Undefined variables/indexes when storing $_POST in session vars

Tezread

I have been given some code whereby the script is parsing the data for insert into a a database. This is protected from sql injection attacks (see code below)
I am processing all the $_POST vars with it, then storing them in session vars so that the form handler has them available, it's a multi-page form.
The errors Im am getting are undefined indexes/varialbe errors and I am having a tough time getting my head round this as the code is more advanced and dynamic than I have handled in the past. I have had other issues which have been resolved but im trying to isoloate the problem to understand it better.

formhandler page at end of multipage form:



<?php
// at the top of each form processing page you need this little bit of code 

require_once('common_functions.php'); // includes the quote_smart function 

if (isset($_POST['val'])) { 

foreach ($_POST as $key=>$val) { 

// build the column name list 
$_SESSION['cols'] .= $key . ','; 
// and the values list 
$_SESSION['vals'] .= quote_smart($val) . ','; 
// and you MUST quote_smart to get the correct quotes around the values or the final query will fail 
} 
} 

$strcols = rtrim($_SESSION['cols'], ',');     

$strvals = rtrim($_SESSION['vals'], ','); 
//now echo them just for debugging 
echo $strcols; 
echo $strvals; 
//remove the echos once it is working 

$sql = "INSERT INTO nottsvcs (" . $strcols . ") VALUES (" . $strvals . ")"; 

echo $sql; 

?>

The error message here is:

Notice: Undefined variable: _SESSION in /disk1/home3/mindseye/public_html/nottsvcs_short_1_4_formhandler.php on line 20

Notice: Undefined variable: _SESSION in /disk1/home3/mindseye/public_html/nottsvcs_short_1_4_formhandler.php on line 21
INSERT INTO nottsvcs () VALUES ()

common_functions.php


<?php 
error_reporting(E_ALL); 
// Quote variable to make safe
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

// Connect
$link = mysql_connect('*******', '****', '*****')
   OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           quote_smart($_POST['username']),
           quote_smart($_POST['password']));

mysql_query($query);
?>

The error message is:

Notice: Undefined index: username in /disk1/home3/mindseye/public_html/common_functions.php on line 23

At the top of each page of my multipage form is this code which stores $_POST into a session var

<?php
// at the top of each form processing page you need this little bit of code 

require_once('common_functions.php'); // includes the quote_smart function 

if (isset($_POST['submit'])) { 

foreach ($_POST as $key=>$val) { 

// build the column name list 
$_SESSION['cols'] .= $key . ','; 
// and the values list 
$_SESSION['vals'] .= quote_smart($val) . ','; 
// and you MUST quote_smart to get the correct quotes around the values or the final query will fail 
} 
} 


?

In this case the message reads:

Notice: Undefined variable: _SESSION in /disk1/home3/mindseye/public_html/nottsvcs_short_1_4_b.php on line 11

I have had some fantastic help already with similar problems in other threads and I thought I knew what was going on but when I keep getting the same errors I fear I am missing something simple.

rincewind456

Try changing your error reporting level to

error_reporting(E_ALL ^ E_NOTICE);

this should clear up the problem, for a more comprehensive explanation of the error reporting levels look at http://uk.php.net/manual/en/ref.errorfunc.php

Tezread

Thx rincewind but the issue is not with the error reporting as such. The issue is how to rectify the undefined variable/index messages in instances where $_POST is stored in session variable. I did try your suggestion but it makes no difference unfortunately

rincewind456

The error message is:

Notice: Undefined index: username in /disk1/home3/mindseye/public_html/common_functions.php on line 23

for this one you need to take out the query

// Make a safe query 
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s", 
           quote_smart($_POST['username']), 
           quote_smart($_POST['password'])); 

mysql_query($query);

that is in your common_functions.php file

and in your form handler page you aren't actually calling the mysql query just echoing it you need somethinfg like this

// execute the SQL statement
 if (mysql_query($sql, $link)) {
echo "<p>The data has been added to the database";
 } else {
  echo mysql_error(); "something went wrong this is the error number:";mysql_errno();
 }

It might also be a good idea to start the session with

session_start()

at the top of each page.

Tezread

I have eliminated the code that connected to my db and stuck with my old approach which has helped things along but I still am stuck with hose undefined indexes and variables:

code now reads:

<?php
session_start();

// at the top of each form processing page you need this little bit of code 

require_once('common_functions.php'); // includes the quote_smart function 

if (isset($_POST['vals'])) { 

foreach ($_POST as $key=>$val) { 

// build the column name list 
$_SESSION['cols'] .= $key . ','; 
// and the values list 
$_SESSION['vals'] .= quote_smart($val) . ','; 
// and you MUST quote_smart to get the correct quotes around the values or the final query will fail 
} 
}

$strcols = rtrim($_SESSION['cols'], ',');     

$strvals = rtrim($_SESSION['vals'], ','); 

//now echo them just for debugging 
echo $strcols; 
echo $strvals; 
//remove the echos once it is working 

$sql = "INSERT INTO nottsvcs (" . $strcols . ") VALUES (" . $strvals . ")"; 

// execute the SQL statement 
if (mysql_query($sql, $link)) { 
echo "<p>The data has been added to the database"; 
} else { 
  echo mysql_error(); "something went wrong this is the error number:";mysql_errno(); 
} 


?>

rincewind456

Change your error reporting to

error_reporting(E_ALL ^ E_NOTICE);

this will do away with the undefined variable messages(they are not errors as such).

Tezread

still the same error message grrrrrrrrhhhh- I simply do not know what else to try

rincewind456

What's the message?

Tezread

Interesting results now- ive checked all the forms and instances when ISSET occurs I have made sure 'submit' is there.
Now I am getting an SQL output with no error messages but once I checked to see the result in phpmyadmin it is not there!
I have put echo statements all the down my form handler as well to debug and nowt comes up. Obviously the values are not being passed onto the next form page so the foreeach function is failing somehow

One thing that does bug me is at the moment values in each form page are being stored in a session var and then inserted into the table 'nottsvcs' but on my last form page where I have listboxes with multiple selections there the mulitple selection choices are supposed to be stored in another MySQL table.

As it stands here is my code for the formhandler:

<?php
session_start();
error_reporting(E_ALL ^ E_NOTICE); 

// at the top of each form processing page you need this little bit of code 

require_once('common_functions.php'); // includes the quote_smart function 

if (isset($_POST['submit'])) { 

foreach ($_POST as $key=>$val) { 


// build the column name list 
$_SESSION['cols'] .= $key . ','; 
echo $key;
// and the values list 
$_SESSION['vals'] .= "'" . quote_smart($val) . "',"; 
echo $val;
// and you MUST quote_smart to get the correct quotes around the values or the final query will fail 
} 
}

$strcols = rtrim($_SESSION['cols'], ',');     

$strvals = rtrim($_SESSION['vals'], ','); 

//now echo them just for debugging 
echo $strcols; 
echo $strvals; 
//remove the echos once it is working 

$sql = "INSERT INTO nottsvcs (" . $strcols . ") VALUES (" . $strvals . ")"; 
echo $sql;
// execute the SQL statement 
$res = mysql_query($sql,$connection);
echo $res;

?>

and here is an example formpage (one of six)

<?php
session_start();
// at the top of each form processing page you need this little bit of code 

require_once('common_functions.php'); // includes the quote_smart function 

if (isset($_POST['submit'])) { 

foreach ($_POST as $key=>$val) { 

// build the column name list 
$_SESSION['cols'] .= $key . ','; 
// and the values list 
$_SESSION['vals'] .= quote_smart($val) . ','; 
// and you MUST quote_smart to get the correct quotes around the values or the final query will fail 
} 
} 

?>

Tezread

I just wanted to say I am not going for the record number of posts in one day. Im not lazy I want to learn as much as I can 🙂

rincewind456

Sorry can't help you with that I've not used that way of entering data to a Db before.

suntra

First of all, submit your data to a page which will call phpinfo(), and then in the PHP Variables section, check what variables are set. If there aer any missing ones, double check your form.

Don't forget that an input must have its "name" parameter defined at all times, and that it is that parameter that is used, and not the "id" parameter.

Tezread

suntra wrote:
First of all, submit your data to a page which will call phpinfo(), and then in the PHP Variables section, check what variables are set. If there aer any missing ones, double check your form.

Im not sure how to submit data to a page which calls phpinfo().. sorry.

Weedpacket

suntra means you to replace the script you're checking with a page that just calls phpinfo(). In fact, just take the page you've got now, and put

phpinfo();
exit;

after the session_start().

The resulting information will include all the you sent to the page.

And ignore rincewind's advice to set error reporting to E_ALL ^ E_NOTICE. That's like ignoring those abdominal twinges and waiting until your appendix bursts before doing anything. Develop with E_ALL turned on and only turn it down (and turing display_errors off) when going live.

Tezread

I have directed my formhandler to phpinfo() but I don't see how i can check any vars here
have a look at the output if you like:

http://www.mindseyemidlands.co.uk/nottsvcs_short_1_4_formhandler.php

Tezread

Its ok- I see now- I will need to complete the whole form and answers all questions to gauge vars properly. This will take a while but I see the debugging technique using phpinfo() here thx.

In the words of Arnie... i'll be back 😉

Tezread

I have established the problem of why the db is not being populated- only the values of the last part of the form are showing so the values of the session var are not being passed onto the form parts. I kind of knew this already but I don't know why this is happening still:

all my submit buttons have a name 'submit' and a label 'next' to avoid confusion.

here is the code that is at the top of each part of the form:


<?php
session_start();
// at the top of each form processing page you need this little bit of code 

require_once('common_functions.php'); // includes the quote_smart function 

if (isset($_POST['submit'])) { 

foreach ($_POST as $key=>$val) { 

// build the column name list 
$_SESSION['cols'] .= $key . ','; 
// and the values list 
$_SESSION['vals'] .= quote_smart($val) . ','; 
// and you MUST quote_smart to get the correct quotes around the values or the final query will fail 
} 
} 
?>

my formhandler has not changed but you can check out the phpinfo results on:

www.mindseyemidlands.co.uk/nottsvcs_short_1_4_formhandler.php

Tezread

Ive now debugged all my field names in my forms and they are all correct. Can anyone figure out why I am still getting this message:

check out the link to test it out if you like

click a number betweem 1 and 4 in....

and keep clicking submit- notice the error on the 3rd page- the session var is then not carried over

www.mindseyemidlands.co.uk/nottsvcs_placeyourorganisation_short.php

Tezread

Ive checked using phpinfo() and my forms but I still cannot see why the 1st five parts of the form are not being posted.

Im not sure what else I can do other than offer this job to tender

Tezread

Maybe there are some tutotials or examples out there based around building session arrays for forms that someone could point me to?