0

I'm new to PHP and I've been creating a webapp that will allow me to create an owner in my DB, then allow me to read the owner.

I've been receiving the following errors:

Notice: Undefined variable: new_owner in C:\xampp\htdocs\public\create.php on line 26

Warning: array_keys() expects parameter 1 to be array, null given in C:\xampp\htdocs\public\create.php on line 26

Warning: implode(): Invalid arguments passed in C:\xampp\htdocs\public\create.php on line 26

Notice: Undefined variable: new_owner in C:\xampp\htdocs\public\create.php on line 27

Warning: array_keys() expects parameter 1 to be array, null given in C:\xampp\htdocs\public\create.php on line 27

Warning: implode(): Invalid arguments passed in C:\xampp\htdocs\public\create.php on line 27

Fatal error: Uncaught Error: Call to a member function execute() on boolean in C:\xampp\htdocs\public\create.php:31 Stack trace: #0 {main} thrown in C:\xampp\htdocs\public\create.php on line 31

my code is as follows:

<?php


if (isset($_POST['submit']))
{

require "config.php";
require "common.php";

try 
{
$connection = new mysqli($host, $user, $password, $dbname, $port, $socket);
    
$new_user = array(
"OwnerNum" => $_POST['OwnerNum'],
"LastName"  => $_POST['LastName'],
"Address"     => $_POST['Address'],
"City"       => $_POST['City'],
"State"  => $_POST['State'],
"PostalCode"  => $_POST['PostalCode']
);

$sql = sprintf(
"INSERT INTO %s (%s) values (%s)",
"owners",
implode(", ", array_keys($new_owner)),
":" . implode(", :", array_keys($new_owner))
);
    
$statement = $connection->prepare($sql);
$statement->execute($new_owner);
}

catch(PDOException $error) 
{
echo $sql . "<br>" . $error->getMessage();
}

}
?>

<?php require "templates/header.php"; ?>

<?php 
if (isset($_POST['submit']) && $statement) 
{ ?>
<blockquote><?php echo $_POST['OwnerNum']; ?> successfully added.
</blockquote>
<?php 
} ?>

<h2>Add an Owner</h2>

<form method="post">
<label for="OwnerNum">OwnerNum</label>
<input type="text" name="OwnerNum" id="OwnerNum">
<label for="LastName">Last Name</label>
<input type="text" name="LastName" id="LastName">
<label for="FirstName">First Name</label>
<input type="text" name="FirstName" id="FirstName">
<label for="Address">Address</label>
<input type="text" name="Address" id="Address">
<label for="City">City</label>
<input type="text" name="City" id="City">
<label for="State">State</label>
<input type="text" name="State" id="State">
<label for="PostalCode">PostalCode</label>
<input type="PostalCode" name="PostalCode" id="PostalCode">
<input type="submit" name="submit" value="Submit">
</form>

<a href="index.php">Back to home</a>

<?php require "templates/footer.php"; ?>
Community
  • 1
  • 1
Kevin Jones
  • 1
  • 1
  • 3
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) driver. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Dec 07 '17 at 21:27
  • 1
    `$new_owner` != `$new_user` – Jay Blanchard Dec 07 '17 at 21:30
  • `implode(", ", array_keys())` is invalid. You are better off hard-coding the fields since you are updating a single user. The values can be referenced by the `$array['key']` – Nerds of Technology Dec 07 '17 at 22:31

0 Answers0