-2

I'm trying to figure out what went wrong with my code. Basically, I'm just trying to create an "insert data" modal for my PHP homework. I have a database named sampleDB and this data is supposed to go into the table named "con_tab".

I'm using XAMPP for my homework.

The database:

<?php
$conn = mysqli_connect("localhost","root","","sampleDB");

if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
?>

The modal's header where I catch errors:

<?php 
require('../config/Database.php');
$query = "SELECT * FROM con_tab";

$status = "";
if(isset($_POST['new']) && $_POST['new']==1)
{ 
$contitle = $_REQUEST['con_title']; 
$conauth = $_REQUEST['con_auth'];
$condstart = $_REQUEST['con_dstart'];
$condcomp = $_REQUEST['con_dcomp'];
$conabs = $_REQUEST['con_abs'];
$concol = $_REQUEST['con_col'];
$constat = $_REQUEST['con_stat'];
$moddate = date("Y-m-d H:i:s");    

$ins_query="INSERT INTO con_tab (con_title,con_auth,con_dstart,con_dcomp,con_abs,con_col,con_stat) VALUES ('$contitle', '$conauth', '$condstart', '$condcomp', '$conabs', '$concol', '$constat', '$moddate')";

mysqli_query($conn,$ins_query) or die(mysql_error());
$status = "New data successfully added.</br></br></a>";
}
?>

Here's the error messages:

Notice: Undefined index: con_title in C:\xampp..\con-modal.php on line 9

Notice: Undefined index: con_auth in C:\xampp..\con-modal.php on line 10

Notice: Undefined index: con_dstart in C:\xampp..\con-modal.php on line 11

Notice: Undefined index: con_dcomp in C:\xampp..\con-modal.php on line 12

Notice: Undefined index: con_abs in C:\xampp..\con-modal.php on line 13

Notice: Undefined index: con_col in C:\xampp..\con-modal.php on line 14

Notice: Undefined index: con_stat in C:\xampp..\con-modal.php on line 15

Lines 9-15 are the ones from $contitle to $con_stat. This post was tagged as a duplicate, but the link given didn't solve the problem I have; the issues are different.

Reu Roo
  • It is a very bad idea to use `die(mysqli_error($conn));` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) Besides you have it wrong with `mysql_error`, which doesn't exist. – Dharman Jul 04 '19 at 08:55
  • It seems like you do not submit the parameters you try to access, neither with GET nor with POST. What is `var_dump($_REQUEST)`? – Kryptur Jul 04 '19 at 08:56
  • Please count your column and inserted column and Insert query recheck – SAVe Jul 04 '19 at 09:17

1 Answer

4

There is so much wrong with your code:

But your issue is caused by your $_REQUESTed parameters not being present; they have not been given to the script.

So; you have three options: You need to check your HTML form to ensure that the correct parameter names have been given, or you need to check each $_REQUEST with an if(isset(...)) wrapper or you can simply ignore this error.

Example 1:

HTML:

  <input type='text' value='something' name='con_title'>
                                 Check HERE  ^^^^^^^^^ 

Example 2:

$contitle = "";
if(isset($_REQUEST['con_title'])){
    $contitle = $_REQUEST['con_title'];
}

Example 3:

Php.ini and per script.

error_reporting = E_ALL & ~E_NOTICE;

Other issues:

  • You are wide open to SQL Injections and should really use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, you are still in risk of corrupting your data.

  • It is a very bad idea to use die(mysqli_error($conn)); in your code, because it will potentially leak sensitive information. See this post for more explanation: mysqli or die, does it have to die?

  • You do not need brackets around your require or include statements.

  • $_POST['new']==1 is open to abuse; you should use === as much as possible. Use $_POST['new'] === "1" (posted values are always strings)

  • Best practice: do not add times to the SQL when you write the INSERT; instead it's more proficient to set the MySQL column to be a Timestamp and set

     ALTER TABLE con_tab MODIFY moddate datetime DEFAULT CURRENT_TIMESTAMP
    
  • Count your insert columns and insert data, you are currently inserting more data than you have set columns. This will fail.

  • Correct your HTML syntax. You want <br/> not </br>. You seem to have an excess </a> for some reason, too.

  • It is better to use $_POST throughout rather than $_REQUEST as $_REQUEST will potentially also accept cookie data or other data that is non-POSTed.

Martin
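
The answer's points about isset() checks, `=== "1"`, `$_POST`, matching column counts and parameterized prepared statements, combined in one handler. This is an added example, not code from the question or the answer; it assumes `$conn` comes from the question's `../config/Database.php` and that `moddate` is filled in by MySQL through a `DEFAULT CURRENT_TIMESTAMP` column, as the answer suggests.

```php
<?php
// Added example, not the poster's or the answerer's code.
// Assumption: ../config/Database.php sets $conn as shown in the question,
// and moddate is populated by MySQL (DEFAULT CURRENT_TIMESTAMP).
require '../config/Database.php';

// Throw mysqli_sql_exception on failure instead of die(mysqli_error($conn)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Fixed column list: it never comes from user input, so it is safe in the SQL text.
const CON_FIELDS = ['con_title', 'con_auth', 'con_dstart', 'con_dcomp',
                    'con_abs', 'con_col', 'con_stat'];

// Returns [values, missing]: values in column order, plus the names of fields
// the form did not send (the cause of the "Undefined index" notices).
function collect_fields(array $post): array
{
    $values = [];
    $missing = [];
    foreach (CON_FIELDS as $name) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $values[] = $post[$name];
        } else {
            $missing[] = $name;
        }
    }
    return [$values, $missing];
}

$status = '';
if (isset($_POST['new']) && $_POST['new'] === '1') {
    [$values, $missing] = collect_fields($_POST);
    if ($missing !== []) {
        $status = 'Missing form fields: ' . htmlspecialchars(implode(', ', $missing));
    } else {
        // One placeholder per column: 7 columns, 7 "?" marks, 7 bound values.
        $sql = 'INSERT INTO con_tab (' . implode(', ', CON_FIELDS) . ') VALUES ('
             . implode(', ', array_fill(0, count(CON_FIELDS), '?')) . ')';
        try {
            $stmt = $conn->prepare($sql);
            $stmt->bind_param(str_repeat('s', count($values)), ...$values);
            $stmt->execute();
            $status = 'New data successfully added.<br/><br/>';
        } catch (mysqli_sql_exception $e) {
            error_log($e->getMessage());   // details go to the server log only
            $status = 'The record could not be saved.';
        }
    }
}
```

Because the values are bound rather than concatenated, a quote character in any field is stored as data and cannot change the statement; the database error text goes to the server log while the page shows only a generic message.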