3 
Notice: Undefined variable: username in C:\xampp\htdocs\test_class.php
        on line 20
Notice: Undefined variable: password in C:\xampp\htdocs\test_class.php
        on line 20

I get the above error when i use this piece of code for checking down my username and password with my database. 

<?php
    class test_class {

        public function __construct() { 

        }
        public function doLogin() {

            include("connection.php");

            if (isset($_POST['username']))
                {
                $username= $_POST['username'];
                }
                if (isset($_POST['password']))
                {
                $password= $_POST['password'];
                } 

            $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
            $result = mysql_fetch_array(mysql_query($query));
            if(!$result)

            {

            return 'assa';

            }else{

            return 'assa112121212';

            }

                }
        }
?>
Improve this question
7
  • 14
    "Little Bobby Tables, we call him". ;) Commented May 26, 2009 at 12:46
  • 1
    I think those return values are awesome! Commented May 26, 2009 at 12:49
  • Never do things like this "SELECT * FROM users WHERE username = '$username' AND password = '$password'"! Commented May 26, 2009 at 12:50
  • 4
    Macbirdie is pointing out that this code is subject to SQL injection attacks. As soon as you have a user/pass in the db, try logging in with the username ' or 1=1 -- Fix this by using bound parameters in your sql query and not by appending strings. Commented May 26, 2009 at 12:52
  • wrt sql injection, this script might help: programanddesign.com/php/sql-injection-safe-queries-redux Commented Jun 30, 2009 at 23:45

6 Answers 6

Reset to default
11

This means, most likely, that your form hasn't been submitted. You should make sure that you only use the variables if they exist. Furthermore, you should never ever use the input from users without validating it. Try the following, for example:

if (isset($_POST['username']) && isset($_POST['password']))
{
    $username= $_POST['username'];
    $password= $_POST['password'];
    $query = "SELECT *
                      FROM users
                      WHERE username = '".mysql_real_escape_string($username)."'
                      AND password = '".mysql_real_escape_string($password)."'";
    $result = mysql_fetch_array(mysql_query($query));
    # ...
}
else
{
    return NULL;
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

He fixed the problem and brought some extra security issues to his attention. Whoever assassinated this post should be banned for having such a stupid opinion on it.
10

This is just a notice that the variables are being referenced in the query without being in scope.

Define $username and $password at the top of doLogin() and initialized them to Null or similar. Then check for them later.

You also seem to be executing the query regardless of $username and $password being set. You should do something more like:

if( isset($_POST['username']) && isset($_POST['password'])){
     //create vars, do query
}else{
     // Nothing to process
}

Both errors occur on line 20, which I assume is the query string interpolation. The issues here are:

  1. inconsistent scope/referencing (which sucks in PHP anyway)
  2. Your ifs need to be a bit more orderly. This error is small, but worse ones will bite you in the bum later if you handle variables like this :)

Also: escape your variables before dumping them like hot coals into your SQL see PDO (which I would go for) or mysql_escape_string()

good luck!

Improve this answer

2 Comments

@Mike: A salt is used when hashing a password, which isnt mentioned in the question. Good answer though +1
@Sam152, Thanks :) Also, I now have 1,234 points which is cool.
3

One more happy class and bug free :)

<?php
class test_class
{
    private $post = array();
    public function __construct ()
    {
    }
    public function doLogin ()
    {
        $this->post = $_POST;
        include ("connection.php");
        if ($this->post['username'] && $this->post['password']) {
            $username = $this->post['username'];
            $password = $this->post['password'];
            $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
            $result = mysql_fetch_array(mysql_query($query));
            if (! $result) {
                return 'assa';
            } else {
                return 'assa112121212';
            }
        }
    }
}
?>
Improve this answer

Comments

1 
<?php
class test_class {

    public function doLogin() {
        include("connection.php");

        if (isset($_POST['username']) && isset($_POST['password']) {
            $username = $_POST['username'];
            $password = $_POST['password'];

            $query = "SELECT * ".
                     "FROM users " .
                     "WHERE username = '$username' ".
                     "  AND password = '$password'";
            $result = mysql_fetch_array(mysql_query($query));
            if(!$result) {
               return 'assa';
            } else {
               return 'assa112121212';
            }
        } else {
            echo "Missing parameter 'username' and/or 'password'";
        }
    }
}

Also, you should escape $username and $password to avoid sql injection attacks.

Improve this answer

Comments

1

You are also checking the database whether or not a username and password are supplied.

Perhaps something like this;

public function doLogin() {

    include("connection.php");
    $username = (isset($_POST['username'])) ? $_POST['username'] : NULL ;
    $password = (isset($_POST['password'])) ? $_POST['password'] : NULL ;
        if ( $username !== NULL && $password !== NULL )  {
                    $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
                    $result = mysql_fetch_array(mysql_query($query));
            /* auth code here */

        } else {
        return false; // no u/p provided    
    }

    }

You should also be escaping your inputs before putting them anywhere near your database, either by using mysql_real_escape_string or PDO (PHP Data Objects)

Improve this answer

Comments

-1

You're going to want to use error_reporting(E_ALL ^ E_NOTICE); from the page Sam linked to. Notices are really unnecessary, and are like using WALL and WERROR flags with gcc.

Improve this answer

2 Comments

-Wall and E_NOTICE are very necessary. They warn you when you are being a moron, which can potentially lead to an hour over a hot debugger :) for a bit of extra output, for me, it is worth it.
but in this case, E_NOTICE completely stops something from working when really it shouldn't. at least a program with -Wall complaining.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.