Click here to Skip to main content
14,766,261 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
I've been trying to make a login page with 000webhost, and this error keeps popping up, and i know there are tons of these king of questions everywhere but i still cant fix it

this is the error

Notice: Undefined index: active in /storage/ssd1/326/5052326/public_html/login.php on line 14

Warning: Cannot modify header information - headers already sent by (output started at /storage/ssd1/326/5052326/public_html/login.php:14) in /storage/ssd1/326/5052326/public_html/login.php on line 23

and this is the code

      // username and password sent from form 
    if($_SERVER["REQUEST_METHOD"] == "POST") {
      $myusername = mysqli_real_escape_string($db,$_POST['username']);
      $mypassword = mysqli_real_escape_string($db,$_POST['password']); 
      $sql = "SELECT * FROM admin WHERE username = '$myusername' and password = '$mypassword'";
      $result = mysqli_query($db, $sql);
      $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
      $active = $row['active'];
      $count = mysqli_num_rows($result);
      // If result matched $myusername and $mypassword, table row must be 1 row
      if($count == 1) {
         $_SESSION['login_user'] = $myusername;
         header("location: welcome.php");
      }else {
         $error = "Your Login Name or Password is invalid";

What I have tried:

even my teacher couldnt fix it
Updated 13-Mar-18 3:27am
Richard Deeming 13-Mar-18 10:09am
In addition to the SQL Injection vulnerability mentioned in the solutions, you're also storing passwords in plain text.

I understand that this is just a school project, and not something that's going to be used in real life. But I hope your teacher will explain why storing passwords like that is a terrible idea. :)

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

Line 14 is
$active = $row['active'];
The most probable reason for the error is that your SQL table does not contain a column named "active".

You should also check if the query was successful (see the example code at PHP: mysqli::query - Manual[^] ) and rows are returned (calling mysqli_num_rows() before fetching). Otherwise accessing $result and $row will fail too.

Finally I hope that your teacher will tell you soon about SQL injection - Wikipedia[^].
Member 13723570 13-Mar-18 7:07am
thank you! We weren't told that it should be a column in a table, so I was confused by it, but I added an ID to our table, and changed active to ID instead and it worked! Thank you so much!
Jochen Arndt 13-Mar-18 7:34am
You are welcome and thank you for accepting my solution.
In case username or password is wrong, the query return nothing, you have to check if a row was returned or not before trying to read it.

$sql = "SELECT * FROM admin WHERE username = '$myusername' and password = '$mypassword'";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900