1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Undefined variable error in array

Discussion in 'PHP' started by Perantine, Apr 26, 2021.

0
  1. #1
    I have a collection of check boxes all with the name c[] but different values. From php8 the code below works but gives me an 'Undefined variable $sql_c’ warning (perhaps this error was just suppressed in earlier versions?). I was given the code years back and have now updated it with numerous 'if isset()' functions, but if I do that to the $sql_c function, I get no results. Any help would be appreciated.

    if (isset($_POST['submit']) && isset($_POST['c'])) {
   
$sql="stuno,fname,lname";

if(isset($_POST['c']) && $_POST['c']=="") {$c = array(); }

foreach ($_POST['c'] as $cID) {

$sql_c .= ",".$cID; << "Undefined variable $sql_c" warning

if (isset($numCat)) {$numCat = $numCat + 1;}

}

$sql = $sql . $sql_c;        

$sql="SELECT"." ".$sql." "."FROM records ORDER BY fname";

$result=@mysqli_query($dbcnx, $sql);
    PHP:

     
    Perantine, Apr 26, 2021 IP
  2. hdewantara

    hdewantara Well-Known Member

    Messages:
    536
    Likes Received:
    47
    Best Answers:
    25
    Trophy Points:
    155
    #2
    Maybe this line:
    or equally:
    
$sql_c = $sql_c . "," . $cID;
    PHP:
    requests your machine to assume the 1st $sql_c value is empty string... or probably something else? The warning tries to tell you this. So I guess this var is better initialized before the foreach() loop:
    
$sql_c = '';
    Code (markup):
     
    hdewantara, Apr 26, 2021 IP
  3. SpacePhoenix

    SpacePhoenix Well-Known Member

    Messages:
    196
    Likes Received:
    28
    Best Answers:
    2
    Trophy Points:
    155
    #3
    Be aware that the code that you posted is vulnerable to SQL Injection attacks
     
    SpacePhoenix, Apr 26, 2021 IP
  4. sarahk

    sarahk iTamer Staff

    Messages:
    28,500
    Likes Received:
    4,460
    Best Answers:
    123
    Trophy Points:
    665
    #4
    something like this will be more secure, easier to maintain, and less prone to SQL injection

    <?php
$submit = filter_input(INPUT_POST, 'submit');
$c = filter_input(INPUT_POST, 'c');

if ($submit && $c) {
    $columns =['stuno','fname','lname'];
    if ($c){
        foreach ($c as $cID) {
            $columns[] = $cID; 
            if (isset($numCat)) {$numCat = $numCat + 1;}
        }
    }
    $sql="SELECT ".implode(',',$columns) . " FROM `records` ORDER BY `fname`";
    // don't use @ for error suppression. 
    $result = mysqli_query($dbcnx, $sql);
}
    PHP:
     
    sarahk, Apr 26, 2021 IP
  5. JEET

    JEET Notable Member

    Messages:
    3,825
    Likes Received:
    502
    Best Answers:
    19
    Trophy Points:
    265
    #5
    Change this line:
    if(isset($_POST['c']) && $_POST['c']=="") {$c = array(); }

    Do this:

    $sql_c="";
    if( isset($_POST['c']) ){
    //your rest of code

    }//check ends

    The error is coming because you are adding to a variable which is not previously defined.
    The ".=" is PHP's way to add two strings.
     
    JEET, Apr 27, 2021 IP
  6. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #6
    1) do NOT suppress errors with the @ sign. EVER!

    2) filter_input doesn't work on arrays.

    3) You shouldn't be blindly plugging variables into your query strings. That you're choosing what fields based on user input is... sketchy. Unless you're building your own PHPMyAdmin tool, this is NOT good practice. In particular I'd be running a query to verify that the user input values are in fact in the table in the first place before even thinking about adding them to the query.

    4) not sure why you'd be checking the submit button.

    
<?php

if (
	!array_key_exists('c', $_POST) ||
	!is_array($_POST['c'])
) echo 'Form Submit Failed, invalid or missing values'
	
else {

	if (array_diff( $_POST['c'], [
		 // approval list
		'sanfu', 'fubar', 'tarfu', 'bohica'
	])) echo '
			<p>
				Possible hacking attempt detected, fields posted to not match those approved for access.
			<p>';
			
	else {

		if (isset($numCat)) $numCat += count($_POST['c']);
	
		$result = $dbcnx->query('
			SELECT stuno, fname, lname, ' . implode(', ', $_POST['c']) . '
			FROM records
			ORDER BY fname
		');
		
		// process $result here
		
	}

}
    Code (markup):
    By making a list of approved values you can reject hacking attempts (people bullshitting $_POST values) and not even need to sanitize anything. With those three fields always present, there is no reason for them to be in your form client-side.

    NEVER blindly trust the contents of a request array. Whenever possible check them against a list of valid values.
     
    deathshadow, May 6, 2021 IP