
I Need a Second Set of Eyes Please


StevenYoung


OK, I have been coding for a long time, but recently discovered I was doing things very sloppily and not very securely because register_globals was on and I didn't know better.

I am now running with register_globals off and having issues with a few scripts.

 

In this case I am using post data and trying to retrieve data from a mysql db.

The error is "Notice: Undefined variable: Item_Number in C:\wamp\www\MasterRetail\productupdate.php on line 8"

I have searched, and all the help I have found has not been of help, so I think I am probably overlooking something fairly trivial.

 

<?php
$db = mysql_connect("localhost", "username here", "");
mysql_select_db("tablename", $db);

// Get Variables Here.
$_POST['Item_Number'] = '$Item_Number';

if ($Item_Number) {
  if ($submit) {
    $sql = "UPDATE products SET Item_Number='$Item_Number',Page_Number='$Page_Number',ShortDescription='$ShortDescription',LongDescription='$LongDescription',Units='$Units',WholesalePrice='$WholesalePrice',RetailPrice='$RetailPrice',Heading='$Heading',TOCListing='$TOCListing',CrossSell1='$CrossSell1',CrossSell2='$CrossSell2',SubCatalog1='$SubCatalog1',SubCatalog2='$SubCatalog2',SubCatalog3='$SubCatalog3',InStock='$InStock',DateVerified='$DateVerified',KeyWords='$KeyWords',SubCat1PN='$SubCat1PN',SubCat2PN='$SubCat2PN',SubCat3PN='$SubCat3PN',PublicView='$PublicView',PhoneOrderOnly='$PhoneOrderOnly',Active='$Active' WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql) or die($sql.' failed because '.mysql_error());
    echo "Client Updated.";
  } else {
    // query the DB
    $sql1 = "SELECT * FROM products WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql1) or die($sql1.' failed because '.mysql_error());
    $myrow = mysql_fetch_array($result);
    ?>

 

And here is what the URL looks like "http://sandbox/masterretail/productupdate.php?Item_Number=34240"

 

Please help so I can continue learning. So far I have fixed about 85% of the flaws I had in the application.


This line:

 

// Get Variables Here.
$_POST['Item_Number'] = '$Item_Number';

 

should be at the bare minimum:

// Get Variables Here.
$Item_Number = $_POST['Item_Number'] ;

However, you should sanitize your $_POST['Item_Number'] before you assign/use it. Use the appropriate sanitization method depending on the data type of that item (mysql_real_escape_string(), is_numeric(), ctype_digit(), etc.).

 

 


OK, well, that changed the error message. Now it is "Notice: Undefined index: Item_Number in C:\wamp\www\MasterRetail\productupdate.php on line 10".

 

Not sure how you mean to Sanitize the $_POST['Item_Number'] before using it. This is a variable that is created by another web page and passed to this one.

 

Sorry if I am acting like a newbie when I'm not, but I am still learning register_globals-off programming.

 

<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);

$db = mysql_connect("localhost", "Username", "");
mysql_select_db("dbname", $db);

// Get Variables Here.
$Item_Number = $_POST['Item_Number'];

if ($Item_Number) {
  if ($submit) {
    $sql = "UPDATE products SET Item_Number='$Item_Number',Page_Number='$Page_Number',ShortDescription='$ShortDescription',LongDescription='$LongDescription',Units='$Units',WholesalePrice='$WholesalePrice',RetailPrice='$RetailPrice',Heading='$Heading',TOCListing='$TOCListing',CrossSell1='$CrossSell1',CrossSell2='$CrossSell2',SubCatalog1='$SubCatalog1',SubCatalog2='$SubCatalog2',SubCatalog3='$SubCatalog3',InStock='$InStock',DateVerified='$DateVerified',KeyWords='$KeyWords',SubCat1PN='$SubCat1PN',SubCat2PN='$SubCat2PN',SubCat3PN='$SubCat3PN',PublicView='$PublicView',PhoneOrderOnly='$PhoneOrderOnly',Active='$Active' WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql) or die($sql.' failed because '.mysql_error());
    echo "Client Updated.";
  } else {
    // query the DB
    $sql1 = "SELECT * FROM products WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql1) or die($sql1.' failed because '.mysql_error());
    $myrow = mysql_fetch_array($result);
    ?>


And you should do some validation as well:

 

if ($Item_Number) {
  ///
}

 

Should be:

 

if (is_int($Item_Number)) {
  ///
}

 

To ensure that $Item_Number is in fact an integer, if integers are all you want.

 

I'd also do the following with submit just for additional validation purposes:

 

if (is_int($Item_Number)) {
  if (isset($submit)) {

// do something

  }
}

 

 

As for your undefined index warning, define $Item_Number at the top like so: "$Item_Number = 0;". Either that, or move "$Item_Number = $_POST['Item_Number'];" into the $submit if() statement.


is_int does NOT test if the value in the variable is an integer, it tests if the variable is of type integer.

 

Note:

 

To test if a variable is a number or a numeric string (such as form input, which is always a string), you must use is_numeric().

 

 

I've always used it and never had an issue but then again, I use it with other conditionals as well.

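An added example, not from anyone in this thread, showing the distinction made in the post above on concrete form-style input. Everything in $_GET and $_POST is a string, so is_int() is always false on it; is_numeric() accepts exponent notation, signs and leading whitespace; ctype_digit() accepts only a run of ASCII digits; and filter_var() with FILTER_VALIDATE_INT returns an actual int or false. The helper name parseItemNumber() and the sample inputs are my own, and the code assumes PHP 8.

```php
<?php
// Added example (not from the thread): how PHP's integer checks differ on
// request input, which always arrives as a string.
declare(strict_types=1);

/**
 * Hypothetical helper: return the item number as an int only when the raw
 * request value is a canonical positive decimal integer, otherwise null.
 */
function parseItemNumber(mixed $raw): ?int
{
    // ?Item_Number[]=x yields an array, not a string; reject it outright.
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "1e3", "0x1A", "00123", "34240abc" and
    // anything outside PHP_INT_MIN..PHP_INT_MAX; min_range drops 0 and negatives.
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Constructed sample values of the kind a query string or form would deliver.
$samples = ['34240', ' 42', '1e3', '-5', '00123', '0x1A', '34240abc', ''];

printf("%-12s %-7s %-11s %-12s %s\n",
    'input', 'is_int', 'is_numeric', 'ctype_digit', 'parseItemNumber');
foreach ($samples as $s) {
    printf("%-12s %-7s %-11s %-12s %s\n",
        var_export($s, true),
        var_export(is_int($s), true),      // false for every sample: they are strings
        var_export(is_numeric($s), true),  // true for '1e3', ' 42', '-5', '00123'
        var_export(ctype_digit($s), true), // true only for pure digit runs
        var_export(parseItemNumber($s), true));
}

// is_int() only ever says yes to a PHP integer, which request data never is.
var_dump(is_int(34240), is_int('34240'));
```

The practical consequence for the script in this thread: `if (is_int($Item_Number))` is never true for a value read from $_GET or $_POST, so the update and select branches are both skipped. Whichever check you pick, convert the validated string to an int once at the boundary and pass that int around, rather than re-checking the raw string everywhere.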

Still yields the same error message, so what have I done wrong?

 

<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);

$db = mysql_connect("localhost", "username", "");
mysql_select_db("dbname", $db);

// Get Variables Here.
$Item_Number = 0; // Hope this gets replaced right
$Item_Number = $_POST['Item_Number'];

if (is_int($Item_Number)) {
  if (isset($submit)) {
    $sql = "UPDATE products SET Item_Number='$Item_Number',Page_Number='$Page_Number',ShortDescription='$ShortDescription',LongDescription='$LongDescription',Units='$Units',WholesalePrice='$WholesalePrice',RetailPrice='$RetailPrice',Heading='$Heading',TOCListing='$TOCListing',CrossSell1='$CrossSell1',CrossSell2='$CrossSell2',SubCatalog1='$SubCatalog1',SubCatalog2='$SubCatalog2',SubCatalog3='$SubCatalog3',InStock='$InStock',DateVerified='$DateVerified',KeyWords='$KeyWords',SubCat1PN='$SubCat1PN',SubCat2PN='$SubCat2PN',SubCat3PN='$SubCat3PN',PublicView='$PublicView',PhoneOrderOnly='$PhoneOrderOnly',Active='$Active' WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql) or die($sql.' failed because '.mysql_error());
    echo "Client Updated.";
  } else {
    // query the DB
    $sql1 = "SELECT * FROM products WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql1) or die($sql1.' failed because '.mysql_error());
    $myrow = mysql_fetch_array($result);
    ?>


Your form processing code needs to be form processing code. You need a specific test and conditional statement around the block of code that you only want to execute when the form has been submitted. I'm going to guess that your form has a submit button or a hidden field named 'submit' -

 

<?php
if (isset($_POST['submit'])) {
    // ALL the code that processes the form's $_POST values goes here....
}

 

The above will prevent undefined error messages that are due to the code being executed when the expected form has not been submitted, because all references to $_POST values will be inside that conditional statement. Any other undefined error messages are due to referencing the wrong or non-existent variable name and you would need to determine the correct variable name or why an expected variable does not exist.

 

 

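An added example, written for this thread rather than taken from it or from the original poster's application, that puts the advice from the two replies above together: read each request value explicitly now that register_globals is off, validate Item_Number before use, wrap all form processing in an `isset($_POST['submit'])` guard, and stop interpolating request data into SQL (the poster's UPDATE and SELECT strings are injectable through any of the form fields). It assumes PHP 8.1 or later, the mysqli extension with mysqlnd, the products table and column names named in the thread (only a subset of the columns is listed, for brevity), and placeholder credentials. The item number comes from the query string for the edit view, as in the poster's URL, and from the posted hidden field on submit.

```php
<?php
// Added example, not the poster's productupdate.php: the same edit/update
// flow rewritten for register_globals = Off, with validation and prepared
// statements. Credentials, column subset and form markup are assumptions.
declare(strict_types=1);
error_reporting(E_ALL);
ini_set('display_errors', '1');   // development only; log to a file in production

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'username', '', 'dbname');

$submitted = isset($_POST['submit']);

// Nothing is a variable until you make it one. Pick the source deliberately:
// the edit link is GET (?Item_Number=34240), the form posts it back as a hidden field.
$intOpts = ['options' => ['min_range' => 1]];
$Item_Number = $submitted
    ? filter_input(INPUT_POST, 'Item_Number', FILTER_VALIDATE_INT, $intOpts)
    : filter_input(INPUT_GET,  'Item_Number', FILTER_VALIDATE_INT, $intOpts);

// filter_input() returns null when the key is absent and false when it fails
// validation; treat both as a bad request rather than running a query.
if ($Item_Number === null || $Item_Number === false) {
    http_response_code(400);
    exit('Missing or invalid Item_Number');
}

// Columns this form is allowed to change. A fixed list keeps attacker-chosen
// keys out of the SQL text; the values themselves are bound, never interpolated.
$editable = ['Page_Number', 'ShortDescription', 'LongDescription', 'Units',
             'WholesalePrice', 'RetailPrice', 'InStock', 'Active'];

if ($submitted) {
    // ALL form processing lives inside this block, so a plain GET of the
    // edit page never touches $_POST and never raises undefined-index notices.
    $values = [];
    foreach ($editable as $col) {
        $v = $_POST[$col] ?? '';
        $values[] = is_string($v) ? $v : '';   // arrays (field[]=x) become empty, not SQL
    }
    $values[] = $Item_Number;                  // WHERE parameter, bound as the last value

    $set = implode(', ', array_map(fn (string $c): string => "`$c` = ?", $editable));
    $stmt = $db->prepare("UPDATE products SET $set WHERE Item_Number = ?");
    $stmt->execute($values);                   // PHP 8.1+: execute() binds the array
    echo 'Product updated. Rows affected: ' . $stmt->affected_rows;
} else {
    $stmt = $db->prepare('SELECT * FROM products WHERE Item_Number = ?');
    $stmt->execute([$Item_Number]);
    $myrow = $stmt->get_result()->fetch_assoc();
    if ($myrow === null) {
        http_response_code(404);
        exit('No such item');
    }
    // Escape on output: database content is about to land inside HTML attributes.
    $h = fn (mixed $v): string => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    ?>
    <form method="post" action="">
      <input type="hidden" name="Item_Number" value="<?= $h($myrow['Item_Number']) ?>">
      <label>Short description
        <input name="ShortDescription" value="<?= $h($myrow['ShortDescription']) ?>">
      </label>
      <label>Retail price
        <input name="RetailPrice" value="<?= $h($myrow['RetailPrice']) ?>">
      </label>
      <input type="submit" name="submit" value="Update">
    </form>
    <?php
}
```

Two things the example deliberately does not do: it does not escape with mysql_real_escape_string(), because with bound parameters there is no string to escape, and it adds neither authentication nor a CSRF token, both of which a real product-update form needs before it goes anywhere near a live database.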

Did you even submit the form? If not, use the form to get to this processing script.

Or, if it's an all-in-one form, check to see whether this is a form submission:

if(!isset($_POST['submit'])) die('Form not submitted');

Wow, another post posted too late. Nice going, PFM.


Now I feel stupid; I realized I wasn't even at the posting/updating part yet. I am actually trying to get information that is posted from another page, using the said URL, productupdate.php?Item_Number=xxxxx (the actual number exists). Like I said, I unfortunately learned the bad way of doing all this and am now trying to relearn the right way.

 

So I should be working with this section of the if statement:

    // query the DB
    $sql1 = "SELECT * FROM products WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql1) or die($sql1.' failed because '.mysql_error());
    $myrow = mysql_fetch_array($result);

 

Now the error is "Notice: Undefined index: Item_Number in C:\wamp\www\MasterRetail\productupdate.php on line 12".

 

Reposting the whole script as I have it now.

Now the whole page is longer as it contains the form, but I don't believe we need that posted here right now

 

<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);

$db = mysql_connect("localhost", "username", "");
mysql_select_db("dbname", $db);

// Get Variables Here.
$Item_Number = 0; // Hope this gets replaced right
$Item_Number = $_GET['Item_Number'];
$Item_Number = $_POST['Item_Number']; // (This is really line 12)

if (is_int($Item_Number)) {
  if (isset($submit)) {
    $sql = "UPDATE products SET Item_Number='$Item_Number',Page_Number='$Page_Number',ShortDescription='$ShortDescription',LongDescription='$LongDescription',Units='$Units',WholesalePrice='$WholesalePrice',RetailPrice='$RetailPrice',Heading='$Heading',TOCListing='$TOCListing',CrossSell1='$CrossSell1',CrossSell2='$CrossSell2',SubCatalog1='$SubCatalog1',SubCatalog2='$SubCatalog2',SubCatalog3='$SubCatalog3',InStock='$InStock',DateVerified='$DateVerified',KeyWords='$KeyWords',SubCat1PN='$SubCat1PN',SubCat2PN='$SubCat2PN',SubCat3PN='$SubCat3PN',PublicView='$PublicView',PhoneOrderOnly='$PhoneOrderOnly',Active='$Active' WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql) or die($sql.' failed because '.mysql_error());
    echo "Client Updated.";
  } else {
    // query the DB
    $sql1 = "SELECT * FROM products WHERE Item_Number='$Item_Number'";
    $result = mysql_query($sql1) or die($sql1.' failed because '.mysql_error());
    $myrow = mysql_fetch_array($result);
    ?>

 

