PHP undefined variable error

Associate
Joined
11 Oct 2008
Posts
268
Hello everyone. Please could someone shed some light onto why I am getting this undefined variable error. Thanks for any tips :)

I have cobbled together a login script using the new php hashing and verify functions.

I am getting this error:
PHP:
Undefined variable: db_password in C:\wamp\www\login\index.php on line 207

Line 207 is the following:
PHP:
if(password_verify($password, $db_password)) {

And here is the full code:

PHP:
    $username = '';
    if(isset($_POST['username']))
    $username = htmlentities($_POST['username']);

    $password = '';
    if(isset($_POST['password']))
    $password = $_POST['password'];    

	$sql = "SELECT * FROM login WHERE username=?"; 
	$get = $connect->prepare($sql);
	$get->execute(array($username)); 
	
	if($get->rowCount() === 1)
	{
		$row = $get->fetch(PDO::FETCH_ASSOC); // Fetch the result
		
		$db_username = $row['username'];
		$db_password = $row['password']; 

	}  

	if(password_verify($password, $db_password)) { 
 
	$_SESSION['username'] = $db_username;
      
	$sql = "UPDATE login SET last_login=?, ip=? WHERE username=?";
	$statement = $connect->prepare($sql);
	$statement->execute(array($dt,$ip,$username)); 
	
	}
 
Associate
OP
Joined
11 Oct 2008
Posts
268
ah ok. thanks.

I have removed if($get->rowCount() === 1) and it seems to be working now.

Is it okay that I have removed that? Was it doing anything important?

If I echo the row count it's coming up 0 but there is a row in the table, and the login works. Just spits out the error.
 
Soldato
Joined
4 Nov 2006
Posts
2,944
Location
London
ah ok. thanks.

I have removed if($get->rowCount() === 1) and it seems to be working now.

Is it okay that I have removed that? Was it doing anything important?

If I echo the row count it's coming up 0 but there is a row in the table, and the login works. Just spits out the error.

You shouldn't remove it; it was there to check if the username exists. Just declare the variable $db_password = null; at the start of the script (do the same for $db_username). That way, if rowCount() isn't 1, it will still exist as a variable and won't throw up an error.
 
Associate
OP
Joined
11 Oct 2008
Posts
268
okay I put it back in.

But if the rowcount is 0, is it actually worth putting back in? Is it doing anything?

From what I have read, it only returns a row number if I do something that affects the table, so only checking the posted username against the database one shouldn't return anything?
 
Soldato
Joined
4 Nov 2006
Posts
2,944
Location
London
from what I see, it's checking if the username exists before it even checks if the password is correct.

whatever username you're running it against isn't bringing back any rows from the table.

I'm guessing you didn't write the code but you're just using it in your script?

Either way the error you were getting was because the variables $db_username and $db_password were uninitialized due to rowCount() being 0

If you look at the top part of your code where it initializes $username and $password = ''; then you can see the same thing has been done for those variables.
 

fez

Caporegime
Joined
22 Aug 2008
Posts
25,798
Location
Tunbridge Wells
Just move the final if statement block inside the one that checks if a user was found in the database for the given username.


PHP:
    $username = '';
    if(isset($_POST['username']))
    $username = htmlentities($_POST['username']);

    $password = '';
    if(isset($_POST['password']))
    $password = $_POST['password'];    

	$sql = "SELECT * FROM login WHERE username=?"; 
	$get = $connect->prepare($sql);
	$get->execute(array($username)); 
	
	if($get->rowCount() === 1)
	{
		$row = $get->fetch(PDO::FETCH_ASSOC); // Fetch the result
		
		$db_username = $row['username'];
		$db_password = $row['password']; 

            if(password_verify($password, $db_password)) { 
 
	        $_SESSION['username'] = $db_username;
      
	        $sql = "UPDATE login SET last_login=?, ip=? WHERE username=?";
	        $statement = $connect->prepare($sql);
	        $statement->execute(array($dt,$ip,$username)); 
	
	    }

	}

Ignore the **** indentation
 
Soldato
Joined
3 Jun 2005
Posts
3,117
Location
The South
Do as above, Fez's solution, however you should be catching the errors (and scrubbing sessions) on both no user existing (first IF condition) and when the user exists but the password doesn't match (second IF condition).


okay I put it back in.
From what I have read, it only returns a row number if I do something that affects the table...

It returns the number of rows based on the query (it's worth limiting the returned results, ie - use LIMIT 1 in the query).

So in this case, if the input username exists in the table then it'll return a value greater than zero (unless you allow multiple users with same username, then it'll return '1'); if not then zero.
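
Added example, not code from any poster in this thread: the login check with both failure paths (no such user, wrong password) handled in one place, keyed on the result of fetch() rather than rowCount(), which PDO does not guarantee for SELECT on every driver. The function name attempt_login, the in-memory SQLite table and the user "alice" are constructed for illustration; the username is passed to the query unmodified, on the assumption that HTML escaping is done at output time.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the thread's `login` table.
declare(strict_types=1);

function attempt_login(PDO $db, string $username, string $password): bool
{
    // Fetch at most one row and decide on what fetch() returns.
    // fetch() yields false when no row matched, on every PDO driver.
    $stmt = $db->prepare('SELECT username, password FROM login WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both failure
    // paths do comparable work and produce the same result.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $row === false ? $dummy : $row['password'];

    if (!password_verify($password, $hash) || $row === false) {
        unset($_SESSION['username']);   // scrub any stale login state
        return false;
    }

    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);    // fresh session id after authentication
    }
    $_SESSION['username'] = $row['username'];

    $upd = $db->prepare('UPDATE login SET last_login = ?, ip = ? WHERE username = ?');
    $upd->execute([date('c'), $_SERVER['REMOTE_ADDR'] ?? 'cli', $row['username']]);
    return true;
}

// Constructed demo data (not from the thread).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT, last_login TEXT, ip TEXT)');
$db->prepare('INSERT INTO login (username, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$_SESSION = [];
var_dump(attempt_login($db, 'alice', 'correct horse')); // existing user, right password
var_dump(attempt_login($db, 'alice', 'wrong'));         // existing user, wrong password
var_dump(attempt_login($db, 'nobody', 'whatever'));     // no such user, no warning raised
```

Because $hash is always assigned before password_verify() runs, the "Undefined variable" notice from the original script cannot occur, and the caller sees the same false result for either kind of failure.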
 