
Good day! I am having this problem on the update part of my code. Whenever I click my button for update, it gives me this error: Undefined variable Call Stack #TimeMemoryFunctionLocation 10.0006379256 . What error did I make? Please I need your help. Here is my code:

    <?php
    session_start();
    include_once "../styles/header-menu-out.php";
    include "dbconnection.php";

    function __autoload($class){
        include_once("../main/".$class.".php");
    }
    $code = new codex("localhost","library_books","root","" );
    $books = $code->showData("book_info");
    $id = $_REQUEST['update'];
    ?>

    <html>
    <head>
        <link rel="stylesheet" type="text/css" href="../styles/library_style.css">
        <title>Book-A-Holic: Update an Item</title>
    </head>
    <body>
        <table>
        <?php foreach ($books as $book){ ?>
            <tr><td><input type="Hidden" name="id" value="<?php echo $id; ?>"/></td></tr>
            <tr><td>Title</td><td><input type="text" name="title" value="<?php echo $title; ?>"/></td></tr>
            <tr><td>Author</td><td><input type="text" name="author" value="<?php echo $author; ?>"/></td></tr>
            <tr><td>ISBN</td><td><input type="text" name="isbn" value="<?php echo $isbn; ?>"/></td></tr>
            <tr><td>Publisher</td><td><input type="text" name="publisher" value="<?php echo $publisher; ?>"/></td></tr>
            <tr><td>Language</td><td><input type="text" name="language" value="<?php echo $language; ?>"/></td></tr>
            <tr>
                <td>Genre</td>
                <td><select name="genre">
                        <option value="<?php echo $genre; ?>"><?php echo $genre; ?></option>
                        <option value="Non-Fiction">Non-Fiction</option>
                        <option value="Fiction">Fiction</option>
                        <option value="Educational">Educational</option>
                        <option value="Reserved">Reserved</option>
                        <option value="Instructional Materials">Instructional Materials</option>
                    </select>
                </td>
            </tr>
            <tr><td>Quantity</td><td><input type="text" name="quantity" value="<?php echo $quantity; ?>"/></td></tr>
            <tr>
                <td>Availability</td>
                <td><select name="availability">
                        <option value="<?php echo $availability; ?>"></option>
                        <option value="Available">Yes</option>
                        <option value="N/A">No</option>
                    </select>
                </td>
            </tr>
            <tr><td>Queue</td><td><input type="text" name="queue" value="<?php echo $queue; ?>"/></td></tr>

        <?php } ?>

        <tr>
            <td></td>
            <td>
            <button class="mybutton"><a href="bookUpdate.php?update=<?php echo urlencode($id); ?>">Update</a></button>
            <button class="mybutton"><a href="bookDeleteUI.php">Cancel</a></button>
            </td>
        </tr>
        </table>

    </body>
    </html>

my OOP code:

    public function updateData($id, $title, $author, $isbn, $publisher, $language, $genre, $quantity, $queue, $availability, $table)
    {
        $q = "UPDATE $table SET title = '$title', author = '$author', isbn = '$isbn', publisher = '$publisher',language = '$language', genre = '$genre', quantity = '$quantity', availability = '$availability', queue = '$queue' WHERE id ='$id'";
        $stmt = $this->con->prepare($q);
        $stmt->execute(array(':title'=>$title,':author'=>$author,':isbn'=>$isbn,':publisher'=>$publisher,':language'=>$language, ':genre'=>$genre,':quantity'=>$quantity,':availability'=>$availability,':queue'=>$queue));
        return true;
    }

thanks in advance.

user12345654
  • possible duplicate of [Reference - What does this error mean in PHP?](http://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php) – DCoder Feb 18 '14 at 14:46
  • 1
    Where did you read about using prepared statements the way you used them? It's like, polar opposite of what you should be doing :) – N.B. Feb 18 '14 at 14:48
  • Thank you for help sir. Can you suggest me on what to do to avoid this kind of coding? – user12345654 Feb 18 '14 at 14:58

1 Answer


Your prepared statement is totally wrong. You're STILL vulnerable to SQL injection attacks, because you're directly stuffing your data variables into the query string, and THINKING you're safe because you try to use placeholders in the execute() call... but since you have no placeholders in the query string, you're still hosed.

    $q = "UPDATE $table SET title = :title, author = :author, etc...";
                                    ^^^^^^---placeholder

Note that $table is still used directly in the query - you cannot use placeholders on fields/table names, nor on SQL meta-words. Placeholders only work for values, such as where you'd have $title, $author, etc...

Marc B
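The points in the answer above, worked through as an added example that is neither the asker's nor Marc B's code: every value goes through a named PDO placeholder, the table name (which cannot be a placeholder) is checked against a fixed allow-list before being interpolated, and the row is fetched back by id so the form variables come from the database rather than being left undefined. It assumes PDO with the sqlite driver so it runs offline; the `ALLOWED_TABLES` constant, the `fetchBook` helper, the column list and the sample row are all constructed for the example.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes PDO with the sqlite driver; change the DSN for MySQL in real use.
declare(strict_types=1);

// Identifiers (table/column names) cannot be bound as placeholders, so the
// caller-supplied table name is compared against a fixed allow-list instead.
const ALLOWED_TABLES = ['book_info'];   // constructed for the example

function updateData(PDO $con, string $table, array $fields, int $id): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Table not allowed: $table");
    }
    // Only the allow-listed identifier is interpolated; every value is a
    // named placeholder, so the SQL text never contains user-supplied data.
    $q = "UPDATE $table SET title = :title, author = :author, isbn = :isbn,
          publisher = :publisher, language = :language, genre = :genre,
          quantity = :quantity, availability = :availability, queue = :queue
          WHERE id = :id";
    $stmt = $con->prepare($q);
    $stmt->execute([
        ':title'        => $fields['title'],
        ':author'       => $fields['author'],
        ':isbn'         => $fields['isbn'],
        ':publisher'    => $fields['publisher'],
        ':language'     => $fields['language'],
        ':genre'        => $fields['genre'],
        ':quantity'     => $fields['quantity'],
        ':availability' => $fields['availability'],
        ':queue'        => $fields['queue'],
        ':id'           => $id,
    ]);
    return $stmt->rowCount();   // 0 means no row had that id
}

// Hypothetical helper: loads the one book the form should display, so the
// page can use $book['title'] etc. instead of unset variables.
function fetchBook(PDO $con, int $id): ?array
{
    $stmt = $con->prepare("SELECT * FROM book_info WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory fixture so the example runs stand-alone.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec("CREATE TABLE book_info (id INTEGER PRIMARY KEY, title TEXT, author TEXT,
            isbn TEXT, publisher TEXT, language TEXT, genre TEXT, quantity INTEGER,
            availability TEXT, queue INTEGER)");
$con->exec("INSERT INTO book_info VALUES (1, 'Old Title', 'A. Author', '123',
            'Pub', 'English', 'Fiction', 1, 'Available', 0)");

// A title containing quotes: interpolated into the query string this would
// break the statement; through a placeholder it is stored verbatim.
$fields = [
    'title' => "O'Reilly's Guide", 'author' => 'A. Author', 'isbn' => '123',
    'publisher' => 'Pub', 'language' => 'English', 'genre' => 'Fiction',
    'quantity' => 2, 'availability' => 'Available', 'queue' => 0,
];
$changed = updateData($con, 'book_info', $fields, 1);
$book = fetchBook($con, 1);
var_dump($changed, $book['title']);

// A table name outside the allow-list is rejected before any SQL is built.
try {
    updateData($con, 'book_info; DROP TABLE book_info', $fields, 1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Passing an array of fields rather than ten positional arguments keeps the placeholder names and the values side by side, which is where the original code went wrong: it built the placeholder array but left the query with no placeholders for it to fill.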