"Notice: Undefined variable"

Question

I'm getting this error when I run the following change password script:

Notice: Undefined variable: $insert in C:\xampp\htdocs\oh\change.php on line 21 Password not changed

<?php
include('db_connection.php');
include('crypt.php');
session_start();
if (isset($_POST['submit'])) {
    $oldpassword = $_POST['current_password'];
    $newpassword= $_POST['new_password'];
    $confirm_password =$_POST['confirm_password'];
    $user_name = $_SESSION['UserName'];          
    $old = decrypt($oldpassword);
    $select = mysql_query("SELECT * FROM staff WHERE UserName='$user_name'");
    $fetch = mysql_fetch_array($select);
    $data_password = $fetch['password';
    if ($newpassword == $confirm_password && $data_password == $old) {
        $pass = encrypt($confirm_password);
        $insert = mysql_query("UPDATE staff SET password='$pass' WHERE UserName='$user_name'");
    }
    if ($insert) {
        echo "Password changed";
    } else {
        echo "Password  not changed";
    }
}
mysql_close($con);
?>

**Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. — Quentin, Apr 23 '14 at 09:21

score 0 · Answer 1 · answered Apr 23 '14 at 08:22

0

Well, that is because you might not get in the if statement where $insert gets set. If that is the case $insert does not exist en you get this notice.

Try to check if the variable exists like:

if (isset($insert)) {
    echo "Password changed";
} else {
    echo "Password  not changed";
}

answered Apr 23 '14 at 08:22

putvande

15,068
3
34
50

What if mysql_query returns false? – jackfrankland Apr 23 '14 at 08:25
Wrong answer as if it's false, isset will return true – Aysennoussi Apr 23 '14 at 08:34

jackfrankland · Answer 2 · 2014-04-23T09:29:58.437

You should define $insert before the if statement, so when you reference it later, it will definitely be defined:

$insert = FALSE;
if ($newpassword == $confirm_password && $data_password == $old) {
    $pass = encrypt($confirm_password);
    $insert = mysql_query("UPDATE staff SET password='$pass' WHERE UserName='$user_name'");
}
if ($insert) {
    echo "Password changed";
} else {
    echo "Password  not changed";
}

Edit:

There's another issue too, in that the old password will probably be encrypted in the database, and you are comparing it to a decrypted version of the supplied $oldpassword. Try changing the line to:

$old = encrypt($oldpassword);

Not optimal, if mysql_query returns false. – Aysennoussi Apr 23 '14 at 08:36 — Aysennoussi, Apr 23 '14 at 08:36

score -1 · Answer 3 · answered Apr 23 '14 at 08:25

-1

What's happening is that $insert is not declared outside the previous "if" statement. if this statement is false, then $insert is undefined. Try this:

    <?php
    include('db_connection.php');
    include('crypt.php');
    session_start();
    if (isset($_POST['submit'])) {
        $oldpassword = $_POST['current_password'];
        $newpassword= $_POST['new_password'];
        $confirm_password =$_POST['confirm_password'];
        $user_name = $_SESSION['UserName'];          
        $old = decrypt($oldpassword);
        $select = mysql_query("SELECT * FROM staff WHERE UserName='$user_name'");
        $fetch = mysql_fetch_array($select);
        $data_password = $fetch['password';
        if ($newpassword == $confirm_password && $data_password == $old) {
            $pass = encrypt($confirm_password);
            $insert = mysql_query("UPDATE staff SET password='$pass' WHERE UserName='$user_name'");

        if ($insert) {
            echo "Password changed";
        } else {
            echo "Password  not changed";
        }
}
    }
    mysql_close($con);
    ?>

answered Apr 23 '14 at 08:25

Aysennoussi

3,720
3
36
60

I explained it :) see edit. there are further explanations if you need them. please let me know when you fully understand. – Aysennoussi Apr 23 '14 at 08:27
@LéoLam error was because of the scope of variable `$insert` see your code you are enclosing `$insert` in if loop and later you are checking it. – Bender Apr 23 '14 at 08:27
I think this is the Optimal answer since it doesn't initiate any variable separately as someone did $initiate=FALSE; You just need to make the scope of if statement bigger :) – Aysennoussi Apr 23 '14 at 08:32
And what happens if the if statement is not executed? You will receive no message at all. – jackfrankland Apr 23 '14 at 08:48
You can just add an else statement then ! and if you followed the logic , the $insert is just for the mysql_part. – Aysennoussi Apr 23 '14 at 08:55

"Notice: Undefined variable"

3 Answers3