nullArray Posted March 25, 2009

Greetings, my boss is having me learn PHP in my downtime. It's pretty interesting. I get to go home early (and get paid) if I can complete his tasks. I managed to complete task one, but he'd really like for me to clean up my error messages before I go home.

    <?php

    $name = $_POST['name'];
    $age = $_POST['age'];

    if (!isset($_POST['submit'])) {
    ?>
    <html>
    <head>
    <title>PHP Test</title>
    </head>
    <body>
    Please enter the following information: <br> <br>
    <form method="post">
    Name: <input type="text" size="25" maxlength="25" name="name"><br />
    Age: <input type="text" size="3" maxlength="3" name="age"><br /><br />
    <input type="submit" value="submit" name="submit">
    </form>
    <?
    } else {
        echo "Hello, ".$name.".<br />";
        echo "You are ".$age." years old, and you love PHP.";
    }
    ?>

I get the following error message:

    [Wed Mar 25 15:57:55 2009] [error] [client (hidden for privacy)] PHP Notice: Undefined index: name in (hidden for privacy)/index.php on line 3
    [Wed Mar 25 15:57:55 2009] [error] [client (hidden for privacy)] PHP Notice: Undefined index: age in (hidden for privacy)/index.php on line 4

Any idea what that means? Using error_reporting(0); works, but my guess is that only masks the problem.

Sparda Posted March 25, 2009

You never check to see if name or age was posted. If statement wrapper please! I would also like to take the opportunity to scream "INPUT VALIDATION!!!" at the top of my voice, thank you.

nullArray Posted March 25, 2009

> You never check to see if name or age was posted. If statement wrapper please!

Hint? I wrote what I've got from 10 minutes of skimming a PHP tutorial.

Sparda Posted March 25, 2009

    if (isset($_POST['name'])) $name = $_POST['name'];

Something like that.

nullArray Posted March 25, 2009

Yep, that did it. Thanks.

stingwray Posted March 25, 2009

I never understood the style of interpolating code with printed text with PHP. I always think it's much cleaner looking and easier to understand if you use print<<<X and X;

digip Posted March 26, 2009

Funny. I run what you have there in your first post and got no error messages from it. I don't have error messages suppressed either, as I get plenty of them on other things I work through. Are you posting this data to another step, process or page that does something with the data and could be getting the error? Because this works on my server.

Just change POST to GET and you will see it processes it correctly. It will show up in the URL with a GET just so you can see what it looks like, but usually, you don't want to pass data to the server with GET because anyone on that machine can see it in the browser's URL history.

Also, sanitize the input, so no one can put anything other than what's needed into the boxes. Like for age, only numbers should be valid, name should not be allowed to use any funky characters or unicode stuff that could work against the server and compromise it. Example, if someone were to use some javascript in there or even pass PHP commands to a process.

    ?name=bob&age=999&submit=submit

If you put the following in the name box, it executes the javascript.

    <script>alert()</script>

Granted your name box text length was short, I had just enough room to put that in. If it allowed more space, you could enter a nastier script. It executes on IE and Opera, not sure about FF.

nullArray Posted March 26, 2009

> Funny. I run what you have there in your first post and got no error messages from it. I don't have error messages suppressed either, as I get plenty of them on other things I work through. Are you posting this data to another step, process or page that does something with the data and could be getting the error? Because this works on my server.
>
> Just change POST to GET and you will see it processes it correctly. It will show up in the URL with a GET just so you can see what it looks like, but usually, you don't want to pass data to the server with GET because anyone on that machine can see it in the browser's URL history.
>
> Also, sanitize the input, so no one can put anything other than what's needed into the boxes. Like for age, only numbers should be valid, name should not be allowed to use any funky characters or unicode stuff that could work against the server and compromise it. Example, if someone were to use some javascript in there or even pass PHP commands to a process.
>
>     ?name=bob&age=999&submit=submit
>
> If you put the following in the name box, it executes the javascript.
>
>     <script>alert()</script>
>
> Granted your name box text length was short, I had just enough room to put that in. If it allowed more space, you could enter a nastier script. It executes on IE and Opera, not sure about FF.

I still only marginally understand the difference between POST, GET and REQUEST, but it works and pleased my boss. I totally managed to finish the project way early. "For tomorrow" I had to put this data into a MySQL table/database that apparently was associated with my university unix account. I got that working too! I'm quite pleased with what I was able to accomplish in under three hours without any prior experience. So since I finished this early, I'm super excited to "impress" my boss tomorrow.

In my php code, I use when I connect to sql it's like "localhost","username","password." This stuff is hidden from users right? They can't view my source and reverse engineer it?

How can I fix the <script> thing? That looks serious (and put null entries in my SQL database :( )

digip Posted March 26, 2009

Something like

    $name= preg_replace("/[^a-zA-Z]/", "", $name);

You create a function to grab the string, and only allow alphanumeric items in the input fields.

Examples:
http://www.phpbuilder.com/columns/sanitize_inc_php.txt
http://us3.php.net/preg-match
http://us3.php.net/manual/en/function.preg-replace.php

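The notices in the first post and the `<script>` echo described above both come from using `$_POST` values unchecked. The following is an added example, not code from any poster in this thread: it reads fields only when present, rejects a bad age, and encodes the name at output time with `htmlspecialchars` instead of the `preg_replace` filter suggested above. The function name `render_greeting` and the 0 to 150 age range are assumptions made for illustration.

```php
<?php
// Added example: hardened handler for the name/age form from the first post.
// render_greeting() is a hypothetical name; the age range is an assumption.

function render_greeting(array $post): string
{
    // Read each field only if it was submitted as a string. This removes the
    // "Undefined index" notices and also ignores array input such as name[]=x.
    $name   = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    $rawAge = is_string($post['age'] ?? null) ? trim($post['age']) : '';

    $errors = [];

    // maxlength="25" is enforced only by the browser, so check it server-side
    // (strlen counts bytes, which is sufficient for this length limit).
    if ($name === '' || strlen($name) > 25) {
        $errors[] = 'Name must be 1 to 25 characters.';
    }

    // Age must be a whole number in range; bad input is rejected, not rewritten.
    $age = filter_var($rawAge, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 0 and 150.';
    }

    if ($errors) {
        return implode("<br />\n", $errors); // static text, no user input echoed
    }

    // Encode at output time so markup in the name is displayed as text.
    $safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return "Hello, {$safeName}.<br />\nYou are {$age} years old, and you love PHP.";
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['name' => 'bob', 'age' => '42', 'submit' => 'submit'],
    ['name' => '<script>alert()</script>', 'age' => '42', 'submit' => 'submit'],
    ['name' => 'bob', 'age' => '9x9', 'submit' => 'submit'],
    ['submit' => 'submit'], // name and age missing entirely
];
foreach ($samples as $post) {
    echo render_greeting($post), "\n---\n";
}
```

In the second sample the name is emitted as `&lt;script&gt;alert()&lt;/script&gt;`, so the browser shows it as text instead of running it.
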
nullArray Posted March 26, 2009

> Something like
>
>     $name= preg_replace("/[^a-zA-Z]/", "", $name);
>
> You create a function to grab the string, and only allow alphanumeric items in the input fields.
>
> Examples:
> http://www.phpbuilder.com/columns/sanitize_inc_php.txt
> http://us3.php.net/preg-match
> http://us3.php.net/manual/en/function.preg-replace.php

So I create a separate function, and pass my variable into it or can I just drop that code on a line I already have? This is all very interesting.

stingwray Posted March 26, 2009

> Something like
>
>     $name= preg_replace("/[^a-zA-Z]/", "", $name);
>
> You create a function to grab the string, and only allow alphanumeric items in the input fields.
>
> Examples:
> http://www.phpbuilder.com/columns/sanitize_inc_php.txt
> http://us3.php.net/preg-match
> http://us3.php.net/manual/en/function.preg-replace.php

This is where a good framework makes everything so much easier. CakePHP has a really nice way of setting up validation rules for you and all the regexs are done.

nullArray Posted March 26, 2009

> This is where a good framework makes everything so much easier. CakePHP has a really nice way of setting up validation rules for you and all the regexs are done.

Yeah, I have no idea what that means..., I've only been using PHP for two hours.

nullArray Posted March 26, 2009

Okay, I've implemented a lot of things..., including:

    $name= preg_replace("/[^a-zA-Z]/", "", $name);

Now if someone enters, say, "Steve Jobs" into my new name field, it instead turns $name into SteveJobs. I'd like to keep spaces intact for $name. Suggestions?

stingwray Posted March 26, 2009

You need to alter your regex so that it allows spaces, something like:

    /[^a-zA-Z\s]/

Probably.

digip Posted March 26, 2009

> You need to alter your regex so that it allows spaces, something like:
>
>     /[^a-zA-Z\s]/
>
> Probably.

I believe that is correct also. \s (Small "s")

The following should be escaped if you are trying to match that character:

    \ ^ . $ | ( ) [ ] * + ? { } ,

Special Character Definitions

    \       Quote the next metacharacter
    ^       Match the beginning of the line
    .       Match any character (except newline)
    $       Match the end of the line (or before newline at the end)
    |       Alternation
    ()      Grouping
    []      Character class
    *       Match 0 or more times
    +       Match 1 or more times
    ?       Match 1 or 0 times
    {n}     Match exactly n times
    {n,}    Match at least n times
    {n,m}   Match at least n but not more than m times

More Special Character Stuff

    \t      tab (HT, TAB)
    \n      newline (LF, NL)
    \r      return (CR)
    \f      form feed (FF)
    \a      alarm (bell) (BEL)
    \e      escape (think troff) (ESC)
    \033    octal char (think of a PDP-11)
    \x1B    hex char
    \c[     control char
    \l      lowercase next char (think vi)
    \u      uppercase next char (think vi)
    \L      lowercase till \E (think vi)
    \U      uppercase till \E (think vi)
    \E      end case modification (think vi)
    \Q      quote (disable) pattern metacharacters till \E

Even More Special Characters

    \w      Match a "word" character (alphanumeric plus "_")
    \W      Match a non-word character
    \s      Match a whitespace character
    \S      Match a non-whitespace character
    \d      Match a digit character
    \D      Match a non-digit character
    \b      Match a word boundary
    \B      Match a non-(word boundary)
    \A      Match only at beginning of string
    \Z      Match only at end of string, or before newline at the end
    \z      Match only at end of string
    \G      Match only where previous m//g left off (works only with /g)

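The allowlist regex from the posts above can be applied in two ways, and they behave differently on hostile or unusual input. This added example (not code from any poster in this thread) puts the thread's strip-with-`preg_replace` approach beside a validate-and-reject alternative; the function names `strip_name` and `validate_name` and the 25-character limit taken from the form are illustrative assumptions.

```php
<?php
// Added example: two ways to apply the thread's name allowlist.
// strip_name() is the preg_replace approach from the thread; validate_name()
// is a hypothetical stricter alternative that rejects instead of rewriting.

function strip_name(string $name): string
{
    // \s matches any whitespace, so tabs and newlines survive along with spaces.
    return preg_replace('/[^a-zA-Z\s]/', '', $name);
}

function validate_name(string $name): ?string
{
    $name = trim($name);
    // Letters separated by single literal spaces, at most 25 bytes in total.
    // \A and \z anchor the whole string; $ would also match before a trailing newline.
    if (strlen($name) <= 25
        && preg_match('/\A[a-zA-Z]+(?: [a-zA-Z]+)*\z/', $name) === 1) {
        return $name;
    }
    return null; // caller re-displays the form with an error message
}

// Constructed inputs.
$inputs = [
    "Steve Jobs",
    "Steve\tJobs\nx",
    "<script>alert()</script>",
    "O'Brien",
    "",
];
foreach ($inputs as $in) {
    printf("%-30s strip=%-22s validate=%s\n",
        json_encode($in),
        json_encode(strip_name($in)),
        json_encode(validate_name($in)));
}
```

Stripping silently turns `<script>alert()</script>` into `scriptalertscript` and `O'Brien` into `OBrien`, while validation returns null for both so the user can be asked to re-enter the value. Either pattern excludes legitimate names with apostrophes, hyphens or accented letters, so the allowlist has to be widened deliberately if those are expected.
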
nullArray Posted March 26, 2009

Thanks for all the help. What do most people use to write PHP? I'm using a new program available for the Mac called Espresso. It seems pretty rad.

stingwray Posted March 26, 2009

Eclipse or Netbeans, need a proper IDE for doing the work that I get into. If I want to be quick then I'll use Smultron just as a text editor.

digip Posted March 26, 2009

Notepad++, just because I can debug line errors and it does color highlighting for code. Other than that, just plain notepad.

Lyzon Posted March 26, 2009

Erm... why are you using PHP 3? I say this because the errors you're receiving are PHP3 style and I'm assuming you don't have a custom error handler.

As for the errors, it's there because you don't check for the $name and the other variables' existence. It's also bad practice to use $name instead of $_POST['name'] as in PHP5, register globals are disabled by default and are removed in PHP6.

Try tizag.com for some simple tutorials or go to php.net and see the user posted examples and read the documentation. Should help you get a better grasp of the language.

digip Posted March 26, 2009

> Erm... why are you using PHP 3? I say this because the errors you're receiving are PHP3 style and I'm assuming you don't have a custom error handler.
>
> As for the errors, it's there because you don't check for the $name and the other variables' existence. It's also bad practice to use $name instead of $_POST['name'] as in PHP5, register globals are disabled by default and are removed in PHP6.
>
> Try tizag.com for some simple tutorials or go to php.net and see the user posted examples and read the documentation. Should help you get a better grasp of the language.

Where did it say he used PHP 3?

FireTime Posted March 27, 2009

If you want to learn php fast, check out W3 Schools PHP. This is how I learned how to use it. They explain the difference between get post and request, and have a good section on PHP with MySQL databases.

Lyzon Posted March 27, 2009

@digip, read all of my post before replying ;)

nullArray Posted March 27, 2009

> Erm... why are you using PHP 3? I say this because the errors you're receiving are PHP3 style and I'm assuming you don't have a custom error handler.
>
> As for the errors, it's there because you don't check for the $name and the other variables' existence. It's also bad practice to use $name instead of $_POST['name'] as in PHP5, register globals are disabled by default and are removed in PHP6.
>
> Try tizag.com for some simple tutorials or go to php.net and see the user posted examples and read the documentation. Should help you get a better grasp of the language.

Wow, harshness. I don't know, I didn't actively seek out old versions of PHP. What I wrote there took me under an hour from absolutely nothing but a syntax guideline + trial and error. It's since changed now and has a database, sanitation, input validation and stuff, which took about an extra three hours. Probably an hour of that was learning mysql, because I didn't know anything about it. Relax dood, I'm not a seasoned PHP vet...,

digip Posted March 27, 2009

> @digip, read all of my post before replying ;)

> I say this because the errors you're receiving are PHP3 style and I'm assuming you don't have a custom error handler.

Yeah, but I think those errors can happen in later versions up to 5.x. http://www.google.com/search?hl=en&q=%...G=Google+Search

Wasn't the error because he was posting it to a database upon entering the page before the data that was checked for valid input from the form? Or am I wrong. I'm no expert and don't claim to be, and I did read ALL of your post. Just wondering where php3 comes into it?
