-2

I know stackoverflow disapproves of repeat questions, but bear with me as I have scanned many similar questions without finding specific resolutions that will help me. (Mostly they mention things about avoiding database insertions)

I encounter these error messages:

here db connection success
Notice: Undefined variable: firstname in  C:\xampp\htdocs\practice_connection_app\submit.php on line 10

Notice: Undefined variable: lastname in  C:\xampp\htdocs\practice_connection_app\submit.php on line 10

Notice: Undefined variable: conn in   C:\xampp\htdocs\practice_connection_app\submit.php on line 11

Fatal error: Call to a member function exec() on null in C:\xampp\htdocs\practice_connection_app\submit.php on line 11

The first result simply shows that I have connected to my database which I made using phpMyadmin.

Here is my relevant code (my html submission page which calls on a php action):

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>student info</title>
    </head>
    <body>
        <br>
        Enter your first name and last name in the corresponding boxes.
        <br>
        <form  action="submit.php" method="POST">
            First: <input type="text" name="firstname"/>
        <br>
            Last: <input type="text" name="lastname"/>
        <br>
        <input type="submit">
        </form>


    </body>
</html>

the database connection (I think)

<?php
echo 'here';
    $dsn = 'mysql:host=localhost;dbname=practice_students';
    $username = 'test_usr';
    $password = 'pa55word';

    try {
        $db = new PDO($dsn, $username, $password);
        echo 'db connection success';
    } catch (PDOException $e) {
        $error_message = $e->getMessage();
        include('database_error.php');
        exit();
    }

?>

AND my php submit page

<?php
echo 'here ';
    $dsn = 'mysql:host=localhost;dbname=practice_students';


    try {
        $db = new PDO($dsn);
        echo 'db connection success';
        $sql = "INSERT INTO people (firstname, lastname)
               VALUES ('$firstname', '$lastname')";
        $conn->exec($sql);
        echo "Now we know your name! Hi," . " " . $firstname . " " . $lastname;
    } catch (PDOException $e) {
        $error_message = $e->getMessage();
        include('database_error.php');
        exit();
    }
?>

I understand that I may need to do some 'cleaning up' to avoid database insertions, but for now I would just like to know how I can ensure my submissions are going to the database and can be returned.

Thanks in advance!

  • 2
    1. You are not creating a db connection anywhere (`$conn`) - how do you expect to use it? 2. Where in your code are you populating `$firstname` and `$lastname` from `$_POST`? – Traveling Tech Guy Nov 17 '16 at 17:10
  • I'm not quite sure if this is correct but I probably should have added this page to the question: getMessage(); include('database_error.php'); exit(); } ?> – Curiosity List Nov 17 '16 at 17:11
  • Please do not dump code in comments as it nearly impossible to decipher. Edit your original question to add any new information. – Jay Blanchard Nov 17 '16 at 17:29
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) – Jay Blanchard Nov 17 '16 at 17:30

1 Answer

2

Not sure which manual you have been reading to end up with that code....

You need to access your POST variables (using $_POST['firstname']) AFTER sanitizing them of course....

EDIT:

To access the POSTed variable, you can do the following:

$firstname = $_POST['firstname'];

But you really need some sanitization going on, you could use PHP's filter_var:

$firstname = filter_var($_POST['firstname'], FILTER_SANITIZE_STRING);

Though, you can do better than that, and be very strict in what you allow through your filters / sanitizers... Please go investigate this part after you get your code "working" :)

Stuart
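As an added example (this is not the asker's or the answerer's code), here is a submit.php that puts the answer and the comments together: it reads the two fields from $_POST, validates them with a strict allow-list rather than FILTER_SANITIZE_STRING (which PHP 8.1 deprecated), opens the PDO connection with the DSN and credentials posted in the question, and inserts with a prepared statement so the submitted values never become part of the SQL text. It assumes the people table has an auto-increment id column (not shown in the question) so the new row can be read back, and that the HTML form from the question posts to this file.

```php
<?php
// Added example of a corrected submit.php for the question above.
// DSN, credentials and the people(firstname, lastname) table come from the
// question; the auto-increment id column used to read the row back is assumed.
declare(strict_types=1);

// Accept only POST submissions, i.e. the form, not a casual GET of the URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the form to submit your name.');
}

/**
 * Validate one name field from the POST body.
 * Accepts a string that, after trimming, is non-empty, at most 50 characters,
 * starts with a letter and contains only letters, spaces, hyphens or
 * apostrophes. Returns the cleaned value, or null when the input is rejected.
 */
function validateName(array $post, string $field): ?string
{
    $raw = $post[$field] ?? '';
    if (!is_string($raw)) {          // firstname[]=... would arrive as an array
        return null;
    }
    $value = trim($raw);
    if ($value === '' || mb_strlen($value) > 50) {
        return null;
    }
    // Allow-list rather than strip-list: anything outside this set is refused.
    if (preg_match('/^\p{L}[\p{L} \'-]*$/u', $value) !== 1) {
        return null;
    }
    return $value;
}

$firstname = validateName($_POST, 'firstname');
$lastname  = validateName($_POST, 'lastname');
if ($firstname === null || $lastname === null) {
    http_response_code(400);
    exit('Please enter a first and last name (letters, spaces, hyphens, apostrophes; 50 characters max).');
}

$dsn      = 'mysql:host=localhost;dbname=practice_students;charset=utf8mb4';
$username = 'test_usr';
$password = 'pa55word';

try {
    $db = new PDO($dsn, $username, $password, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);

    // The SQL text contains only placeholders; the values are sent separately,
    // so they cannot change the statement's structure (the fix for the SQL
    // injection the comments warn about).
    $insert = $db->prepare(
        'INSERT INTO people (firstname, lastname) VALUES (:firstname, :lastname)'
    );
    $insert->execute([':firstname' => $firstname, ':lastname' => $lastname]);

    // Read the row back to confirm it reached the database (assumes an
    // auto-increment id column on people).
    $id = (int) $db->lastInsertId();
    $select = $db->prepare('SELECT firstname, lastname FROM people WHERE id = :id');
    $select->execute([':id' => $id]);
    $row = $select->fetch();
    if ($row === false) {
        exit('The row could not be found after inserting it.');
    }

    // Escape on output so a stored name cannot inject markup into this page.
    echo 'Now we know your name! Hi, '
        . htmlspecialchars($row['firstname'], ENT_QUOTES, 'UTF-8') . ' '
        . htmlspecialchars($row['lastname'], ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    // Keep the driver's message in the server log; show the user a generic one.
    error_log('Database error in submit.php: ' . $e->getMessage());
    http_response_code(500);
    exit('Sorry, something went wrong while saving your name.');
}
```

The validation is deliberately an allow-list: FILTER_SANITIZE_STRING only strips tags, which says nothing about whether the remaining text is a plausible name, whereas rejecting anything outside a small character set gives the "very strict" filtering the answer recommends. Note that the prepared statement, not the validation, is what prevents SQL injection; the validation is about data quality and the htmlspecialchars() call is about safe output.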