Unexpected '$_POST' error messsage

Question

I hope someone will help me with this. :( Here's my error message. Thank you in advance.

desc

And also here's my code.

<tr>
                <td><label for="cname">Client Name:</label></td>
                <td><select name="cname" id="cname">
                        <option>Choose</option>
                        <?php
                            include("alqdb.php");
                            $result=mysqli_query($con, "SELECT ClientName FROM events");
                            while($row=mysqli_fetch_assoc($result)){
                                echo "<option>".$row["ClientName"]."</option>";
                            }
                        ?>
                        </select>
                </td>
            </tr>
            <tr>
                <td><label for="survey">Survey:</label></td>
                <td><select name="survey" id="survey">
                        <option>Choose</option>
                        <?php
                            include("alqdb.php");
                            $result=mysqli_query($con, "SELECT * FROM events WHERE ClientName = '"$_POST['cname']"'");
                            while($row=mysqli_fetch_assoc($result)){
                                echo "<option>".$row["EventTitle"]."</option>";
                            }
                        ?>
                        </select>
                </td>
            </tr>

**WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. — tadman, Sep 13 '16 at 16:59

score 2 · Answer 1 · answered Sep 13 '16 at 15:04

2

You need to concatenate the string properly:

$result=mysqli_query($con, "SELECT * FROM events WHERE ClientName = '".$_POST['cname']."'");

Note the periods on either side of the variable. Or you can put it inline with brackets:

$result=mysqli_query($con, "SELECT * FROM events WHERE ClientName = '{$_POST['cname']}'");

In any case, you're wide open for SQL injection. Look into prepared statements, and you won't have this kind of issue.

answered Sep 13 '16 at 15:04

aynber

22,380
8
50
63

thank you for helping me. but your two codes have an error. Notice: Undefined index: cname in C:\wamp\www\capstoneproject\alqbilling.php on line 86 – Francis Vargas Sep 13 '16 at 15:09
Then you're not passing `cname` properly in your `POST`. Check to make sure it exists and has a value before running your query. – aynber Sep 13 '16 at 15:11
ohh. that's also what I think. I think my first drop down has no value. can you help me about that? :) – Francis Vargas Sep 13 '16 at 15:13
@FrancisVargas He/she already answered your question. That is a different issue. You can resolve that a number of ways as well. `isset`, `empty`, etc. Don't post a question on that issue because it will be a duplicate. See: http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index – chris85 Sep 13 '16 at 15:15
1

It's better to ask that in another question, so as to not clutter up this one. – aynber Sep 13 '16 at 15:17

score 1 · Answer 2 · answered Sep 13 '16 at 15:14

Use PDO and prepare statements to be safe. Also you're including your database twice, you only will need to include it once.

Change your datebase file to this.

try {
  $db = new PDO("mysql:host=localhost;dbname=second;port=8889","root","root");
  $db->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_EXCEPTION);
  $db->exec("SET NAMES 'utf8'");
} catch (Exception $e){
  echo 'Could not connect to the database.';
  exit();
}

Then when you want to safely use your database, use this

$foo = trim(htmlspecialchars($_POST['cname']));//depending on where your information comes from, you might want to use htmlspecialchars

try{
  $results = $db->prepare("SELECT * FROM events WHERE ClientName = ?");
  $results->bindParam(1,$foo);// you can also use bindValue here if you intend to use a for loop
  $results->execute();
  $hold = $results->fetchAll(PDO::FETCH_ASSOC);
} catch (Exception $e) {
  echo "Data could not be retrieved from the database.";
  exit();
}
foreach($hold as $value){
    echo $value['ClientName'];
}

score -1 · Answer 3 · answered Sep 13 '16 at 15:08

-1

Try this:

... "SELECT * FROM events WHERE ClientName = '" . $_POST['cname'] . "'"

But please note that your code will permit SQL Injection!!! Your post should be escaped before ...

Please see: SQL Injection

answered Sep 13 '16 at 15:08

Leonard Lepadatu

606
8
14

Unexpected '$_POST' error messsage

3 Answers3