
I know there are several similar questions like mine. But I've gone through most of them but found only similar answers that don't solve my situation:

I am creating a PHP website using OOP and wish to edit a record from the database. Here is the link to edit_short.php:

```php
<td><a href="edit_short.php?id=<?php echo $short->id; ?>">Edit</a></td>
```

This record id is received in edit_short.php as follows:

```php
<?php
require_once("short.php");
$id = null;
// $short = new stdClass(); **I was told to use this but it didn't work**

if (isset($_GET['id'])) {
  $id=$_GET['id'];
  $short = Short::find_by_id($id);
}

if (isset($_POST['edit_short_btn'])) { 
  $short->title = $_POST['title']; //the error is on this line
  $short->short_text = $_POST['short_text'];
}
```

Here is the relevant section of my Short class:

```php
public static function find_by_id($id=0) {
  global $database;
  $result_array = self::find_by_sql("SELECT * FROM short WHERE id=$id LIMIT 1");
  return !empty($result_array) ? array_shift($result_array) : false;
}
```

In some answers on Stack Overflow and other websites I was told to define $short as an object of stdClass, but that doesn't apply here since the $short object in my case must be of the Short class.

Thank you very much for any help.

Awa Melvine
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jul 22 '16 at 18:52
  • FYI, your code is subject to SQL injection attacks, and likely XSS as well. Use prepared/parameterized queries in your SQL. Use `htmlspecialchars()` or similar when injecting data into an HTML context. – Brad Jul 22 '16 at 18:52
  • just put a @ in front of that line, it's the answer to every error in php ;) – Nick B Jul 22 '16 at 18:58
  • Is there any particular reason for defining find_by_id as a static function ? – Ravinder Reddy Jul 22 '16 at 18:58
  • You are assigning the return of `find_by_id()` to `$short` which is an array or `false` and then trying to use `$short` as an object: `$short->title`. So it appears, that you have no idea what you are doing... – AbraCadaver Jul 22 '16 at 19:00
  • what exactly does this `find_by_sql()` function do? – Marc B Jul 22 '16 at 19:00
  • `$short` probably isn't defined. Make sure you're hitting the first if, which you may not be able to since you really can't/shouldn't mix GET/POST. – aynber Jul 22 '16 at 19:01
  • Yes. find_by_id() doesn't belong to a particular object of the class. It can be used even when there is no instance of the Short class – Awa Melvine Jul 22 '16 at 19:01
  • Agreeing to @JayBlanchard and @Brad... if you only use a single instance of that `Short` class, it would be `$short::title = ...` and the like. `$short` refers to an object instance, which you do not create; you would have to do `$anything = new Short();` before. – syck Jul 22 '16 at 19:02
  • In other words, either access it by a single object (`::`) or create an instance (`new` and `->`). – syck Jul 22 '16 at 19:03
  • `$anything = new Short();` would create an entirely new object right? But I am editing here so I need the attributes of the object I am editing – Awa Melvine Jul 22 '16 at 19:04
  • Which you can access with `$anything->someAttribute` then if they are declared public. – syck Jul 22 '16 at 19:05
  • Possible duplicate of [Creating default object from empty value in PHP?](http://stackoverflow.com/questions/8900701/creating-default-object-from-empty-value-in-php) – Jocelyn Jul 22 '16 at 19:59

1 Answer

It seems like you don't check for the case when find_by_id(...) returns false which could cause that warning.

Filip Smola
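Putting the answer above and the comments on the question together, here is an added example of what a hardened edit_short.php could look like. It is not the asker's code or anything from the question: it replaces the string-interpolated query with a PDO prepared statement (removing the SQL injection the comments point at), checks the lookup result before touching `$short->title` (the missing check the answer describes), and escapes values with `htmlspecialchars()` before echoing them into the form. The `Short` class, its `update()` method, the `$database` PDO connection and the DSN/credential placeholders are assumptions of this example; the table and column names (`short`, `id`, `title`, `short_text`) and the `edit_short_btn` field come from the question. Requires PHP 7.4 or later for typed properties and arrow functions.

```php
<?php
// Added example, not the asker's code. Assumes a PDO connection in $database
// and a "short" table with columns id, title, short_text (names from the question).

class Short
{
    public int $id;
    public string $title;
    public string $short_text;

    // Parameterised lookup: $id is bound as a value and never becomes part of the SQL text.
    public static function find_by_id(PDO $database, int $id): ?Short
    {
        $stmt = $database->prepare('SELECT id, title, short_text FROM short WHERE id = :id LIMIT 1');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null; // no such record; the caller must handle this case
        }
        $short = new Short();
        $short->id = (int) $row['id'];
        $short->title = $row['title'];
        $short->short_text = $row['short_text'];
        return $short;
    }

    // Hypothetical save method, also parameterised.
    public function update(PDO $database): bool
    {
        $stmt = $database->prepare('UPDATE short SET title = :title, short_text = :short_text WHERE id = :id');
        return $stmt->execute([
            ':title'      => $this->title,
            ':short_text' => $this->short_text,
            ':id'         => $this->id,
        ]);
    }
}

// Connection details are placeholders; substitute your own DSN and credentials.
$database = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
    ]
);

// Validate the id from the query string: anything that is not a positive integer is rejected.
// filter_input() returns null when the parameter is absent and false when it fails validation.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// Look the record up on every request (GET shows the form, POST saves it) and stop
// if it does not exist. Without this check a missing row leaves $short as false/null,
// and the "Creating default object from empty value" warning follows on $short->title.
$short = Short::find_by_id($database, $id);
if ($short === null) {
    http_response_code(404);
    exit('Record not found');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['edit_short_btn'])) {
    $short->title      = (string) ($_POST['title'] ?? '');
    $short->short_text = (string) ($_POST['short_text'] ?? '');
    $short->update($database);
}

// Escape before placing data into HTML so stored text cannot inject markup or script.
$h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<form method="post" action="edit_short.php?id=<?= $h((string) $short->id) ?>">
  <input type="text" name="title" value="<?= $h($short->title) ?>">
  <textarea name="short_text"><?= $h($short->short_text) ?></textarea>
  <button type="submit" name="edit_short_btn" value="1">Save</button>
</form>
```

Two design choices are worth noting. The record is loaded unconditionally before the POST branch, so `$short` is always a `Short` instance (or the script has already exited) by the time `$short->title` is assigned; this is what removes the warning, independent of whether the request is a GET or a POST. And because `find_by_id()` returns `?Short` rather than `false`, a forgotten check surfaces as a type error in development instead of silently creating a default object.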