
I have this PHP form processing code downloaded from the PHP form guide site.

The code works perfectly without any errors on my hosting space.

But if I try to run it on XAMPP localhost, it's not recognizing the fields and gives this error:

    Notice: Undefined variable: varMovie in C:\wamp64\www\form\myform2.php on line 88
    Call Stack
    #   Time    Memory  Function    Location
    1   0.0007  248808  {main}( )   ...\myform2.php:0

Can anyone help me with this? I'm pasting the PHP code:

    <?php
    if (isset($_POST['formSubmit']) && $_POST['formSubmit'] == 'Submit') 
    {
        $errorMessage = "";

        if(empty($_POST['formMovie'])) 
        {
            $errorMessage .= "<li>You forgot to enter a movie!</li>";
        }
        if(empty($_POST['formName'])) 
        {
            $errorMessage .= "<li>You forgot to enter a name!</li>";
        }
        if(empty($_POST['formGender'])) 
        {
            $errorMessage .= "<li>You forgot to select your Gender!</li>";
        }

        $varMovie = $_POST['formMovie'];
        $varName = $_POST['formName'];
        $varGender = $_POST['formGender'];

        if(empty($errorMessage)) 
        {
            $db = mysql_connect("localhost","root","admin");
            if(!$db) die("Error connecting to MySQL database.");
            mysql_select_db("my_db" ,$db);

            $sql = "INSERT INTO movieformdata (moviename, yourname, Gender) VALUES (".
                            PrepSQL($varMovie) . ", " .
                            PrepSQL($varName) . ", " .
                            PrepSQL($varGender) . ")";
            mysql_query($sql);

            header("Location: thankyou.html");
            exit();
        }
    }

    // function: PrepSQL()
    // use stripslashes and mysql_real_escape_string PHP functions
    // to sanitize a string for use in an SQL query
    //
    // also puts single quotes around the string
    //
    function PrepSQL($value)
    {
        // Stripslashes
        if(get_magic_quotes_gpc()) 
        {
            $value = stripslashes($value);
        }

        // Quote
        $value = "'" . mysql_real_escape_string($value) . "'";

        return($value);
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <title>PHP Form processing example</title>
    <!-- define some style elements-->
    <style>
    label, a {
        font-family : Arial, Helvetica, sans-serif;
        font-size : 12px;
    }
    </style>
    </head>

    <body>
    <?php
                if(!empty($errorMessage)) 
                {
                    echo("<p>There was an error with your form:</p>\n");
                    echo("<ul>" . $errorMessage . "</ul>\n");
                }
            ?>
    <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
      <p>
        <label for='formMovie'>Which is your favorite movie?</label>
        <br/>
        <input type="text" name="formMovie" maxlength="50" value="<?=$varMovie;?>" />
      </p>
      <p>
        <label for='formName'>What is your name?</label>
        <br/>
        <input type="text" name="formName" maxlength="50" value="<?=$varName;?>" />
      </p>
      <p>
        <label for='formGender'>What is your Gender?</label>
        <br/>
        <select name="formGender">
          <option value="">Select...</option>
          <!-- full "<?php" open tags: the bare "<?" short tag only works when short_open_tag is enabled -->
          <option value="M"<?php if($varGender=="M") echo(" selected=\"selected\"");?>>Male</option>
          <option value="F"<?php if($varGender=="F") echo(" selected=\"selected\"");?>>Female</option>
        </select>
      </p>
      <input type="submit" name="formSubmit" value="Submit" />
    </form>
    <p> <a href='http://www.html-form-guide.com/php-form/php-form-processing.html'
    >'PHP form processing' article page</a> </p>
    </body>
    </html>
Malik
  • Are both the versions of PHP in localhost and prod server the same? – Praveen Kumar Purushothaman May 24 '16 at 17:58
  • yes. Running on PHP 5.5 – Malik May 24 '16 at 18:00
  • What about the loaded extensions of both? Check `phpinfo()` on both? Maybe enable errors on the prod server? – Praveen Kumar Purushothaman May 24 '16 at 18:00
  • 3
    Are you sure the production server isn't just suppressing the warning? Usually production servers suppress all warnings and development servers show notices/warnings/errors. – Shane May 24 '16 at 18:01
  • `$varMovie` is being created inside a conditional block. If the condition isn't met, it's never created. Then later, after the conditional block, you try to use it. Seems that the condition wasn't met. – David May 24 '16 at 18:05
  • @PraveenKumar What extensions should I look at? I have a free hosting that I'm running the code on. This is localhost: http://postimg.org/image/rnm59nhob/ This is online hosting: http://postimg.org/image/77yk7i797/ I'm not sure how to see phpinfo on my hosting. – Malik May 24 '16 at 18:10
  • Don't use `mysql_*` functions. – Praveen Kumar Purushothaman May 24 '16 at 18:12
  • Yes, the prod server has errors suppressed. It's the same with the prod server as well. – Praveen Kumar Purushothaman May 24 '16 at 18:13
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 24 '16 at 18:17
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 24 '16 at 18:17
  • OK, I'll use mysqli... But how can I hide the errors on my local server, for now? – Malik May 24 '16 at 18:27

1 Answer

You are connecting to localhost as the database server. When you move the code to a different server, you'd be connecting to a different database. Maybe the other server doesn't have a database.

Also, please use mysqli and bind_param instead of mysql_real_escape_string. The hacker group Anonymous found a way around mysql_real_escape_string by sending in single quotes in a foreign language.

Russell Hankins
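The two problems raised on this page, the `Undefined variable` notice (David's comment: the `$var*` variables only exist when the form was submitted, but the template reads them on every request) and the string-built `INSERT` that the answer and Jay Blanchard's comments warn about, can be fixed together. The following is an added rewrite of the poster's script, not code from the question, the answer, or the form-guide site it came from. It keeps the table and column names from the question (`my_db`, `movieformdata`, `moviename`, `yourname`, `Gender`); the database credentials are placeholders, and the helper names `validate_form`, `insert_movie` and `h` are this example's own. Every variable the HTML reads is given a default before the `if`, so the notice goes away because the variable is defined, not because notices are hidden; the row is inserted with a mysqli prepared statement and `bind_param`, so user input never becomes part of the SQL text; and values echoed back into the page go through `htmlspecialchars`, which the original `<?=$varMovie;?>` skipped.

```php
<?php
// Added example (not the original poster's code): the same form handler with
// every template variable defined on every request, a mysqli prepared statement
// for the INSERT, and HTML-escaped output. Credentials below are placeholders.
declare(strict_types=1);

// Validate the submitted fields. Returns [errors, values]; values always holds
// all three keys, so the template never touches an undefined variable.
function validate_form(array $post): array
{
    $values = [
        'movie'  => trim((string)($post['formMovie']  ?? '')),
        'name'   => trim((string)($post['formName']   ?? '')),
        'gender' => (string)($post['formGender'] ?? ''),
    ];
    $errors = [];
    if ($values['movie'] === '') { $errors[] = 'You forgot to enter a movie!'; }
    if ($values['name'] === '')  { $errors[] = 'You forgot to enter a name!'; }
    if (!in_array($values['gender'], ['M', 'F'], true)) {
        $errors[] = 'You forgot to select your Gender!';
    }
    return [$errors, $values];
}

// Insert one row with a prepared statement: the SQL text is fixed, and the
// three values are sent to the server separately, so quotes or charset tricks
// in the input cannot alter the query (the weakness of mysql_real_escape_string).
function insert_movie(mysqli $db, array $values): bool
{
    $stmt = $db->prepare(
        'INSERT INTO movieformdata (moviename, yourname, Gender) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $values['movie'], $values['name'], $values['gender']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Escape a string for use inside an HTML attribute or text node.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defaults for a plain GET request, so the template below is always defined.
$errors = [];
$values = ['movie' => '', 'name' => '', 'gender' => ''];

if (($_POST['formSubmit'] ?? '') === 'Submit') {
    [$errors, $values] = validate_form($_POST);
    if ($errors === []) {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
        $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'my_db');
        $db->set_charset('utf8mb4');
        insert_movie($db, $values);
        $db->close();
        header('Location: thankyou.html');
        exit();
    }
}
?>
<!DOCTYPE html>
<html>
<head><title>PHP Form processing example</title></head>
<body>
<?php if ($errors !== []): ?>
  <p>There was an error with your form:</p>
  <ul><?php foreach ($errors as $e): ?><li><?= h($e) ?></li><?php endforeach; ?></ul>
<?php endif; ?>
<form action="<?= h($_SERVER['PHP_SELF']) ?>" method="post">
  <p><label for="formMovie">Which is your favorite movie?</label><br>
     <input type="text" id="formMovie" name="formMovie" maxlength="50" value="<?= h($values['movie']) ?>"></p>
  <p><label for="formName">What is your name?</label><br>
     <input type="text" id="formName" name="formName" maxlength="50" value="<?= h($values['name']) ?>"></p>
  <p><label for="formGender">What is your Gender?</label><br>
     <select id="formGender" name="formGender">
       <option value="">Select...</option>
       <option value="M"<?= $values['gender'] === 'M' ? ' selected' : '' ?>>Male</option>
       <option value="F"<?= $values['gender'] === 'F' ? ' selected' : '' ?>>Female</option>
     </select></p>
  <input type="submit" name="formSubmit" value="Submit">
</form>
</body>
</html>
```

Loading the page with GET now renders an empty form without any notice, because `$errors` and `$values` exist before the template runs; the `if` around the database work still only executes on a valid submission. Keeping `mysqli_report` in strict mode is deliberate: a wrong hostname (the question's code had `loclhost`) or a missing database then surfaces as an exception on both the local and the hosted server, rather than being masked by a production `display_errors=Off` setting, which is the difference Shane's and Praveen's comments point at.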