
the following script gives me the following NOTICE:

Notice: Undefined variable: employee_pic in C:\xampp\htdocs\SFDB\form\add_employee.php on line 121 -> Line 121 is the last line of my INSERT query, where the variable "$employee_pic" at the end of the query is the cause of the notice.

I can't seem to understand how to define that variable if someone does not upload a picture on the form. I have tried every imaginable way, including if(isset($employeepic)), if(isset($_file['employeepic'])) and even assigning a value to the variable if false, without success. I managed to suppress the notice by using error_reporting(E_ALL ^ E_NOTICE); at the top of my page, but it doesn't help me understand why I can't give a value to a variable in the first place.

<?php
// Excerpt from add_employee.php: the surrounding form-submission check, $dbc
// (mysqli connection) and the EMP_UPLOADPATH / EMP_MAXSIZE constants are defined above.

$employerid      = mysqli_real_escape_string($dbc, trim($_POST['employerid']));
$jobtitleid      = mysqli_real_escape_string($dbc, trim($_POST['jobtitleid']));
$firstname       = mysqli_real_escape_string($dbc, trim($_POST['firstname']));
$lastname        = mysqli_real_escape_string($dbc, trim($_POST['lastname']));
$address         = mysqli_real_escape_string($dbc, trim($_POST['address']));
$city            = mysqli_real_escape_string($dbc, trim($_POST['city']));
$province        = mysqli_real_escape_string($dbc, trim($_POST['province']));
$country         = mysqli_real_escape_string($dbc, trim($_POST['country']));
$postalcode      = mysqli_real_escape_string($dbc, trim($_POST['postalcode']));
$phone           = mysqli_real_escape_string($dbc, trim($_POST['phone']));
$email           = mysqli_real_escape_string($dbc, trim($_POST['email']));
$employeecomment = mysqli_real_escape_string($dbc, trim($_POST['employeecomment']));
$employeepic      = mysqli_real_escape_string($dbc, trim($_FILES['employeepic']['name']));
$employeepic_type = $_FILES['employeepic']['type'];   // MIME type as reported by the browser
$employeepic_size = $_FILES['employeepic']['size'];

// Validate picture type.
// $employee_pic is only ever assigned inside this block, so when no picture is
// uploaded ($employeepic is empty) it is never defined; that is what triggers the notice.
if (!empty($employeepic)) {
    if ((($employeepic_type == 'image/jpg') || ($employeepic_type == 'image/jpeg') ||
         ($employeepic_type == 'image/gif') || ($employeepic_type == 'image/png'))
        && ($employeepic_size <= EMP_MAXSIZE) && ($employeepic_size > 0)) {
        // preg_replace() returns the cleaned string; it does not change its argument
        $employeepic = preg_replace('#[\s\&\@\#\$\%\(\)\[\]]#', '', $employeepic);

        // Move the file to the target upload folder
        $target = EMP_UPLOADPATH . $firstname . $employeepic;
        if (move_uploaded_file($_FILES['employeepic']['tmp_name'], $target)) {
            $employee     = $firstname . " " . $lastname;
            $employee_pic = $firstname . $employeepic;
        }
    } else {
        $filetoobig = ' <p class="error"> There was a problem uploading your picture. Maximum size is 30K and must be in jpg, jpeg or pjpeg format</p>';
        @unlink($_FILES['employeepic']['tmp_name']);
        $employee_pic = '';
    }
}

// pulling out records to check for duplicate
$query2    = "SELECT firstname, lastname FROM employee WHERE firstname='$firstname' AND lastname='$lastname'";
$duplicate = mysqli_query($dbc, $query2);

if (mysqli_num_rows($duplicate) <> 0) {
    $query3  = "SELECT employeeid FROM employee WHERE firstname='$firstname' AND lastname ='$lastname'";
    $result3 = mysqli_query($dbc, $query3);
    if ($result3) {
        while ($row = mysqli_fetch_assoc($result3)) {
            $newpic = $row['employeeid'];
        }
    }
    $query2  = "UPDATE employee SET employeepic = '$employee_pic' WHERE employeeid = '$newpic'";
    $result2 = mysqli_query($dbc, $query2);
    mysqli_close($dbc);
    $successup = '<p class="success">You successfully updated this employee record</p>';
} else {
    // query to populate employee form
    // This is "line 121" of the question: $employee_pic is interpolated here
    // whether or not it was ever assigned above.
    $query = "INSERT INTO employee (employerid, jobtitleid, firstname, lastname, address, city, province, country, postalcode," .
             "phone, email, employeecomment, employeepic) VALUES ('$employerid', '$jobtitleid', '$firstname', '$lastname'," .
             " '$address', '$city', '$province', '$country', '$postalcode', '$phone', '$email', '$employeecomment', '$employee_pic')";
    $result = mysqli_query($dbc, $query);
    mysqli_close($dbc);
    $success = '<p class="success">Record created successfully</p>';
}

} // closes the surrounding form-submission check (its opening brace is not part of the excerpt)
?>

AlanD
  • @FatAdama It does not make any difference. I still get the notice. thanks for trying to help. – AlanD Apr 10 '15 at 22:52
  • FatAdama - I am not using statements because I am only 1 month into learning php. I have read and tried PDO but it is too advanced for me to understand. I find the procedural way of coding with mysqli much easier to understand – AlanD Apr 10 '15 at 23:27
  • The variable you're creating is called `$employeepic`. The one in your statement is `$employee_pic` – andrewsi Apr 11 '15 at 02:34
  • Andrewsi - yes, if you look in my script you will notice that I have given the value of $employeepic to $employee_pic. The reason is that I save the optional uploaded file to a folder and save the filename to mysql. I added the $firstname variable, concatenated to $employeepic, to the upload path in the event someone uploads a file with the same name. By transferring the value I also solve the erroneous entry made in mysql of saving the $firstname by itself as a file but with no associated file in the folder. – AlanD Apr 11 '15 at 03:14
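The upload branch in the question assigns $employee_pic only when a file was accepted, so a form submitted without a picture never defines it. The following is an added example, not the poster's code, that gives the variable a default before any upload handling and then derives the stored filename without trusting the client: it uses $_FILES['employeepic']['error'] to tell "no file" apart from a failed upload, checks the bytes on disk with finfo instead of the browser-supplied type (which the question compares against image/jpeg and friends), and names the file on the server instead of building the path from the user-supplied name and first name (neither mysqli_real_escape_string() nor the preg_replace() in the question is a path sanitizer). EMP_UPLOADPATH and EMP_MAXSIZE are the question's constants; store_employee_picture() is this example's own name.

```php
<?php
// Added example, not the poster's code. EMP_UPLOADPATH / EMP_MAXSIZE are the
// question's constants; store_employee_picture() is this example's own name.

/**
 * Returns the filename to store in the database, or '' when no picture was sent.
 * Throws RuntimeException when a picture was sent but cannot be accepted.
 */
function store_employee_picture(array $file, $uploadPath, $maxSize)
{
    // No file chosen is a normal case, not an error: return the default.
    if (!isset($file['error']) || $file['error'] === UPLOAD_ERR_NO_FILE) {
        return '';
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . (int) $file['error']);
    }
    if ($file['size'] <= 0 || $file['size'] > $maxSize) {
        throw new RuntimeException('Picture must be between 1 and ' . $maxSize . ' bytes');
    }

    // $_FILES[...]['type'] is whatever the browser (or curl) chose to send.
    // Inspect the uploaded bytes instead.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);

    $allowed = array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Only JPEG, PNG or GIF pictures are accepted');
    }

    // Name the file ourselves: nothing client-controlled (original filename,
    // first name, claimed type) reaches the filesystem path.
    $stored = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];   // random_bytes(): PHP 7+
    $target = rtrim($uploadPath, '/\\') . DIRECTORY_SEPARATOR . $stored;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move the uploaded file into place');
    }
    return $stored;
}

// Usage in the form handler: $employee_pic is defined on every path from here on.
$employee_pic = '';
$filetoobig   = '';
if (isset($_FILES['employeepic'])) {
    try {
        $employee_pic = store_employee_picture($_FILES['employeepic'], EMP_UPLOADPATH, EMP_MAXSIZE);
    } catch (RuntimeException $e) {
        $filetoobig = '<p class="error">' . htmlspecialchars($e->getMessage()) . '</p>';
    }
}
```

Two caveats on the design: the extension comes from the detected type, so a file the uploader named shell.php but which starts like a JPEG is stored as a .jpg; keep the upload directory outside any location where the web server executes scripts, since content sniffing accepts anything that begins like an image. And because the stored name is random, a duplicate first name can no longer collide with an existing file, which was the reason the question prepends $firstname to the name.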

1 Answer


For something like a $_POST, you may want to wrap your assignments in an isset()—something like:

if (isset($_POST['var'])) {
    $var = $_POST['var'];
} else {
    $var = null;
}

This way, every variable is initialized.

On a side note, it's really scary that you're not using prepared statements using PDO. Without using prepared statements, you're vulnerable to SQL injection! It doesn't matter how much sanitization you think you're using.

David Wyly
  • _“Without using prepared statements, you're vulnerable to SQL injection! It doesn't matter how much sanitization you think you're using.”_ – that is a nonsense statement – _if_ values are handled correctly, then there is no risk of SQL injection, even without prepared statements. (That being said, OP’s code is quite terrible in many ways.) – CBroe Apr 10 '15 at 22:33
  • The issue lies in the fact that, barring really robust sanitization, chances are that all cases are not accounted for. This is generally the rule rather than the exception. – David Wyly Apr 10 '15 at 22:39
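The answer's isset() pattern and its prepared-statement advice, carried through the question's insert-or-update logic as one added example (not the answer's or the poster's code). It stays with the procedural mysqli API the poster already uses, so no move to PDO is needed: mysqli_prepare() and mysqli_stmt_bind_param() send the values separately from the SQL text, so mysqli_real_escape_string() and its quoting rules (escaping only protects a value that is enclosed in quotes in the query string) drop out entirely. $dbc and the employee table columns are taken from the question; post_field() and save_employee() are the example's own names, and $employee_pic is assumed to already hold the stored picture filename or '' when none was uploaded. The employeeid column is assumed to be an integer.

```php
<?php
// Added example, not the answer's or the poster's code. $dbc is the question's
// mysqli connection; post_field() and save_employee() are this example's names.

// Every form field is defined after this call, whether or not it was submitted
// (the answer's isset() pattern, wrapped in a function).
function post_field($name, $default = '')
{
    return isset($_POST[$name]) ? trim($_POST[$name]) : $default;
}

/**
 * Inserts a new employee, or updates the picture of an existing employee with
 * the same first and last name. Returns 'created' or 'updated'; throws on a
 * database error. Every value is bound, never interpolated into the SQL.
 */
function save_employee(mysqli $dbc, array $f, $employee_pic)
{
    // Duplicate check: a bound parameter replaces the quoted '$firstname' interpolation.
    $stmt = mysqli_prepare($dbc, 'SELECT employeeid FROM employee WHERE firstname = ? AND lastname = ?');
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($dbc));
    }
    mysqli_stmt_bind_param($stmt, 'ss', $f['firstname'], $f['lastname']);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $employeeid);
    $exists = (mysqli_stmt_fetch($stmt) === true);
    mysqli_stmt_close($stmt);

    if ($exists) {
        $stmt = mysqli_prepare($dbc, 'UPDATE employee SET employeepic = ? WHERE employeeid = ?');
        if ($stmt === false) {
            throw new RuntimeException(mysqli_error($dbc));
        }
        mysqli_stmt_bind_param($stmt, 'si', $employee_pic, $employeeid);   // employeeid assumed INT
        if (!mysqli_stmt_execute($stmt)) {
            throw new RuntimeException(mysqli_stmt_error($stmt));
        }
        mysqli_stmt_close($stmt);
        return 'updated';
    }

    $sql = 'INSERT INTO employee (employerid, jobtitleid, firstname, lastname, address, city, province, '
         . 'country, postalcode, phone, email, employeecomment, employeepic) '
         . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = mysqli_prepare($dbc, $sql);
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($dbc));
    }
    // 13 placeholders, 13 type characters. Everything is bound as a string;
    // MySQL converts to the column type, so unknown id column types are not a problem.
    mysqli_stmt_bind_param($stmt, 'sssssssssssss',
        $f['employerid'], $f['jobtitleid'], $f['firstname'], $f['lastname'],
        $f['address'], $f['city'], $f['province'], $f['country'],
        $f['postalcode'], $f['phone'], $f['email'], $f['employeecomment'],
        $employee_pic);
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException(mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
    return 'created';
}

// Usage in the form handler, after the upload has been processed.
$fields = array();
foreach (array('employerid', 'jobtitleid', 'firstname', 'lastname', 'address', 'city',
               'province', 'country', 'postalcode', 'phone', 'email', 'employeecomment') as $name) {
    $fields[$name] = post_field($name);
}
$employee_pic = isset($employee_pic) ? $employee_pic : '';   // '' when no picture was stored

$outcome = save_employee($dbc, $fields, $employee_pic);
mysqli_close($dbc);
$success = ($outcome === 'created')
    ? '<p class="success">Record created successfully</p>'
    : '<p class="success">You successfully updated this employee record</p>';
```

Note that no field is passed through mysqli_real_escape_string() any more: with bound parameters the driver never splices the value into the SQL text, so there is nothing to escape, and a value that happens to contain a quote or a backslash is stored exactly as typed. Output into HTML is a separate concern and still needs htmlspecialchars() when the stored values are displayed.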