0

I am creating a social network for mobile devices and am trying to insert some user information into my database with the file "settings.php". But when I run "settings.php", Chrome shows me errors (I commented in the file where the errors are shown). Does anyone have a hint as to what I should change?

My Database:

CREATE TABLE `users` (
`id` INT NOT NULL AUTO_INCREMENT ,
`username` VARCHAR NOT NULL ,
`password` VARCHAR NOT NULL ,
`picture` VARCHAR NOT NULL ,
`age` INT NOT NULL ,
`residence` VARCHAR NOT NULL ,
`status` VARCHAR NOT NULL ,
`sex` VARCHAR NOT NULL ,

login.php

 <?php
    if (!empty($_POST)) {
        if (
            empty($_POST['f']['username']) ||
            empty($_POST['f']['password'])
        ) {
            $message['error'] = 'Es wurden nicht alle Felder ausgefüllt.';
        } else {
            $mysqli = @new mysqli('localhost', 'root', 'pw', 'database');
            if ($mysqli->connect_error) {
                $message['error'] = 'Datenbankverbindung fehlgeschlagen: ' . $mysqli->connect_error;
            }
            $query = sprintf(
                "SELECT username, password FROM users WHERE username = '%s'",
                $mysqli->real_escape_string($_POST['f']['username'])
            );
            $result = $mysqli->query($query);
            if ($row = $result->fetch_array(MYSQLI_ASSOC)) {
                // password_verify() accepts crypt() hashes and compares in constant time
                if (password_verify($_POST['f']['password'], $row['password'])) {
                    session_start();

                    $_SESSION = array(
                        'login' => true,
                        'user'  => array(
                            'username'  => $row['username']
                        )
                    );
                    $message['success'] = '';
                    header('Location: http://' . $_SERVER['HTTP_HOST'] . '/anyask/main.php');
                    exit; // stop here so nothing else is sent after the redirect
                } 
            } 
            $mysqli->close();
        }
    } 
?>  
<html>
<head>
    <meta charset="UTF-8" /> 
    <title>
        HTML Document Structure
    </title>
    <link rel="stylesheet" type="text/css" href="style1.css" />

    <link rel="stylesheet" href="http://code.jquery.com/mobile/1.3.0/jquery.mobile-1.3.0.min.css" />
    <script src="http://code.jquery.com/jquery-1.8.2.min.js"></script>
    <script src="http://code.jquery.com/mobile/1.3.0/jquery.mobile-1.3.0.min.js"></script>


    <meta name="apple-mobile-web-app-capable" content="yes" />
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

</head>
<body>

<div id="wrapper">

    <form name="login-form" class="login-form" action="./login.php" method="post">

        <div class="header">
        </div>

        <div class="content">
        <label for="username"></label>
        <input name="f[username]" type="text" class="input username" placeholder="Username" id="username"
        <?php 
                    echo isset($_POST['f']['username']) ? ' value="' . htmlspecialchars($_POST['f']['username']) . '"' : '' ?>/>
        <label for="password"></label>
        <input name="f[password]" type="password" class="input password" placeholder="Password" id="password" />

        </div>

        <div class="footer">
        <input type="submit" name="submit" value="Login" class="button" data-theme="b"/>
        <a href="./register.php">Register</a>
        </div>

    </form>

</div>
<div class="gradient"></div>


</body>
</html>

auth.php

    <?php
    session_start();
    session_regenerate_id();

    if (empty($_SESSION['login'])) {
        header('Location: http://' . $_SERVER['HTTP_HOST'] . '/login.php');
        exit;
    } else {
        $login_status = '
            <div style="border: 1px solid black">
                Sie sind als <strong>' . htmlspecialchars($_SESSION['user']['username']) . '</strong> angemeldet.<br />
                <a href="./logout.php">Sitzung beenden</a>
            </div>
        ';
    }
?>

settings.php

 <?php require_once './auth.php'; ?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        <title>main</title>
        <link rel="stylesheet" type="text/css" href="mainstyle.css" />
        <link rel="stylesheet" href="http://code.jquery.com/mobile/1.3.0/jquery.mobile-1.3.0.min.css" />
    <script src="http://code.jquery.com/jquery-1.8.2.min.js"></script>
    <script src="http://code.jquery.com/mobile/1.3.0/jquery.mobile-1.3.0.min.js"></script>


    <meta name="apple-mobile-web-app-capable" content="yes" />
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

    </head>
    <body>
        <div data-role="header" data-theme="b" data-position="fixed" data-tap-toggle="false" > 
            <h1 class="ui-title" role="heading" aria-level="1">anyask</h1>

    </div>

    <div data-role="main" class="ui-content">
     <div id="wrapper">

    <form name="login-form" class="login-form" action="./settings.php" method="post">

        <div class="header">
        </div>

        <div class="content">
        <label for="age"></label>
        <input name="age" type="number" class="input age" placeholder="age" id="age"/>

        <label for="residence"></label>
        <input name="residence" type="text" class="input residence" placeholder="residence" id="residence" />


        <fieldset data-role="controlgroup" data-type="horizontal">
        <legend>sex:</legend>
        <input type="radio" name="radio-choice-h-2" id="radio-choice-h-2a" value="man" checked="checked">
        <label for="radio-choice-h-2a">man</label>
        <input type="radio" name="radio-choice-h-2" id="radio-choice-h-2b" value="woman">
        <label for="radio-choice-h-2b">woman</label>

        </fieldset>
        profile picture: 
        <input name="attachment" type="file" id="attachment" /><br>
        </div>

        <div class="footer">
        <input type="submit" name="submit" value="save" class="button" data-theme="b"/>

        </div>

    </form>

</div>
<div class="gradient"></div>

        </div>




    </body>
</html>
<?php

$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// upload picture

// the following 3 lines are shown as errors
$age=$_POST['age'];
$residence=$_POST['residence'];
$sex=$_POST['radio-choice-h-2'];

// Insert data into mysql 
$sql="INSERT INTO $tbl_name(age, residence, radio-choice-h-2)VALUES('$age', '$residence', '$sex')";
$result=mysql_query($sql);

// if successfully insert data into database, displays message "Successful". 
if($result){
header('Location: http://' . $_SERVER['HTTP_HOST'] . '/anyask/main.php');
}

else {
echo "ERROR";
}

// close connection 
mysql_close();
?>
brabus85
  • 71
  • 7
  • What is the error message? – Jens Jan 18 '15 at 19:35
  • 2
    when you first load the page those variables don't exist as the form has yet to be posted –  Jan 18 '15 at 19:36
  • @Jens Notice: Undefined index: age in C:\xampp\htdocs\settings.php on line 81 Notice: Undefined index: residence in C:\xampp\htdocs\settings.php on line 82 Notice: Undefined index: radio-choice-h-2 in C:\xampp\htdocs\settings.php on line 83 ERROR – brabus85 Jan 18 '15 at 19:40
  • @Dagon which variables do you mean? – brabus85 Jan 18 '15 at 19:40
  • the undefined ones. they won't be defined until the form is posted, so check that –  Jan 18 '15 at 19:41
  • turn off strict error messaging: http://stackoverflow.com/questions/1248952/php-5-disable-strict-standards-error – Lance Jan 18 '15 at 19:41
  • Your general concept of how this works is wrong. You make a web page that has a form in it. The "action" of that form is a completely different PHP script. That PHP script does the insert. – kainaw Jan 18 '15 at 19:41
  • 1
    @Lance no no and no. code properly, fix errors, don't turn off error reporting –  Jan 18 '15 at 19:42
  • @kainaw should I make settings.php the "same" as login.php? – brabus85 Jan 18 '15 at 19:45
  • Absolutely agree with @Dagon to code better, but run your errors into a log, instead of displaying the error messaging. – Lance Jan 18 '15 at 19:49
  • display is the best option when building the site –  Jan 18 '15 at 19:50

1 Answer

1

Upon loading the page, the variables age, residence and radio-choice-h-2 do not exist in the $_POST variable, as these variables only exist after submitting a form. (http://php.net/manual/en/reserved.variables.post.php)

You should check if these variables exist before running a database query. Something like this:

if (isset($_POST['age'])) {
    // DO SOMETHING
}

You should generally check if a variable exists and contains correct values. Especially when using forms.

izzyu
  • 36
  • 3
  • the whole block should be inside an if form was posted condition as well as variable checking –  Jan 18 '15 at 19:52
  • @Dagon I fully agree with you there. Security is a big topic when using forms. – izzyu Jan 18 '15 at 19:54
  • If he REALLY wants one file, then it should be all wrapped in an "IF FORM NOT SUBMITTED" part and an "ELSE" part. I still suggest having two files. One for the form. One to handle the submission. Simply wrapping it in an isset will not solve the underlying design problem. – kainaw Jan 18 '15 at 19:54
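
The one-file layout discussed in the answer and comments above (handle the submission only when the form was posted, otherwise just show the form), as an added example that is not part of the original thread or the asker's code. It assumes the intent is to update the logged-in user's row in the `users` table from the question; the connection credentials are placeholders and the validation bounds are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes the `users` table from the
// question and the session layout written by login.php.
require_once './auth.php'; // starts the session and enforces login

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') { // run only after the form was submitted
    // filter_input() returns null for a missing field, so no "Undefined index" notice.
    $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]); // bounds are assumed
    $residence = trim((string) filter_input(INPUT_POST, 'residence'));
    $sex = filter_input(INPUT_POST, 'radio-choice-h-2');

    if ($age === null || $age === false) {
        $errors[] = 'age must be a whole number';
    }
    if ($residence === '' || strlen($residence) > 255) { // length limit is assumed
        $errors[] = 'residence is missing or too long';
    }
    if (!in_array($sex, ['man', 'woman'], true)) { // the two radio values in the form
        $errors[] = 'sex has an unexpected value';
    }

    if (!$errors) {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
        $mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
        $username = $_SESSION['user']['username']; // set by login.php
        // Bound parameters keep the submitted values out of the SQL text.
        $stmt = $mysqli->prepare(
            'UPDATE users SET age = ?, residence = ?, sex = ? WHERE username = ?'
        );
        $stmt->bind_param('isss', $age, $residence, $sex, $username);
        $stmt->execute();
        $mysqli->close();

        header('Location: /anyask/main.php'); // sent before any HTML output
        exit;
    }
}
?>
<!-- The HTML form from settings.php follows; print each $errors entry with htmlspecialchars(). -->
```

This block belongs at the top of settings.php, above `<!DOCTYPE html>`, because `header()` cannot redirect once output has started.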