You have a number of problems that have to be corrected for this to work.
- Shortcodes should return content, not echo/print it to the screen.
- You should sanitize your retrieved `$_POST` values before use.
- You can't query the db for a plain text password. Passwords are hashed.
- Don't do your form processing outside of a function. Set up a function for it and hook that function to something like `init`.
- Your "error" message `$errMessage` is defined outside of your shortcode function so its value is unavailable inside the function unless declared as a global.
- Don't close your file with a closing PHP delimiter (`?>`). It can cause problems if you get unintended whitespace after it.
- Don't simply check if `$_POST['submit']` is set. Check its value as well. Otherwise, you're running your check for any submit button.
The following is your code addressing each of the items mentioned above:
```php
<?php
/**
 * Plugin Name: LD Login Form
 * Plugin URI: https://testsite.co.za
 * Description: Empire Investment Login Form
 * Version: 1.0
 * Author: Luthando
 * Author URI: https://testsite.co.za
 */

// Hooks, etc.
add_action( 'init', 'luecustom_form_process' );
add_shortcode( 'luthandoLog', 'luecustom_form' );

function luecustom_form( $atts, $content, $tag ) {
    // Make sure you pick up the global $errMessage
    global $errMessage;

    // Don't echo/print your HTML in a shortcode.
    // Instead put your HTML into $content to return at the end.
    // REQUEST_URI is user-controlled, so escape it before placing it in an attribute.
    // The submit button needs name="submit", otherwise $_POST['submit'] is never sent.
    $content = '<form action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '" method="post" style="color: #fff">
        <div class="form-group">
            <label for="email">Email address:</label>
            <input name="email" type="email" class="form-control" id="email">
        </div>
        <div class="form-group">
            <label for="pwd">Password:</label>
            <input name="pass" type="password" class="form-control" id="pwd">
        </div>
        <div class="form-group form-check">
            <label class="form-check-label">
                <a style="color: #08a873" href="#"> Forgot Password? </a>
            </label>
        </div>
        <input name="submit" style="background: #08a873; margin-top: 5px; width: 100%" type="submit" class="btn btn-primary btn-lg active" role="button" aria-pressed="true" value="Login" />
        <div class="alert alert-danger" role="alert">' . esc_html( $errMessage ) . '</div>
    </form>';

    return $content;
}

function luecustom_form_process() {
    /*
     * You don't need $wpdb because you don't need to query the db directly.
     * You DO need to globalize $errMessage so it can be used in your shortcode.
     * Do this before the "if" so that you have a defined variable
     * regardless of whether post is submitted or not. Otherwise
     * you may get an undefined variable notice in the shortcode result.
     */
    global $errMessage;
    $errMessage = "";

    if ( isset( $_POST['submit'] ) && 'Login' == $_POST['submit'] ) {
        // Sanitize email
        $email = sanitize_email( $_POST['email'] );

        // Don't sanitize password because it may contain characters that would be removed.
        // It's going to be hashed for comparison anyway.
        $pass = $_POST['pass'];

        // Get the user by their email address (false if no such user exists).
        $user = get_user_by( 'email', $email );

        // Check if the posted password matches the user's hashed password.
        // Guard against $user being false so ->user_pass is never read on a non-object.
        $validate_pass = $user && wp_check_password( $pass, $user->user_pass, $user->ID );

        // If the user validates (wp_check_password() returns true), then...
        if ( $validate_pass ) {
            header( "Location: https://dhetcodesigns.000webhostapp.com/?page_id=5" );
            exit;
        } else {
            $errMessage = "Incorrect username/password";
        }
    }
}
```
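As an added example (not part of the answer above or the asker's plugin), the same init-hooked processing with two hardening steps: a nonce check so only forms rendered by this site are accepted, and `wp_signon()`, which checks the password against the stored hash and also sets the auth cookie, so the redirect lands on a logged-in session. The `ldx_` names are hypothetical, and the error text is kept in a static variable instead of a global.

```php
<?php
// Hypothetical ldx_ prefix; added example, not the answer's code.
add_action( 'init', 'ldx_login_process' );
add_shortcode( 'ldx_login', 'ldx_login_form' );

// Error text shared between the two functions without a global.
function ldx_login_error( $set = null ) {
    static $message = '';
    if ( null !== $set ) {
        $message = $set;
    }
    return $message;
}

function ldx_login_process() {
    // Our form only: check the hidden field's value, not just that something was posted.
    if ( ! isset( $_POST['ldx_action'] ) || 'login' !== $_POST['ldx_action'] ) {
        return;
    }
    // CSRF check: the nonce must have been issued by ldx_login_form() on this site.
    if ( ! isset( $_POST['ldx_nonce'] ) || ! wp_verify_nonce( $_POST['ldx_nonce'], 'ldx_login' ) ) {
        ldx_login_error( 'Invalid request, please reload the form.' );
        return;
    }
    // wp_signon() compares the password with the stored hash AND sets the auth cookie.
    $user = wp_signon( array(
        'user_login'    => sanitize_email( wp_unslash( $_POST['email'] ) ),
        'user_password' => wp_unslash( $_POST['pass'] ), // not sanitized, only compared to the hash
        'remember'      => false,
    ) );
    if ( is_wp_error( $user ) ) {
        ldx_login_error( 'Incorrect username/password' ); // same text whether user or password is wrong
        return;
    }
    wp_safe_redirect( home_url( '/' ) ); // refuses off-site redirect targets
    exit;
}

function ldx_login_form() {
    $error = ldx_login_error();
    return '<form method="post" action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '">'
        . wp_nonce_field( 'ldx_login', 'ldx_nonce', true, false ) // echo=false: return the field
        . '<input type="hidden" name="ldx_action" value="login">'
        . '<input name="email" type="email" required> <input name="pass" type="password" required>'
        . '<button type="submit">Login</button>'
        . ( $error ? '<div class="alert alert-danger" role="alert">' . esc_html( $error ) . '</div>' : '' )
        . '</form>';
}
```

Logging in by email address through `wp_signon()` relies on WordPress's built-in email authentication (available since 4.5); the shortcode is `[ldx_login]`.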