PHP Filter Input Array - php

if(isset(filter_input_array(input_post)
Also the reason why I'm using Filter input array is because $_POST doesn't even work anymore, not on NetBeans anyway.
My localHost hits me back with a :
Warning: Use of undefined constant input_post - assumed 'input_post' (this will throw an Error in a future version of PHP) in C:\xampp\htdocs\Test1\Includes\signup2.inc.php on line 3
I'm pretty new to coding and especially PHP. I'm in 1st year of Uni doing course work, so don't get upset if it's a silly question. But I have no idea how to fix this.
This is all I have so far
<?php
if(isset(filter_input_array(input_post)['signup-submit'])) {
require 'dbh.inc.php';
$username = filter_input_array(input_post)['uid'];
$email = filter_input_array(input_post)['mail'];
$password = filter_input_array(input_post)['pwd'];
$passwordRepeat = filter_input_array(input_post)['pwd-repeat'];

Filtering input is fundamentally wrong (really the issue here is about PHP naming conventions).
because $_POST doesn't even work anymore
So your workaround for a problem is no longer working. Stop trying to fix your workaround and fix the problem. PHP is primarily a scripting language for the web - if it is not handling request data something is very wrong.

Try using $_REQUEST as global var.
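For reference, an added example (not code from any of the posts above) of reading the question's signup fields through one filter specification. The constant is upper-case INPUT_POST; read_signup() and the username pattern are assumptions, and filter_var_array() is used on a constructed array so the block runs from the command line.

```php
<?php
// Added example: field names follow the question's form; read_signup() is hypothetical.
function read_signup(array $post): array
{
    // One spec for the whole form: keys not listed here are ignored.
    $spec = [
        'uid'        => ['filter'  => FILTER_VALIDATE_REGEXP,
                         'options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']], // assumed rule
        'mail'       => FILTER_VALIDATE_EMAIL,
        'pwd'        => FILTER_UNSAFE_RAW,   // passwords get hashed later, not rewritten
        'pwd-repeat' => FILTER_UNSAFE_RAW,
    ];
    // In a web request the same spec works with filter_input_array(INPUT_POST, $spec).
    // Lower-case input_post is an undefined constant, which is the warning in the question.
    $in = filter_var_array($post, $spec);   // missing key => null, failed filter => false

    $errors = [];
    foreach ($in as $name => $value) {
        if ($value === null || $value === '') {
            $errors[$name] = 'missing';
        } elseif ($value === false) {
            $errors[$name] = 'invalid';
        }
    }
    if (!$errors && !hash_equals($in['pwd'], $in['pwd-repeat'])) {
        $errors['pwd-repeat'] = 'mismatch';
    }
    return ['values' => $in, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST.
$sample = ['uid' => 'alice_01', 'mail' => 'not-an-email', 'pwd' => 's3cret', 'extra' => 'x'];
$result = read_signup($sample);
print_r($result['errors']);
print_r(array_keys($result['values']));   // only the four keys named in the spec
```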

Related

What is the correct (safe) alternative to PHP import_request_variables?

Full disclosure: I'm not a PHP programmer, rather a JavaScript/Node programmer, but I'm trying to help a friend fix a fatal PHP error on their site.
To wit,
Fatal error: Call to undefined function import_request_variables()
I've looked it up and import_request_variables() is deprecated.
The relevant piece of code is this -- I noticed that the developer seems to have tried out the more modern form (?) and abandoned it.
import_request_variables("pgc", "re_");
//extract($_GET, EXTR_PREFIX_ALL, "pgc");
//extract($_POST, EXTR_PREFIX_ALL, "pgc");
//extract($_GET, EXTR_PREFIX_ALL, "re_");
//extract($_POST, EXTR_PREFIX_ALL, "re_");
I found a solution on Stack Overflow here Php import_request_variable stopped working, that suggests using that same extract method
extract($_GET, EXTR_PREFIX_ALL, 'p');
extract($_POST, EXTR_PREFIX_ALL, 'p');
Is this the correct method to follow? I've read in other posts (e.g. here) that this could lead to security errors, as does the PHP documentation here
Warning
Do not use extract() on untrusted data, like user input (e.g. $_GET, $_FILES).
and that it's best to import the variables specifically, but I'm not sure that I'm adept enough at PHP to go through all the code and figure out where each variable is being used...
What's the best way to solve this issue swiftly and securely?
Thanks for any help!
EDIT:
This is the code where the variables are used, for what it's worth
if ($re_sub && $re_sec) { $content="./$re_sec/$re_sub.php";}
else if ($re_sec) { $content="./$re_sec/index.php";}
else { $content="./home.php";}
Wow. import_request_variables went away in PHP5, that was a LONG time ago... hope you are upgrading to 7!
Anyway, it seems that you are basically trying to form POST and the content of the post determine the URL the user is sent to. Since you can't trust user input (or shouldn't anyway) you check what is sent in the $_POST array against a whitelist. Depending on how many sections and sub-sections you have, that whitelist can be hard coded, kept in a separate include file, stored in a database, etc.
Given a structure like
home
sec1
sec1sub1
sec1sub2
sec1sub3
sec2
sec2sub1
sec2sub2
sec2sub3
sec3
sec3sub1
sec3sub2
sec3sub3
You can do something like loop through your whitelist and see if a matching POST variable was sent, if so add it to the URL.
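$url = "";
$whitelist = array();
$whitelist['cars'] = array("compact", "sedan", "sportscar");
$whitelist['trucks'] = array("diesel", "4x4");
$whitelist['suvs'] = array("crossovers", "domestic", "import");
foreach ($whitelist as $k => $v) {
    if (isset($_POST[$k])) {
        // section is on the whitelist and was sent in the POST
        $url = $url . "/" . $k;
        foreach ($v as $subv) {
            if (isset($_POST[$subv])) {
                $url = $url . "/" . $subv;
            }
        }
    }
}
// nothing matched: fall back to the site root (a leading "//" would be read as a host name)
if ($url === "") {
    $url = "/";
}
header("Location: " . $url);
exit;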
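An added example (not from the question or the answer) that applies the same allow-list idea to the question's own $content logic, reading the sec and sub parameters explicitly instead of importing them. $allowed, resolve_content() and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not the site's code: $allowed and resolve_content() are hypothetical.
// Sections and sub-sections that exist on disk (constructed sample data).
$allowed = [
    'cars'   => ['compact', 'sedan', 'sportscar'],
    'trucks' => ['diesel', '4x4'],
];

function resolve_content(array $request, array $allowed): string
{
    // import_request_variables("pgc", "re_") turned ?sec= and ?sub= into
    // $re_sec and $re_sub; read those two keys explicitly instead.
    $sec = (isset($request['sec']) && is_string($request['sec'])) ? $request['sec'] : '';
    $sub = (isset($request['sub']) && is_string($request['sub'])) ? $request['sub'] : '';

    // Unknown section: never build a path from it.
    if (!array_key_exists($sec, $allowed)) {
        return './home.php';
    }
    // Known section and known sub-section: both path parts come from the list.
    if (in_array($sub, $allowed[$sec], true)) {
        return "./$sec/$sub.php";
    }
    return "./$sec/index.php";
}

// Constructed requests standing in for $_GET / $_POST.
$samples = [
    ['sec' => 'cars', 'sub' => 'sedan'],
    ['sec' => 'trucks'],
    ['sec' => 'cars', 'sub' => 'unknown'],
    ['sec' => '../../etc', 'sub' => 'passwd'],
    ['sec' => ['cars']],
    [],
];
foreach ($samples as $request) {
    echo json_encode($request), ' => ', resolve_content($request, $allowed), PHP_EOL;
}
```

Only values that appear in $allowed ever reach the path string, so the include target cannot leave the listed directories.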

First timer PHP edit to update html, some errors

this is my first time using PHP in a real project environment. The project is pretty simple, take an existing, working PHP site and update the HTML to be consistent with HTML5. After designing the HTML, I am inserting the PHP from the previous site. This works most of the time, but I get a few errors. For instance:
<?
$sec = $_GET['sec'];
if ($sec == "1") {
echo ('Success!');
}
?>
Is causing the error:
Notice: Undefined index: sec in /file_that_holds_site_build.
Of course that is only if the url doesn't include the append tag (=1) that alerts the message.
So the question is this, what am I missing that causes the $GET when there is no $sec? How do I eliminate this error on first page load?
You're getting that notice because you're trying to access an array index that doesn't exist in some scenarios. Here's how you should be getting the data out of the request.
$sec = array_key_exists('sec', $_GET) ? $_GET['sec'] : null;
Thanks to everyone who provided possible answers to this question. It was Daniel that came up with the easiest fix. Again, I am just adjusting someone else's code to work, so a universal solve would involve too much of my own writing. To the point, the final code looks like this:
<?
if (isset($_GET["sec"])){
$sec = $_GET['sec'];
if ($sec == "1") {
echo ('Success! Your username and password have been sent via email.');
}}
?>
Notice the added if statement. As I said in a comment to Daniel, SO SIMPLE!
Thanks again for everyone's help. I hope to be likewise of service to you all soon.
Simple just use isset($_GET['sec']) to check for the parameter 'sec' before using it in the php code. That should eliminate the error. This is quite trivial I suppose.
I often simply extract() the whole $_GET super global and then either get the desired variable or not. As a kind of "declaration" I initialize each expected variable first with false. This way I find it much easier to handle than individually doing a check like if(isset($_GET['element'])) ...
$var1=$var2=$var3=false; // my desired variables
extract($_GET); // everything I get from the form
// or: extract($_REQUEST);
if ($var1) { /* do something with it */ }
Possible security risk:
Of course you should be aware that everybody could simply include their own variable as an argument to the page ...
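The risk noted in the answer above, next to a form that keeps the "declare defaults first" convenience, as an added example that is not part of the original posts. import_expected(), $isAdmin and the request data are assumptions constructed for illustration.

```php
<?php
// Added example: import_expected() is a hypothetical helper; inputs are constructed.
function with_extract(array $get): bool
{
    $isAdmin = false;           // state the rest of the script relies on
    $var1 = $var2 = false;      // "declared" request variables, as in the answer
    extract($get);              // every request key becomes a local variable
    return (bool) $isAdmin;     // can now be whatever the request supplied
}

function import_expected(array $get, array $defaults): array
{
    // Keep only the keys named in $defaults, then fill in the ones not sent.
    return array_intersect_key($get, $defaults) + $defaults;
}

function with_allowlist(array $get): bool
{
    $isAdmin = false;
    $in = import_expected($get, ['var1' => false, 'var2' => false]);
    // $in['var1'] and $in['var2'] are always defined; no other key is imported
    // and no local variable is created or overwritten.
    return (bool) $isAdmin;
}

$request = ['var1' => 'hello', 'isAdmin' => '1'];   // constructed query-string data
var_dump(with_extract($request));
var_dump(with_allowlist($request));
var_dump(import_expected($request, ['var1' => false, 'var2' => false]));
```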

PHP Warning while passing $_POST to array_key_exists()

So I am using the following style of code if(array_key_exists('some_value', $_POST)){echo 'hi';}
For PHP 5.2.17 I am getting a warning from this style of code. This is the warning:
WARNING: argument 2 for array_key_exists() is not either an array or an object on line: 123
This seems strange to me because I believe that the $_POST array should always be defined. Is that not the case? I'm not sure what would cause the $_POST array to not be considered an array. I am not resetting $_POST to anything so it should exist as an array at all times. Does anyone have any idea what is wrong. Please let me know if more information is needed and thank you for the help.
Edit: I should note that this only happens on the production server. My local environment does not have this problem.
The Superglobals $_POST and $_GET are only populated if the script is POSTed to or GET from. In your example, the reason that you'd get that error is if there was not post action to the script. Before checking for a certain post value, you should check to make sure there was a post:
if(isset($_POST)) {
//The form was posted
}
In that fashion. From there, you can check for certain values using array_key_exists, or you can further check isset($_POST['myKey']).
Use if(isset($_POST['some_value'])) { echo 'hi'; } instead. Never had a problem with it.
Also check if you are not overriding or unsetting $_POST (or some framework you are using is doing it for you). I avoid doing so with superglobal variables since I think it is a bad practice and might give headaches like this one.

How does a PHP global variable (i.e. $email) automatically get populated when a form is posted?

I came across a bit of code working in someone else's code for a form validator. It was supposed to return a value from the form data posted. Anyway, it was always returning NULL. This is what the function was in its entirety (the assumption is that this code did work at one point):
function _getValue($field)
{
global ${$field};
return ${$field};
}
From the context in the other functions, I could tell it was trying to get the value from the (in this case) $_POST variable. When I changed the function to the following, everything worked like a charm:
function _getValue($field)
{
// $_REQUEST should hold $_GET and $_POST values
return $_REQUEST[$field];
}
So my question is... what the heck is global ${$field} mean in this context? I know what ${$field} is, but let's say they passed in email to that function. Where is this global $email variable coming from?
How is the original function supposed to have worked? I know there's something called "Super Globals" or something and that's bad. Is this related? Is that possibly why it stopped working? Did the host turn off Super Globals?
[EDIT] There was some obvious confusion in the way I phrased the question. I know what ${$field} and $$field means, but I don't know how
global ${$field};
return ${$field};
returns the value the user put into a form like
<input name="email">
when you call
$this->_getValue('email');
The programmer before you expected the POST variables to be in the global space, because of the register_globals directive. Thankfully, this feature has been turned off by default in PHP 4.2 and removed in PHP 5.4.
To quote the documentation:
When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms.
I wonder how could anyone think that was a good idea :)
Yes, it is related to register_globals and yes it is very bad. I think you have fetched that from very old code. Now by default PHP comes with register_globals set to off. That's why the code was not working. Your fix is correct. Register_globals is bad because it generates a serious security risk issue.
Obviously got off track with my poor phrasing of the question, I apologize, but from the comments on Radu's post from Radu and pst, I found the following that answers my question perfectly (as found on http://php.net/manual/en/security.globals.php):
Note: Dealing with register_globals
If the deprecated register_globals directive is set to on then the
variables within will also be made available in the global scope of
the script. For example, $_POST['foo'] would also exist as $foo.

PHP: Undefined Index - Yet I defined Them ? :S

Hey all, my first time asking on stackoverflow!
Anyway. So this morning (and most of last night) I have been working on a project of mine. It's a simple small scale e-commerce site.
Not to bog down with the details of the website, I'll skip straight to it.
Basically, I have my website hosted on a webserver with my own domain. In order to submit the work to my University tutors, I have to transfer the files to their web-server. This can only be accessed when connected to the university network and runs under the path http://jawa/handins/...../
Now in order for the MySQL and PHP to function I have to extract the tables and information from my personal phpmyadmin panel and dump it into the phpmyadmin panel provided on the Uni network. The database is called something a lot different but the tables are the same, so a small minute to make sure my mysql_connect functions are pointing to the correct database and everything is working fine. Or at least that is the plan..
For some reason my PHP variables (Which WORK on MY server) are now undefined - How? I haven't changed a single piece of code except where the database is and that is it:
//form data
$firstName = strip_tags($_POST['firstName']);
$lastName = strip_tags($_POST['lastName']);
$Email = strip_tags($_POST['Email']);
$userName = strip_tags($_POST['userName']);
$regPass = strip_tags($_POST['regPass']);
$repeatPass = strip_tags($_POST['repeatPass']);
$date = date("Y-m-d");
$permissions = strip_tags($_POST['permissions']);
Everything matches up with the relevant submit fields. There is nothing different with the code I have running on my personal webserver, and the code hosted on the university network. Yet now these variables you see here are not defined. Forgive me for being stupid if it's obvious, but I've been up for 20hrs straight now and I'm getting really agitated with small problems. However I will not vent my frustration out on anyone, it's not your fault!
Essentially, those variables are used for a registration form. Each submit field is given the value which is passed on the $_POST[] function. The form is "POSTING" so no problems there. I'm just at a loss!
You probably have a different error_reporting level on your own machine than it is on the other server. Please add error_reporting(E_ALL); to the top of your page, and these will yell at you.
As #Wesley van Opdorp mentioned, your machine must have a different reporting level, if you set it to E_ALL you will see all errors displayed such as warnings, notices, and fatal errors.
You have to remember, if you're writing code with the error_reporting turned off or it is set to hide warnings or even notices and everything is working fine, if you turn it on, it may affect your code as it will report every single undefined variable and some other warnings as if it's on strict mode. You may have to add additional checks if that's the case like using isset or is_null before using or referring to undefined variables. Just a thought.
#Wesley is probably right about error reporting.
Try this too though. Check if the input has been entered before trying to use it:
$firstName = isset($_POST['firstName'])?strip_tags($_POST['firstName']):null;
Looks rough I know, but looks it can be as easy as this:
$date = date("Y-m-d");
$inputs = array('firstName', 'lastName', 'Email', 'userName', 'regPass', 'repeatPass', 'permissions');
$values = array();
foreach ($inputs as $input)
{
    // if it was set/used, store it in the variable, if not store null
    $values[$input] = isset($_POST[$input]) ? $_POST[$input] : null;
}
This saves you writing a line for each of the inputs.
So for example $values['firstName'] would have the value of "John" OR null
So when using any of the $values elements check if it's null or use empty() to see if they put in an actual value.
