-1

I am running this piece of code; it is working as expected but giving notices:

<!DOCTYPE html>
<?php 
 $db= mysqli_connect("localhost","root","","php") or die ("Connection wrong!");
?>
<html>
<body>

    <form method="POST" action="db.php">
        <input type="text" name="name" placeholder="Enter name here"><br>
        <input type="password" name="pass" placeholder="Enter pass here"><br>
        <input type="text" name="email" placeholder="Enter email here"><br>
        <input type="submit" name="sub" value="Insert">

    </form>
<?php

    if(isset($_POST['sub'])){

            $name = $_POST['name'];
            $pass = $_POST['pass'];
            $email = $_POST['email'];
    }

    $insert = "insert into users (name,pass,email) values ('$name','$pass','$email')";
    $run = mysqli_query($db,$insert);

    if($run){
        echo "<h3> Reg Success!!</h3>";
    }
?>
<br/>
<table width="500" bgcolor="orange" border="2">
    <tr>
        <th>S.N</th>
        <th>Name</th>
        <th>Password</th>
        <th>Email</th>
        <th>Edit</th>
        <th>Delete</th>
    </tr>
    <tr>
        <td></td>
        <td></td>
        <td></td>
        <td></td>
        <td></td>
        <td></td>
    </tr>
</table>
</body>
</html>

It's working, but with these notices; the line number points to the line where $insert is being declared. What might be causing this?


BlackCat
  • You define the variables in the if block, but run the insert outside of it. Move the query inside the if block so it only runs when the variables are defined. – aynber May 22 '18 at 14:04
  • what is on your line 32 on db.php? – Juan Diego May 22 '18 at 14:05
  • What @aynber said. Also, beware of [little bobby tables](https://xkcd.com/327/). – Vatev May 22 '18 at 14:06
  • @Vatev "little bobby tables": lucky for us it doesn't work on a PHP MySQL client because `mysqli_query()` doesn't support multiple SQL statements separated with semicolons (`;`). But you are right, the topic starter should use prepared statements to protect against SQL injections that are possible on PHP MySQL clients. Read https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Raymond Nijland May 22 '18 at 14:11
  • @RaymondNijland multiple statements are only 1 hole in the Swiss cheese. There are many other ways to abuse SQL injections. Also the code doesn't work for people who are named "O'neal", for example. – Vatev May 22 '18 at 14:44

4 Answers

2

I think it's because of the } that you are putting before the insert

if(isset($_POST['sub'])){

            $name = $_POST['name'];
            $pass = $_POST['pass'];
            $email = $_POST['email'];

To this

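if(isset($_POST['sub'])){

    $name = $_POST['name'];
    $pass = $_POST['pass'];
    $email = $_POST['email'];

    // the query is built and run only when the form was submitted
    $insert = "insert into users (name,pass,email) values ('$name','$pass','$email')";
    $run = mysqli_query($db,$insert);

    if($run){
        echo "<h3> Reg Success!!</h3>";
    }
}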
Ende
Dev web
1
    <?php
    if (isset($_POST['sub'])) {
        // isset() checks that each POST variable exists before it is read
        $name  = isset($_POST['name'])  ? $_POST['name']  : '';
        $pass  = isset($_POST['pass'])  ? $_POST['pass']  : '';
        $email = isset($_POST['email']) ? $_POST['email'] : '';

        // Insert into database should be inside the conditional statement
        $insert = "insert into users (name,pass,email) values ('$name','$pass','$email')";
        $run = mysqli_query($db, $insert);

        // $run is only defined inside this block, so it is tested here
        if ($run) {
            echo "<h3> Reg Success!!</h3>";
        }
    }
    ?>
Null Pointer
  • @RaymondNijland there shouldn't be any notices on those if the form is submitted correctly. If the form isn't correct - the notices are not the problem. – Vatev May 22 '18 at 14:09
1

A notice means that you are trying to access a non-existent variable. To avoid the notice you can use the same approach you use to check $_POST['sub']: isset().

Hope this helps you. It also wouldn't be bad to read about PHP errors: notice, warning, fatal error :)

EDIT: It is also good practice to check for a POST request, something like this:

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
  // and here you can do your validations and save your data
  // or whatever you want to do
}

This means that your form is submitted, because, as we can see in your code, your HTML form method is "POST".

I have edited your code for a few reasons; please check it out:

<!DOCTYPE html>
<html>
<body>

    <form method="POST" action="db.php">
        <input type="text" name="name" placeholder="Enter name here"><br>
        <input type="password" name="pass" placeholder="Enter pass here"><br>
        <input type="text" name="email" placeholder="Enter email here"><br>
        <input type="submit" name="sub" value="Insert">

    </form>

    <br/>

    <table width="500" bgcolor="orange" border="2">
        <tr>
            <th>S.N</th>
            <th>Name</th>
            <th>Password</th>
            <th>Email</th>
            <th>Edit</th>
            <th>Delete</th>
        </tr>
        <tr>
            <td></td>
            <td></td>
            <td></td>
            <td></td>
            <td></td>
            <td></td>
        </tr>
    </table>
</body>
</html>

<?php

    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Here we have post request

        // open connection
        $db = mysqli_connect("localhost","root","","php") or die ("Connection wrong!");

        // here you must validate user input
        $name = $_POST['name'];
        $pass = $_POST['pass'];
        $email = $_POST['email'];

        // and then make insert
        $insert = "insert into users (name,pass,email) values ('$name','$pass','$email')";
        if(mysqli_query($db,$insert)) {
           echo "<h3> Reg Success!!</h3>";
        }
    }
?>
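
Added example, not part of the answer above or of any post on this page: the same handler with the query kept inside the request check and the values bound through a prepared statement, as the comments on the question recommend. The helper names `validate_registration` and `register_user` are hypothetical. It assumes the page's `php` database and a `users(name, pass, email)` table whose `pass` column can hold `password_hash()` output; hashing the password is an addition here, since the posted code stores it as typed.

```php
<?php
// Added example: assumes the page's "php" database and a users(name, pass, email)
// table whose pass column can hold password_hash() output, e.g. VARCHAR(255).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: returns a list of validation errors (empty when valid).
function validate_registration(array $post): array
{
    $errors = [];
    foreach (['name', 'pass', 'email'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is required";
        }
    }
    if (!$errors && filter_var(trim($post['email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    return $errors;
}

// Hypothetical helper: inserts one user through a parameterised query.
function register_user(mysqli $db, string $name, string $pass, string $email): bool
{
    // Placeholders keep the values out of the SQL text, so a name such as
    // O'neal is stored as data and cannot alter the statement.
    $stmt = $db->prepare('INSERT INTO users (name, pass, email) VALUES (?, ?, ?)');
    $hash = password_hash($pass, PASSWORD_DEFAULT); // store a hash, not the password
    $stmt->bind_param('sss', $name, $hash, $email);
    return $stmt->execute();
}

// Everything that reads $_POST runs only for a submitted form, so no
// undefined-variable notice can occur on a plain page load.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $errors = validate_registration($_POST);
    if ($errors) {
        foreach ($errors as $error) {
            echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    } else {
        $db = new mysqli('localhost', 'root', '', 'php');
        $db->set_charset('utf8mb4');
        if (register_user($db, trim($_POST['name']), $_POST['pass'], trim($_POST['email']))) {
            echo '<h3>Reg Success!!</h3>';
        }
    }
}
```
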
0

In "Proper" programming, before assigning a variable any value, you are supposed to "declare" them.

Try putting this above the if statement where you determine if there's a post value.

// give each variable an initial value so it exists even when nothing was posted
$name = '';
$pass = '';
$email = '';