I am trying to create my test login plugin here with the following code, which isn't giving me any error but doesn't want to work. I am a beginner; can somebody help point me in the right direction here? Thanks

```php
<?php
/**
 * Plugin Name: LD Login Form
 * Plugin URI: https://testsite.co.za
 * Description: Empire Investment Login Form
 * Version: 1.0
 * Author: Luthando
 * Author URI: https://testsite.co.za
 */
function luecustom_form() {
?>
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post" style="color: #fff">
    <div class="form-group">
        <label for="email">Email address:</label>
        <input name="email" type="email" class="form-control" id="email">
    </div>
    <div class="form-group">
        <label for="pwd">Password:</label>
        <input name="pass" type="password" class="form-control" id="pwd">
    </div>
    <div class="form-group form-check">
        <label class="form-check-label">
        <a style="color: #08a873" href="#"> Forgot Password? </a> </label>
    </div>
    <input style="background: #08a873; margin-top: 5px; width: 100%" type="submit" class="btn btn-primary btn-lg active" role="button" aria-pressed="true" value="Login"/>
    <div class="alert alert-danger" role="alert">
        <?php echo $errMessage; ?>
    </div>
</form>
<?php
}
add_shortcode('luthandoLog', 'luecustom_form');

$errMessage = "";
if(isset($_POST['submit'])) {
    global $wpdb;
    $errMessage = "";
    $email = $_POST['email'];
    $pass = $_POST['pass'];
    $check = $wpdb->get_col("SELECT email.users , pass.users FROM users WHERE email.users = $email && pass.users = $pass");
    if($check->num_rows == 1){
        header("Location: https://dhetcodesigns.000webhostapp/?page_id=5");
        exit;
    }else{
        $errMessage = "Incorrect username/password";
    }
}
?>
```
asked Oct 19, 2019 at 5:44
Luthando Dlamini
- This cannot work. Password in db is hashed. Use wp_signon() function. – KAGG Design Commented Oct 19, 2019 at 6:14
1 Answer
You have a number of problems that have to be corrected for this to work.
- Shortcodes should return content - not echo/print it to the screen.
- You should sanitize your retrieved $_POST values before use.
- You can't query the db for a plain text password. Passwords are hashed.
- Don't do your form processing outside of a function. Set up a function for it and hook that function to something like `init`.
- Your "error" message `$errMessage` is defined outside of your shortcode function so its value is unavailable inside the function unless declared as a global.
- Don't close your file with a closing PHP delimiter ('?>'). It can cause problems if you get unintended whitespace after it.
- Don't simply check if `$_POST['submit']` is set. Check its value as well. Otherwise, you're running your check for any submit button.
The following is your code addressing each of the items mentioned above:
```php
<?php
/**
 * Plugin Name: LD Login Form
 * Plugin URI: https://testsite.co.za
 * Description: Empire Investment Login Form
 * Version: 1.0
 * Author: Luthando
 * Author URI: https://testsite.co.za
 */

// Hooks, etc.
add_action( 'init', 'luecustom_form_process' );
add_shortcode( 'luthandoLog', 'luecustom_form' );

function luecustom_form( $atts, $content, $tag ) {

    // Make sure you pick up the global $errMessage
    global $errMessage;

    // Don't echo/print your HTML in a shortcode.
    // Instead put your HTML into $content to return at the end.
    // The request URI is user-controlled, so escape it before output.
    // The submit button needs name="submit", otherwise $_POST['submit'] is never sent.
    $content = '<form action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '" method="post" style="color: #fff">
        <div class="form-group">
            <label for="email">Email address:</label>
            <input name="email" type="email" class="form-control" id="email">
        </div>
        <div class="form-group">
            <label for="pwd">Password:</label>
            <input name="pass" type="password" class="form-control" id="pwd">
        </div>
        <div class="form-group form-check">
            <label class="form-check-label">
            <a style="color: #08a873" href="#"> Forgot Password? </a> </label>
        </div>
        <input name="submit" style="background: #08a873; margin-top: 5px; width: 100%" type="submit" class="btn btn-primary btn-lg active" role="button" aria-pressed="true" value="Login" />
        <div class="alert alert-danger" role="alert">' . esc_html( $errMessage ) . '</div>
    </form>';

    return $content;
}

function luecustom_form_process() {

    /*
     * You don't need $wpdb because you don't need to query the db directly
     * You DO need to globalize $errMessage so it can be used in your shortcode.
     * Do this before the "if" so that you have a defined variable
     * regardless of whether post is submitted or not. Otherwise
     * you may get an undefined variable notice in the shortcode result.
     */
    global $errMessage;
    $errMessage = "";

    if ( isset( $_POST['submit'] ) && 'Login' == $_POST['submit'] ) {

        // Sanitize email
        $email = isset( $_POST['email'] ) ? sanitize_email( $_POST['email'] ) : '';

        // Don't sanitize password because it may contain characters that would be removed.
        // It's going to be hashed for comparison anyway.
        $pass = isset( $_POST['pass'] ) ? $_POST['pass'] : '';

        // Get the user by their email address (returns false if there is no such user)
        $user = get_user_by( 'email', $email );

        // Check if the posted password is the same as the user's hashed password.
        // Guard against $user being false before reading $user->user_pass.
        $validate_pass = $user && wp_check_password( $pass, $user->user_pass );

        // If the user validates (wp_check_password() returns true), then...
        if ( $validate_pass ) {
            header("Location: https://dhetcodesigns.000webhostapp/?page_id=5");
            exit;
        } else {
            $errMessage = "Incorrect username/password";
        }
    }
}
```
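The comment on the question suggests `wp_signon()`. As an added example (not part of the original answer), here is the same form built on it, so that a successful password check also sets WordPress's authentication cookies rather than only redirecting. The names `ld_login_process`, `ld_login_form`, `ld_login` and `$ld_login_error` are hypothetical, and logging in by email address assumes WordPress 4.5 or later.

```php
<?php
// Added example: names prefixed ld_ are hypothetical, not from the page.
add_action( 'init', 'ld_login_process' );
add_shortcode( 'luthandoLog', 'ld_login_form' );

function ld_login_process() {
    global $ld_login_error;
    $ld_login_error = '';

    // Only handle submissions that came from this form's own button.
    if ( ! isset( $_POST['ld_login'] ) || 'Login' !== $_POST['ld_login'] ) {
        return;
    }

    $creds = array(
        // An email address is accepted as the login name (assumes WP 4.5+).
        'user_login'    => isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '',
        // Not sanitized: handed over as received, the way core reads its own login form.
        'user_password' => isset( $_POST['pass'] ) ? $_POST['pass'] : '',
        'remember'      => false,
    );

    // Verifies the password hash and, on success, sets the auth cookies.
    $user = wp_signon( $creds );

    if ( is_wp_error( $user ) ) {
        // One generic message, so the form does not reveal which emails are registered.
        $ld_login_error = 'Incorrect username/password';
        return;
    }

    // Same-site redirect only; page_id=5 is the target used in the question.
    wp_safe_redirect( home_url( '/?page_id=5' ) );
    exit;
}

function ld_login_form() {
    global $ld_login_error;

    // REQUEST_URI is user-controlled, so it is escaped before being echoed back.
    $html  = '<form action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '" method="post">';
    $html .= '<label for="email">Email address:</label>';
    $html .= '<input name="email" type="email" id="email" required>';
    $html .= '<label for="pwd">Password:</label>';
    $html .= '<input name="pass" type="password" id="pwd" required>';
    $html .= '<input name="ld_login" type="submit" value="Login">';
    if ( ! empty( $ld_login_error ) ) {
        $html .= '<div class="alert alert-danger" role="alert">' . esc_html( $ld_login_error ) . '</div>';
    }
    return $html . '</form>';
}
```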