-1

When I run this code:

<?php
if (preg_match('/^[a-z0-9]+$/', $_GET['p'])) {
  $page = realpath("includes/$_GET[p].php");
  if ($page) {
    include $page;
  }
}
?>

I get this error:

Notice: Undefined index: p in index.php on line 3

hakre
  • 193,403
  • 52
  • 435
  • 836
  • possible duplicate of [PHP: "Notice: Undefined variable" and "Notice: Undefined index"](http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index) – Jocelyn May 12 '13 at 01:01

6 Answers6

12

The error message says that there is no array item with the key p. If you cannot guarantee that a variable (or array item) does exist, you should first check it with the isset function:

if (isset($_GET['p']) && preg_match('/^[a-z0-9]+$/', $_GET['p'])) {
    $page = realpath("includes/$_GET[p].php");
    if ($page) {
        include $page;
    }
}
Gumbo
  • 643,351
  • 109
  • 780
  • 844
  • in my opionion this is not a solution for the problem... – TheHippo Apr 12 '09 at 17:20
  • 1
    It's just wrong code because "$_GET[p]" means you access the constant "p". It works nevertheless because PHP guesses you meant the string 'p'. – ericteubert Apr 12 '09 at 18:35
  • @Dazmorgan: That’s not true. `$a=array('foo'=>'foo','bar'=>'bar'); define('foo', 'bar'); echo "$a[foo]"` is echoing “foo” and not “bar”. Thus it’s interpreted as `$a['foo']`. – Gumbo Apr 12 '09 at 19:14
  • define('p', 'bar'); outside a string in double quotes the constant will return the string bar, which will look up the index bar in the array. Its a bad habit to get into imo, but it works, for now. – OIS Apr 12 '09 at 23:19
5

What Gumbo said for checking if the index is set in the array.

Also for parsing an array index in a string you should use brackets around the array, and you should escape the index with single quotes if it is a string.

$page = realpath("includes/{$_GET['p']}.php");

But for including files suggested by the user, the safest way is to look up the files in an array, and only include them if they exists there.

OIS
  • 9,833
  • 3
  • 32
  • 41
4
$page = realpath("includes/ " . $_GET['p'] . ".php");
ericteubert
  • 4,531
  • 3
  • 31
  • 35
2

There is no real problem. PHP yields a Notice not a Warning or Error. Basically, your script is not receiving the p URL parameter. So it uses '' and gives a notice in the log. If you see this message on your rendered page, adjust php error reporting to something like E_ERROR | E_WARNING in PHP.ini

Peter Perháč
  • 20,434
  • 21
  • 120
  • 152
0

There is no 'p' parameter to the page, maybe? Did you mean $_REQUEST instead?
Also, is it not `"${_GET['p']}" when you are accessing an array?

Lucas Jones
  • 19,767
  • 8
  • 75
  • 88
0

Look into array_key_exists() for checking whether an array key... exists. But in your case I suggest you pick up the filter class of functions which specialize in working with user input.

moo
  • 7,619
  • 9
  • 42
  • 40
  • $_GET and $_POST set by the web server will only have string or array values. array_key_exists is only needed if null is a valid value. – OIS Apr 12 '09 at 23:21