0

Here is my PHP code, I guess the problem is with $_POST[...]?

PHP:

<?php
require('connect.php');
$name = $_POST['name'];
$comment = $_POST['comment'];
$submit = $_POST['submit'];
if($submit)
{
    if($name&&$comment)
    {
    $query=mysql_query("INSERT INTO comment (id,name,comment) VALUES ('','$name','$comment')");
    header("Location: success.php");
    }
    else
    {
        echo "Lūdzu aizpildi visus logus.";
    }
}
?>

The form of fields and textarea.

HTML:

<form action="help-add-comment.php" method="POST">
  <label>Jūsu vārds:  </label><br /><input type="text" name="name" size="25" value="<?php echo "$name" ?>" /><br /><br />
  <label>Ziņojums:  </label><br /><textarea name="comment" cols="25" rows="7"></textarea><br /><br />
  <input type="submit" class="button button-red" name="submit" value="Pievienot" /><br/>
</form>

This is my result: undefined index

HomerDoRock

3 Answers

3

Check if your values are defined first; it works because this isn't an error, it's just a warning.

Do it like this:

<?php
if (!empty($_POST["name"]) && !empty($_POST["comment"]) && isset($_POST["submit"])) {
    require('connect.php');
    //Get Post value
    $name = $_POST['name'];
    $comment = $_POST['comment'];
    $submit = $_POST['submit'];
    //Execute query
    $query=mysql_query("INSERT INTO comment (id,name,comment) VALUES ('','$name','$comment')");
    header("Location: success.php");
}else{
    //one of the value is not set (undefined)
    echo "Ludzu aizpildi visus logus.";
}
?>

Learn more about if and if/else, isset() and empty()


PS:

Your code is vulnerable to SQL injection, and also mysql is now deprecated. You should use mysqli extensions or PDO. This is serious because you will get hacked very easily.

meda
  • Personally, I would use `if (!empty($_POST["name"]) && !empty($_POST["comment"]) && isset($_POST["submit"]))` but that's just me ;-) – Funk Forty Niner Jan 04 '14 at 20:52
  • Yes, you're right, these should be required fields from the client side at least – meda Jan 04 '14 at 20:55
  • There are of course numerous ways/combinations to achieve basically the same results. The OP can play with the options made available. I'd even put a link to the PHP.net's page about the `if/else` conditional statements, then he/she can pick and choose which method he/she likes best. – Funk Forty Niner Jan 04 '14 at 20:57
  • @Fred-ii- what link about the `if/else` are you referring to ? – meda Jan 04 '14 at 21:01
  • These: http://www.php.net/manual/en/control-structures.elseif.php and http://www.php.net/manual/en/control-structures.if.php and http://php.net/empty – Funk Forty Niner Jan 04 '14 at 21:02
  • Plus, I tend to think that when one gets an `Undefined index...` error message, this is also caused by form elements not being named or improperly named. I.e.: `` if OP does not have that or is called `Comment` instead of `comment`, then those will fail. – Funk Forty Niner Jan 04 '14 at 21:10
  • @Fred-ii- or a user sending a malformed postback on purpose to try and trigger warnings like this to discover application internals like filenames and server directory layouts. – Niels Keurentjes Jan 04 '14 at 21:11
  • Yes that's another possibility. We can't be 100% certain as to how the OP is using this code, in conjunction with something else. Be it HTML form, AJAX etc. @NielsKeurentjes Sometimes OP's post different code than the actuals. I've seen that happen quite a few times. – Funk Forty Niner Jan 04 '14 at 21:13
  • I never touch questions like these myself (only comments), they just tend to open up the proverbial "Can of Worms". @NielsKeurentjes – Funk Forty Niner Jan 04 '14 at 21:16
  • Never hurts to always rub in the ***NEVER TRUST CLIENT INPUT*** wisdom an extra time. – Niels Keurentjes Jan 04 '14 at 21:20
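
The PS above recommends PDO or mysqli over the string-built `mysql_query()` call. As an added example (not code from this answer), here is the same insert with a PDO prepared statement; the `addComment()` helper, the in-memory SQLite database standing in for `connect.php`, and the sample input are assumptions made for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL connection that
// connect.php would open; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comment (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');

/**
 * Hypothetical helper: validate the posted fields and insert one comment.
 * Returns the new row id, or null when a required field is missing.
 */
function addComment(PDO $pdo, array $post): ?int
{
    // isset() avoids the "undefined index" notice; is_string() rejects
    // array input such as name[]=x before it reaches trim().
    $name    = isset($post['name'])    && is_string($post['name'])    ? trim($post['name'])    : '';
    $comment = isset($post['comment']) && is_string($post['comment']) ? trim($post['comment']) : '';
    if ($name === '' || $comment === '') {
        return null;
    }
    // Placeholders keep the values out of the SQL text, so a quote in the
    // input is stored as data instead of altering the statement.
    $stmt = $pdo->prepare('INSERT INTO comment (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input: the apostrophes would break the string-built
// query from the question, but are harmless with bound parameters.
$samplePost = ['name' => "O'Brien", 'comment' => "It's working, paldies!", 'submit' => 'Pievienot'];

$id = addComment($pdo, $samplePost);
$check = $pdo->prepare('SELECT name, comment FROM comment WHERE id = ?');
$check->execute([$id]);
var_dump($id, $check->fetch(PDO::FETCH_ASSOC));

// A request without the "comment" field is rejected without any notice.
var_dump(addComment($pdo, ['name' => 'only name']));
```

In the real handler, pass `$_POST` to the helper, and on a non-null result send `header('Location: success.php')` followed by `exit;` so the script stops after the redirect.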
2

You're trying to access non-existent fields in the $_POST array, the warning is correct. You should only process those fields when they're actually there, so when you're actually responding to a form postback, by checking the request method:

if($_SERVER['REQUEST_METHOD'] == 'POST')
{
  $name = $_POST['name'];
  $comment = $_POST['comment'];
  $submit = $_POST['submit'];
  // Handle rest of postback
}

Note that this still allows a malicious user to trigger the warnings, and thus gain knowledge of your application internals, by faking a request. You can fix this by retrieving the POST values safely:

function getPostValue($name, $default = null)
{
  return isset($_POST[$name]) ? $_POST[$name] : $default;
}
$name = getPostValue('name');

You can achieve the same effect by using the error suppression operator (@) but it's bad for performance and considered bad style for simple cases like this.

Niels Keurentjes
  • May I know why it is bad practice using @? Here I am just printing something. – Asraful Haque Jan 04 '14 at 21:05
  • @AsrafulHaque because it suppresses the error, you won't see any error/warning – meda Jan 04 '14 at 21:06
  • First off it suppresses all errors and warnings, while it is most commonly used to suppress only a single *expected* error or warning. You might be silencing completely unrelated problems as well. Secondly, it's **terribly slow**. When a line using `@` fails, all error handling code inside PHP is still executed, and then at the end of that it's thrown away. I've tested it myself and found it over 100 times slower at times than just properly testing for expected problems. – Niels Keurentjes Jan 04 '14 at 21:07
  • Thank you too much! Happy new year 2014 all of you! – Asraful Haque Jan 04 '14 at 21:07
  • Sir, may I know which software can be used to test to check the slow? – Asraful Haque Jan 04 '14 at 21:09
  • Thank you sir a lot of Happy new year 2014 – Asraful Haque Jan 04 '14 at 21:12
0

TRY THIS:

  <?php
    require('connect.php');
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $comment = isset($_POST['comment']) ? $_POST['comment'] : '';
    $submit = isset($_POST['submit']) ? $_POST['submit'] : '';
    if($submit)
    {
        if($name&&$comment)
        {
        $query=mysql_query("INSERT INTO comment (id,name,comment) VALUES ('','$name','$comment')");
        header("Location: success.php");
        }
        else
        {
            echo "Lūdzu aizpildi visus logus.";
        }
    }
    ?>
Awlad Liton