1

Let me start by mentioning that I am very new to PHP. I have this code:

<?php
$phone=$_POST['phone'];
$tagline=$_POST['tagline'];
$activity=$_POST['activity'];
$about=$_POST['about'];
$date=date(d-m-y);
$status='ok';
$con=mysqli_connect("localhost","root","","database");
mysqli_query($con,"UPDATE owners set phone='$phone',tagline='$tagline',status='$status',activity='$activity',about='$about',date='$date' where username='deiin'");
mysqli_close($con);

?>

It is supposed to update a table, but it returns Notice: Undefined index: phone in E:\EasyPHP-5.3.5.0\www\register\finishing\index.php on line 3. Any help?

pohqpyne
  • 1
    can you show your html form code – Srikanth Kolli Jun 01 '13 at 11:08
  • If the user doesn't fill in the form or the form is broken, this script will fail. You have to verify that the user put those data there, and verify that those data are "good" data you really want. Otherwise bad things will happen – enrey Jun 01 '13 at 11:08
  • 3
    Do a print_r($_POST); to see what is really coming in... @enry you are talking about GET, not POST! – Langusten Gustel Jun 01 '13 at 11:08
  • 1
    Your code is vulnerable to sql injections, please read [how to prevent sql injections in php](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php), you are new to it so now is the perfect time to learn it the proper way ! Have fun coding – Lepidosteus Jun 01 '13 at 11:10
  • 1
    Notice: Undefined index: phone in E:\EasyPHP-5.3.5.0\www\register\finishing\index.php on line 3 // proves you are not getting the phone value – Ankur Saxena Jun 01 '13 at 11:39

4 Answers

2

You must always check that the array has the index you ask for. So, use the isset() function in your code like this:

<?php
$phone = isset($_POST['phone']) ? $_POST['phone'] : null;
$tagline = isset($_POST['tagline']) ? $_POST['tagline'] : null;
$activity = isset($_POST['activity']) ? $_POST['activity'] : null;
$about = isset($_POST['about']) ? $_POST['about'] : null;
$date = date('d-m-y');
$status='ok';
$con=mysqli_connect("localhost","root","","database");
mysqli_query($con,"UPDATE owners set phone='$phone',tagline='$tagline',status='$status',activity='$activity',about='$about',date='$date' where username='deiin'");
mysqli_close($con);
?>

It can help with the notice, but I strongly recommend that you use a PDO object for querying the DB, and the mysqli_real_escape_string function to escape possible SQL injections.

Stanislav Terletskyi
1

You probably want to debug your code because a PHP-Notice is not stopping your code from executing.

If your Database is not updated you should try mysql_error() to see if there is an error in your mysql syntax.

To see what $_POST parameters are coming in, do print_r($_POST).

edit:

Yes (as Lepidosteus said): your code is vulnerable to MySQL injections. Look here what an injection is and look here how to prevent them.

Hope to be helpful :)

Langusten Gustel
1

Try it like this. Now all the fields are required, so no data will be stored to the database if the user doesn't fill in all the fields.

But use it only on your small home app; don't put it on a production server, since it's still badly vulnerable to injection.

if(isset($_POST['phone'])
   && isset($_POST['tagline'])
   && isset($_POST['activity'])
   && isset($_POST['about'])){

    $phone = $_POST['phone'];
    $tagline = $_POST['tagline'];
    $activity = $_POST['activity'];
    $about = $_POST['about'];

    $date=date('d-m-y');
    $status='ok';
    $con=mysqli_connect("localhost","root","","database");
    mysqli_query($con,"UPDATE owners 
                       SET phone='$phone', tagline='$tagline',status='$status',activity='$activity',about='$about',date='$date' 
                       WHERE username='deiin'");
    mysqli_close($con);
}

Or like this, activity and about would be optional:

if(isset($_POST['phone'])
  && isset($_POST['tagline'])){

    $phone = $_POST['phone'];
    $tagline = $_POST['tagline'];

    if(isset($_POST['activity'])) $activity = $_POST['activity'];
    else $activity = '';

    if(isset($_POST['about'])) $about = $_POST['about'];
    else $about = '';

    $date=date('d-m-y');
    $status='ok';
    $con=mysqli_connect("localhost","root","","database");
    mysqli_query($con,"UPDATE owners 
                       SET phone='$phone', tagline='$tagline',status='$status',activity='$activity',about='$about',date='$date' 
                       WHERE username='deiin'");
    mysqli_close($con);
}

But again, be aware that there's a huge security hole in this code, so don't put this on a production server. If someone wrote a ' quote in the form, it would be inserted in the SQL query and it would be the ending quote there, thus whatever follows the quote would be interpreted as commands for SQL. That way every joker around could delete your whole database in a second. Use mysqli_real_escape_string() or prepared statements.

EDIT: How to use mysqli_real_escape_string():

instead of for example $phone = $_POST['phone'];, you enclose it in mysql_real_escape_string() like this:

$phone = mysqli_real_escape_string( $con, $_POST['phone'] ); // needs the open mysqli connection $con

Couldn't be simpler, could it? :)

And remember to quote everything in the query, like you do:

UPDATE owners SET phone=     ---> '$phone' <--- /*those quotes are 
important for it to work, remember to keep them there */

I don't want to explain prepared statements, because the procedural syntax is weird and the OOP syntax would probably look even weirder to you.

enrey
  • Why mysql_real_escape_string is bad: http://johnroach.info/2011/02/17/why-mysql_real_escape_string-isnt-enough-to-stop-sql-injection-attacks/ – Langusten Gustel Jun 01 '13 at 11:34
  • 1
    @Jan1337z Yeah, I was expecting this kind of comment, just not that quickly... Well, first, he uses quotes, and second, who cares? The point is to know about it, sane people use prepared statements anyway. – enrey Jun 01 '13 at 11:40
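
The prepared-statement approach that the answers above recommend but do not show, as an added example that is not from any poster in this thread. It uses PDO with an in-memory SQLite table in place of the MySQL database (an assumption, so it runs offline on PHP 7+ with pdo_sqlite); updateOwner() and the phone format rule are hypothetical.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for the
// MySQL server (assumption, so it runs offline); for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE owners (username TEXT PRIMARY KEY, phone TEXT,
    tagline TEXT, status TEXT, activity TEXT, about TEXT, date TEXT)");
$pdo->exec("INSERT INTO owners (username, status) VALUES ('deiin', 'new')");

// Hypothetical helper: validates the form fields, then updates one owner row.
// Returns a list of error strings; an empty list means the UPDATE was executed.
function updateOwner(PDO $pdo, array $post, string $username): array
{
    $errors = [];
    $fields = [];
    // phone and tagline required, activity and about optional (as in the
    // second variant of the answer above).
    $spec = ['phone' => true, 'tagline' => true, 'activity' => false, 'about' => false];
    foreach ($spec as $name => $required) {
        // is_string() rejects array-valued fields such as phone[]=x
        $ok = isset($post[$name]) && is_string($post[$name]);
        $fields[$name] = $ok ? trim($post[$name]) : '';
        if ($required && $fields[$name] === '') {
            $errors[] = "missing field: $name";
        }
    }
    // Assumed format rule: digits, spaces and + ( ) - only.
    if ($fields['phone'] !== '' && !preg_match('/^[0-9 +()-]{5,20}$/', $fields['phone'])) {
        $errors[] = 'invalid phone';
    }
    if ($errors) {
        return $errors;
    }
    // Placeholders: the driver binds the values, so a quote in the input is
    // stored as data and cannot end the string literal.
    $stmt = $pdo->prepare(
        "UPDATE owners SET phone = :phone, tagline = :tagline, status = :status,
                activity = :activity, about = :about, date = :date
          WHERE username = :username");
    $stmt->execute($fields + ['status' => 'ok', 'date' => date('d-m-y'),
                              'username' => $username]);
    return [];
}

// Constructed input standing in for $_POST; the tagline contains a quote that
// would have closed the string in the concatenated query.
$post = ['phone' => '555 0100', 'tagline' => "Joe's', status='changed"];
print_r(updateOwner($pdo, $post, 'deiin'));
print_r(updateOwner($pdo, ['tagline' => 'no phone sent'], 'deiin'));
print_r($pdo->query("SELECT tagline, status FROM owners")->fetch(PDO::FETCH_ASSOC));
```
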
1
<?php
// Add this first to see what is actually being sent:
echo "<pre>";
print_r($_REQUEST);
echo "</pre>";
die("here");

$phone=$_POST['phone'];
$tagline=$_POST['tagline'];
$activity=$_POST['activity'];
$about=$_POST['about'];
$date=date('d-m-y');
$status='ok';
$con=mysqli_connect("localhost","root","","database");
mysqli_query($con,"UPDATE owners set phone='$phone',tagline='$tagline',status='$status',activity='$activity',about='$about',date='$date' where username='deiin'");
mysqli_close($con);

?>

$_REQUEST will return the value whether the sending method is POST, GET or cookies // maybe you are using the GET method

Ankur Saxena