is running:
Submit form to login.php
login.php runs (with $_POST data) isset code, calls header('Location: login.php?error=1')
Browser is redirected to login.php?error=1 - No $_POST data.
$_POST is only valid for the page it is sent to. By issuing a redirect, your browser is making a completely fresh HTTP request. Because it's a request via URL and not a form submission, $_POST is gone / deleted / blackholed. This is because you issued a header() and THAT instance of the script was terminated.
//Please don't use this for your form processing:
if (isset($_POST['submit']))
//Internet explorer has a bug and does not always send the submit value.
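The two-request sequence described in the post above, written out as an added example (not code from this thread or from any poster). `handle_request()` and `members.php` are hypothetical names, and the `$login` callback stands in for the `login()` function posted earlier; the field names `logemail` and `p` are the ones from the thread's form.

```php
<?php
// Added example, not code from this thread. handle_request() and members.php
// are hypothetical names; $login stands in for the login() posted above.
declare(strict_types=1);

// Decide the response for ONE HTTP request to login.php.
// Returns ['status' => int, 'location' => ?string, 'body' => string].
function handle_request(string $method, array $post, array $get, callable $login): array
{
    if ($method !== 'POST') {
        // GET: this branch is what runs after the redirect. $post is empty
        // here because the browser started a fresh request.
        $msg = isset($get['error']) ? 'Login failed. ' : '';
        return ['status' => 200, 'location' => null, 'body' => $msg . 'Show login form'];
    }

    // Debug aid: record which fields arrived, never their values.
    error_log('login.php POST keys: ' . implode(',', array_keys($post)));

    $email = $post['logemail'] ?? null;
    $hash  = $post['p'] ?? null;
    if (!is_string($email) || !is_string($hash)) {
        // Missing fields, or arrays sent in place of strings.
        return ['status' => 400, 'location' => null,
                'body' => 'Invalid Request Data Not POSTED'];
    }

    // Success or failure, the browser is told to make a new GET request.
    $ok = $login($email, $hash) === true;
    return ['status' => 302, 'body' => '',
            'location' => $ok ? 'members.php' : 'login.php?error=1'];
}

// Constructed sample data: a login callback that always rejects.
$reject = function (string $email, string $hash): bool {
    return false;
};

// Request 1: the form submission. $_POST carries logemail and p.
$first = handle_request('POST', ['logemail' => 'user@example.com', 'p' => 'abc123'], [], $reject);
// Request 2: the browser follows the Location header with a plain GET,
// so $_POST is empty and var_dump($_POST) prints array(0) { }.
$second = handle_request('GET', [], ['error' => '1'], $reject);

printf("request 1: %d, Location: %s\n", $first['status'], $first['location']);
printf("request 2: %d, body: %s\n", $second['status'], $second['body']);
```

In login.php itself you would pass `$_SERVER['REQUEST_METHOD']`, `$_POST` and `$_GET`, send the returned status and Location with `http_response_code()` and `header()`, and call `exit` straight after.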