I have a collection of check boxes all with the name c[] but different values. From php8 the code below works but gives me an 'Undefined variable $sql_c’ warning (perhaps this error was just suppressed in earlier versions?). I was given the code years back and have now updated it with numerous 'if isset()' functions, but if I do that to the $sql_c function, I get no results. Any help would be appreciated. if (isset($_POST['submit']) && isset($_POST['c'])) { $sql="stuno,fname,lname"; if(isset($_POST['c']) && $_POST['c']=="") {$c = array(); } foreach ($_POST['c'] as $cID) { $sql_c .= ",".$cID; << "Undefined variable $sql_c" warning if (isset($numCat)) {$numCat = $numCat + 1;} } $sql = $sql . $sql_c; $sql="SELECT"." ".$sql." "."FROM records ORDER BY fname"; $result=@mysqli_query($dbcnx, $sql); PHP:
Maybe this line: or equally: $sql_c = $sql_c . "," . $cID; PHP: requests your machine to assume the 1st $sql_c value is empty string... or probably something else? The warning tries to tell you this. So I guess this var is better initialized before the foreach() loop: $sql_c = ''; Code (markup):
something like this will be more secure, easier to maintain, and less prone to SQL injection <?php $submit = filter_input(INPUT_POST, 'submit'); $c = filter_input(INPUT_POST, 'c'); if ($submit && $c) { $columns =['stuno','fname','lname']; if ($c){ foreach ($c as $cID) { $columns[] = $cID; if (isset($numCat)) {$numCat = $numCat + 1;} } } $sql="SELECT ".implode(',',$columns) . " FROM `records` ORDER BY `fname`"; // don't use @ for error suppression. $result = mysqli_query($dbcnx, $sql); } PHP:
Change this line: if(isset($_POST['c']) && $_POST['c']=="") {$c = array(); } Do this: $sql_c=""; if( isset($_POST['c']) ){ //your rest of code }//check ends The error is coming because you are adding to a variable which is not previously defined. The ".=" is PHP's way to add two strings.
1) do NOT suppress errors with the @ sign. EVER! 2) filter_input doesn't work on arrays. 3) You shouldn't be blindly plugging variables into your query strings. That you're choosing what fields based on user input is... sketchy. Unless you're building your own PHPMyAdmin tool, this is NOT good practice. In particular I'd be running a query to verify that the user input values are in fact in the table in the first place before even thinking about adding them to the query. 4) not sure why you'd be checking the submit button. <?php if ( !array_key_exists('c', $_POST) || !is_array($_POST['c']) ) echo 'Form Submit Failed, invalid or missing values' else { if (array_diff( $_POST['c'], [ // approval list 'sanfu', 'fubar', 'tarfu', 'bohica' ])) echo ' <p> Possible hacking attempt detected, fields posted to not match those approved for access. <p>'; else { if (isset($numCat)) $numCat += count($_POST['c']); $result = $dbcnx->query(' SELECT stuno, fname, lname, ' . implode(', ', $_POST['c']) . ' FROM records ORDER BY fname '); // process $result here } } Code (markup): By making a list of approved values you can reject hacking attempts (people bullshitting $_POST values) and not even need to sanitize anything. With those three fields always present, there is no reason for them to be in your form client-side. NEVER blindly trust the contents of a request array. Whenever possible check them against a list of valid values.