Undefined_index ajax call

Question

Hi Hello Every One i Start A New Code But i can not figure out the error on my code

The Code wen i send a call to my script like this http://www.mywebsite.com/savedata.php?user_id=abc

and this is my code

<?php
header('Access-Control-Allow-Origin: *');
error_reporting(E_ALL);
ini_set('display_errors',1);

$servername = "localhost";
$username = "user_name";
$password = "pass";

try {
    $conn = new PDO("mysql:host=$servername;dbname=mydb_name", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo "Connected successfully"; 
}
catch(PDOException $e){
    echo "Connection failed: " . $e->getMessage();
}


if(isset($_GET['user_id'])){
     //$user_id = intval($_GET['user_id']);
     //Lightly sanitize the GET's to prevent SQL injections and possible XSS attacks

    try {
      $dbh = new PDO("mysql:host=$servername;dbname=db_name", $username, $password);

      $user_id = @$_GET['user_id'];  
      $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // <== add this line
      $sql = "INSERT INTO users (user_id) VALUES ('".$_POST["user_id"]."')";
      if ($dbh->query($sql)) {
         echo "<script type= 'text/javascript'>alert('New Record Inserted Successfully');</script>";
      }
      else{
         echo "<script type= 'text/javascript'>alert('Data not successfully Inserted.');</script>";
      }    
      $dbh = null;
    }
    catch(PDOException $e){
       echo $e->getMessage();
    }

}
?>

$sql->execute(array($user_Id));


     if($sql){         
          //The query returned true - now do whatever you like here.
          echo 'Your ID was saved. Congrats!';              
     }else{         
          //The query returned false - you might want to put some sort of error reporting here. Even logging the error to a text file is fine.
          echo 'There was a problem saving your points. Please try again later.';              
     }         
}else{
     echo 'Your id wasnt passed in the request.';
}

// close MySQL connection 
$conn = null;
?>
<html>
<head>
</head>
<body>
<body bgcolor="#ffffff">
</body>
</html>

Possible dup? [PHP: “Notice: Undefined variable” and “Notice: Undefined index”](http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index) — M. Eriksson, Aug 31 '16 at 11:13
`"INSERT INTO users (user_id) VALUES ('".$_POST["user_id"]."')"` - Major security issue. You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). — M. Eriksson, Aug 31 '16 at 11:14
Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) — RiggsFolly, Aug 31 '16 at 11:15
$sql = "INSERT INTO users (user_id) VALUES ('".$_GET["user_id"]."')"; — JYoThI, Aug 31 '16 at 11:15
Code is complete nonsence. Copy/paste is fine but you also have to understand the code your borrow — RiggsFolly, Aug 31 '16 at 11:16
Also dont silence errors using the `@` symbol. If you have errors **fix them** — RiggsFolly, Aug 31 '16 at 11:17
You're also connecting to two different database tables in your two db connections. — M. Eriksson, Aug 31 '16 at 11:17
The: `$sql->execute(array($user_Id));` is actually after `?>` and will be literally printed on the page in plain text. — M. Eriksson, Aug 31 '16 at 11:19

score 0 · Answer 1 · answered Aug 31 '16 at 11:13

0

You check for $_GET['user_id']...

if(isset($_GET['user_id'])){

...but then you try to access $_POST['user_id']:

$sql = "INSERT INTO users (user_id) VALUES ('".$_POST["user_id"]."')";

P.S.: in the query you can simply use $user_id, given that some line before you do:

$user_id = @$_GET['user_id'];

answered Aug 31 '16 at 11:13

Davide Visentin

735
5
19

There is a lot more wrong with this code than what you mention – RiggsFolly Aug 31 '16 at 11:20
I know. I've just signaled the error for wich the question was posted. – Davide Visentin Aug 31 '16 at 11:26

score 0 · Answer 2 · answered Aug 31 '16 at 11:13

0

You sometimes use $_GET["user_id"], but sometimes $_POST["user_id"]. If you are always sending data through GET you should always use $_GET["user_id"].

Or simply use $_REQUEST["user_id"].

answered Aug 31 '16 at 11:13

Boris Schegolev

3,601
5
21
34

There is a lot more wrong with this code than what you mention – RiggsFolly Aug 31 '16 at 11:20
Sure is. I'm just addressing the error described in the question. Design, security and performance of the given code are of no interest to me. – Boris Schegolev Aug 31 '16 at 11:26
so you mean like this? $sql = "INSERT INTO users (user_id) VALUES ('".$user_id =@$_GET['user_id']; ."')"; – Antoine Ferras Aug 31 '16 at 11:27

Undefined_index ajax call

Hi Hello Every One i Start A New Code But i can not figure out the error on my code

2 Answers2