I am trying to relearn some PHP basics for making a simple login script, however I get an error I have not received before(I made the same script a little over a year ago and never had this error. I simplified the code as much as I could to test to see which area was problematic and here is the issue:
<?php
$user = $_POST["username"];
if($user != null)
{
echo $user;
echo " is your username";
}
else
{
echo "no username supplied";
}
?>
Now this code works fine when I send a variable to the script, but when no variable is supplied it spits out an error. In theory this will be fine because if no username/pass is supplied then an error is expected. I will be checking to make sure of this before the code is send to the script, however I fear that somehow a blank string may leak through and spit out some unknown error. Here is the error I get:
( ! ) Notice: Undefined index: username in C:\wamp\www\verify_login.php on line 2
Call Stack
Time Memory Function Location
1 0.0003 668576 {main}( ) ..\verify_login.php:0
no username supplied
as you can see the code registers that no variable was supplied, but it gives out and error that I assume means that a variable was not found were one was expected or something like that. Can someone please clarify this for me?
This question is related to
php
login
undefined-index
Prior to PHP 5.2.0 and above you should use filter_input() which is especially created for that to get a specific external user inputs such as get, post or cookie variables by name and optionally filters it to avoid any XSS/Injection attacks on your site. For example:
$user = filter_input(INPUT_POST, 'username');
You may use one of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV.
By using optional 3rd argument, you can extend it by variety of filters (for validating, sanitizing, filtering or other), e.g. FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_ENCODED, etc.
For example:
<?php
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>
The syntax is:
mixed
filter_input( int $type , string $variable_name [, int $filter = FILTER_DEFAULT [, mixed $options ]] )(PHP 5 >= 5.2.0, PHP 7)
See also: Why is better to use filter_input()?
Instead of isset() you can use something shorter getting errors muted, it is @$_POST['field']. Then, if the field is not set, you'll get no error printed on a page.
Use:
if (isset($_POST['user'])) {
//do something
}
But you probably should be using some more proper validation. Try a simple regex or a rock-solid implementation from Zend Framework or Symfony.
http://framework.zend.com/manual/en/zend.validate.introduction.html
http://symfony.com/doc/current/book/validation.html
Or even the built-in filter extension:
http://php.net/manual/en/function.filter-var.php
Never trust user input, be smart. Don't trust anything. Always make sure what you receive is really what you expect. If it should be a number, make SURE it's a number.
Much improved code:
$user = filter_var($_POST['user'], FILTER_SANITIZE_STRING);
$isValid = filter_var($user, FILTER_VALIDATE_REGEXP, array('options' => array('regexp' => "/^[a-zA-Z0-9]+$/")));
if ($isValid) {
// do something
}
Sanitization and validation.
Your code assumes the existence of something:
$user = $_POST["username"];
PHP is letting you know that there is no "username" in the $_POST array. In this instance, you would be safer checking to see if the value isset() before attempting to access it:
if ( isset( $_POST["username"] ) ) {
/* ... proceed ... */
}
Alternatively, you could hi-jack the || operator to assign a default:
$user = $_POST["username"] || "visitor" ;
As long as the user's name isn't a falsy value, you can consider this method pretty reliable. A much safer route to default-assignment would be to use the ternary operator:
$user = isset( $_POST["username"] ) ? $_POST["username"] : "visitor" ;
Try this:
I use this everywhere where there is a $_POST request.
$username=isset($_POST['username']) ? $_POST['username'] : "";
This is just a short hand boolean, if isset it will set it to $_POST['username'], if not then it will set it to an empty string.
Usage example:
if($username===""){ echo "Field is blank" } else { echo "Success" };
When you say:
$user = $_POST["username"];
You're asking the PHP interpreter to assign $user the value of the $_POST array that has a key (or index) of username. If it doesn't exist, PHP throws a fit.
Use isset($_POST['user']) to check for the existence of that variable:
if (isset($_POST['user'])) {
$user = $_POST["username"];
...
try
if(isset($_POST['username']))
echo $_POST['username']." is your username";
else
echo "no username supplied";
I know that this is old post but someone can help:
function POST($index, $default=NULL){
if(isset($_POST[$index]))
{
if(!empty(trim($_POST[$index])))
return $_POST[$index];
}
return $default;
}
This code above are my basic POST function what I use anywhere. Here you can put filters, regular expressions, etc. Is faster and clean. My advanced POST function is more complicate to accept and check arrays, string type, default values etc. Let's your imagination work here.
You easy can check username like this:
$username = POST("username");
if($username!==null){
echo "{$username} is in the house.";
}
Also I added $default string that you can define some default value if POST is not active or content not exists.
echo "<h1>".POST("title", "Stack Overflow")."</h1>";
Play with it.
Related question: What is the best way to access unknown array elements without generating PHP notice?
Using the answer from the question above, you can safely get a value from $_POST without generating PHP notice if the key does not exists.
echo _arr($_POST, 'username', 'no username supplied');
// will print $_POST['username'] or 'no username supplied'
Source: Stackoverflow.com