PHP Warning while passing $_POST to array_key_exists() - php

So I am using the following style of code if(array_key_exists('some_value', $_POST)){echo 'hi';}
For PHP 5.2.17 I am getting a warning from this style of code. This is the warning:
WARNING: argument 2 for array_key_exists() is not either an array or an object on line: 123
This seems strange to me because I believe that the $_POST array should always be defined. Is that not the case? I'm not sure what would cause the $_POST array to not be considered an array. I am not resetting $_POST to anything so it should exist as an array at all times. Does anyone have any idea what is wrong. Please let me know if more information is needed and thank you for the help.
Edit: I should note that this only happens on the production server. My local environment does not have this problem.

The superglobals $_POST and $_GET are only populated if the script is POSTed to or GET from. In your example, the reason that you'd get that error is if there was no post action to the script. Before checking for a certain post value, you should check to make sure there was a post:
if(isset($_POST)) {
//The form was posted
}
In that fashion. From there, you can check for certain values using array_key_exists, or you can further check isset($_POST['myKey']).

Use if(isset($_POST['some_value'])) { echo 'hi'; } instead. Never had a problem with it.
Also check that you are not overriding or unsetting $_POST (or that some framework you are using is not doing it for you). I avoid doing so with superglobal variables since I think it is a bad practice and might give headaches like this one.

Related

What is the correct (safe) alternative to PHP import_request_variables?

Full disclosure: I'm not a PHP programmer, rather a Javascript/Node programmer, but I'm trying to help a friend fix a fatal PHP error on their site.
To wit,
Fatal error: Call to undefined function import_request_variables()
I've looked it up and import_request_variables() is deprecated.
The relevant piece of code is this -- I noticed that the developer seems to have tried out the more modern form (?) and abandoned it.
import_request_variables("pgc", "re_");
//extract($_GET, EXTR_PREFIX_ALL, "pgc");
//extract($_POST, EXTR_PREFIX_ALL, "pgc");
//extract($_GET, EXTR_PREFIX_ALL, "re_");
//extract($_POST, EXTR_PREFIX_ALL, "re_");
I found a solution on Stack Overflow here Php import_request_variable stopped working, that suggests using that same extract method
extract($_GET, EXTR_PREFIX_ALL, 'p');
extract($_POST, EXTR_PREFIX_ALL, 'p');
Is this the correct method to follow? I've read in other posts (e.g. here) that this could lead to security errors, as does the PHP documentation here
Warning
Do not use extract() on untrusted data, like user input (e.g. $_GET, $_FILES).
and that it's best to import the variables specifically, but I'm not sure that I'm adept enough at PHP to go through all the code and figure out where each variable is being used...
What's the best way to solve this issue swiftly and securely?
Thanks for any help!
EDIT:
This is the code where the variables are used, for what it's worth
if ($re_sub && $re_sec) { $content="./$re_sec/$re_sub.php";}
else if ($re_sec) { $content="./$re_sec/index.php";}
else { $content="./home.php";}
Wow. import_request_variables went away in PHP5, that was a LONG time ago... hope you are upgrading to 7!
Anyway, it seems that you are basically trying to take a form POST and have the content of the post determine the URL the user is sent to. Since you can't trust user input (or shouldn't anyway) you check what is sent in the $_POST array against a whitelist. Depending on how many sections and sub-sections you have, that whitelist can be hard coded, kept in a separate include file, stored in a database, etc.
Given a structure like
home
sec1
sec1sub1
sec1sub2
sec1sub3
sec2
sec2sub1
sec2sub2
sec2sub3
sec3
sec3sub1
sec3sub2
sec3sub3
You can do something like loop through your whitelist and see if a matching POST variable was sent, if so add it to the URL.
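// Start empty so the result is "/cars/sedan", not "//cars/sedan"
// (a leading "//" would be read as a host name by the browser).
$url = "";
// Whitelist: allowed sections mapped to their allowed sub-sections
$whitelist = array();
$whitelist['cars'] = array("compact", "sedan", "sportscar");
$whitelist['trucks'] = array("diesel", "4x4");
$whitelist['suvs'] = array("crossovers", "domestic", "import");
foreach ($whitelist as $k => $v) {
    // Only section names from the whitelist ever reach the URL
    if (isset($_POST[$k])) {
        $url = $url . "/" . $k;
        foreach ($v as $subv) {
            if (isset($_POST[$subv])) {
                $url = $url . "/" . $subv;
            }
        }
    }
}
// Header name must be followed directly by the colon; fall back to "/" if nothing matched
header("Location: " . ($url === "" ? "/" : $url));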
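The whitelist idea above applied to the question's own $content logic, as an added example that is not code from the original posts. It assumes PHP 7+, that the request parameters are named sec and sub (what the re_ prefix implies), and it reuses the answer's sample section names as a hypothetical site map.

```php
<?php
// Hypothetical site map (assumption): section => allowed sub-sections.
const SECTIONS = [
    'cars'   => ['compact', 'sedan', 'sportscar'],
    'trucks' => ['diesel', '4x4'],
    'suvs'   => ['crossovers', 'domestic', 'import'],
];

/**
 * Replacement for import_request_variables() + "./$re_sec/$re_sub.php":
 * read only the two parameters that are needed, and build the path
 * only from values that match the whitelist exactly.
 */
function resolve_content(array $request): string
{
    $sec = $request['sec'] ?? null;
    $sub = $request['sub'] ?? null;

    // Rejects missing values, arrays (sec[]=x) and any string that is
    // not an exact whitelist key, so "../" never reaches the path.
    if (!is_string($sec) || !array_key_exists($sec, SECTIONS)) {
        return './home.php';
    }
    // Strict in_array: no type juggling when comparing the sub-section.
    if (is_string($sub) && in_array($sub, SECTIONS[$sec], true)) {
        return "./$sec/$sub.php";
    }
    return "./$sec/index.php";
}

// Constructed sample requests (stand-ins for $_GET / $_POST).
$samples = [
    ['sec' => 'cars', 'sub' => 'sedan'],            // ./cars/sedan.php
    ['sec' => 'cars'],                              // ./cars/index.php
    ['sec' => 'cars', 'sub' => '../trucks/diesel'], // ./cars/index.php
    ['sec' => '../../etc', 'sub' => 'passwd'],      // ./home.php
    ['sec' => ['cars']],                            // ./home.php
    [],                                             // ./home.php
];
foreach ($samples as $s) {
    echo json_encode($s, JSON_UNESCAPED_SLASHES), ' => ', resolve_content($s), "\n";
}
```

In the page script this would be called as `$content = resolve_content($_POST + $_GET);`, with no extract() and no request-derived variable names.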

Netbeans IDE ajax request POST warning jquery php

Do not Access Superglobal $_POST Array Directly.
Use some filtering functions instead (e.g. filter_input(), conditions with is_*() functions, etc.).
----
(Alt-Enter shows hints)
I am getting this kind of warning in my NetBeans IDE when I am sending an AJAX request to my PHP file.
My request type is POST and when I go to PHP page I am getting the warning.
Can this warning harm my code in any way? How do I get rid of this?
Should I just ignore it, or is it very important to get rid of the warning?
The warning is appearing in the $_POST when I am getting the data that is passed from AJAX.
Example:
$fname = ($_POST['Fname']);
The line $_POST is having the yellow underline.
The warning text you posted gives you the examples - pass your $_POST param through a function like filter_input() or is_*().
try something like:
$fname = filter_input(INPUT_POST, 'Fname', FILTER_SANITIZE_SPECIAL_CHARS);
Reference - http://php.net/manual/en/function.filter-input.php
EDIT:
The list of available filters is linked on the function page.
You do not have to use FILTER_SANITIZE_SPECIAL_CHARS, I just gave it as example.
The point is that NetBeans is telling you to validate / sanitize POST data. You can write your own functions for that. Check whether the value is of the correct type, length etc.

how to parse dynamic _POST variable in php

I'm stuck with a php/mySQL thing..
I have a dynamically created form and I want to parse the $_POST variables it generates. To be specific, I have a query in SQL which generates the fields in my form. Then, I need to process these variables in the PHP file that the form's action points to.
However, I cannot parse the dynamically created $_POST variables. Below is my code:
$sql="just-a-query";
$result = mysql_query($sql);
while ($data = mysql_fetch_array($result)) {
${''.$data['parameterName']}=$_POST[$data['parameterName']];
}
For example, if I have 3 variables that got through the form the values:
house=1
tree=3
car=2
I would like to save them via php like this:
$house=$_POST['house'];
$tree=$_POST['tree'];
$car=$_POST['car'];
However I can't get through it. It returns Undefined index error. Any thoughts?
If you want to find if a variable is defined before using it, it's as simple as using isset():
if( isset($_POST[$data['parameterName']]) ) {
${''.$data['parameterName']}=$_POST[$data['parameterName']];
}
If, on the other hand, it's supposed to be defined (you see the form element) but it's not getting defined in the postback, first check to make sure that your form submission type is post, then check to make sure you are using the name attribute in the form elements.
thank you for your time. My problem was that I was parsing wrong parameters from the HTML.
Yes, I'm an idiot and yes, var_dump() helped me to figure my error.
Thanks again!
btw, my code was working perfectly. Ha!

How does a PHP global variable (i.e. $email) automatically get populated when a form is posted?

I came across a bit of code working in someone else's code for a form validator. It was supposed to return a value from the form data posted. Anyway, it was always returning NULL. This is what the function was in its entirety (the assumption is that this code did work at one point):
function _getValue($field)
{
global ${$field};
return ${$field};
}
From the context in the other functions, I could tell it was trying to get the value from the (in this case) $_POST variable. When I changed the function to the following, everything worked like a charm:
function _getValue($field)
{
// $_REQUEST should hold $_GET and $_POST values
return $_REQUEST[$field];
}
So my question is... what the heck does global ${$field} mean in this context? I know what ${$field} is, but let's say they passed in email to that function. Where is this global $email variable coming from?
How is the original function supposed to have worked? I know there's something called "Super Globals" or something and that's bad. Is this related? Is that possibly why it stopped working? Did the host turn off Super Globals?
[EDIT] There was obviously some confusion in the way I phrased the question. I know what ${$field} and $$field mean, but I don't know how
global ${$field};
return ${$field};
returns the value the user put into a form like
<input name="email">
when you call
$this->_getValue('email');
The programmer before you expected the POST variables to be in the global space, because of the register_globals directive. Thankfully, this feature has been turned off by default in PHP 4.2 and removed in PHP 5.4.
To quote the documentation:
When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms.
I wonder how could anyone think that was a good idea :)
Yes, it is related to register_globals and yes, it is very bad. I think you have fetched that from very old code. Now by default PHP comes with register_globals set to off. That's why the code was not working. Your fix is correct. register_globals is bad because it generates a serious security risk issue.
Obviously got off track with my poor phrasing of the question, I apologize, but from the comments on Radu's post from Radu and pst, I found the following that answers my question perfectly (as found on http://php.net/manual/en/security.globals.php):
Note: Dealing with register_globals
If the deprecated register_globals directive is set to on then the
variables within will also be made available in the global scope of
the script. For example, $_POST['foo'] would also exist as $foo.

PHP Script Not Receiving Post Data

I have a php script that is processing a form for me. However, something is strange (or I'm just a bigger noob than I think).
The following code at the top of the script:
<?php
// Get Post Data to Insert into Database
print('<pre>');
print_r($_POST);
print('</pre>');
$vehicleID = $_Post['list3'];
echo "Variable vehicleID is: {$vehicleID}";
echo "Post variable list3 is: {$_Post['list3']}";
?>
Results in the following "printout" when the form is submitted and form data intercepted by the script:
Array
(
[list1] => 7
[list2] => 3923
[list3] => 20745
[Submit] => Submit
)
Variable vehicleID is: Post variable list3 is:
I've only included the post array printout to see if post data is actually being received - which, apparently, it is. So, why is not passing into my variable so that I can USE it?
I know I'm just a PHP hack, but I feel like I must be losing it.
Your code has $_Post and should be $_POST?
Try changing $_Post to $_POST in the lower part of your code; that may be what's causing the problem.
The manual page on the HTTP POST data superglobal array describes it as $_POST.
And, elsewhere:
Basics
Variables in PHP are represented by a dollar sign followed by the name of the variable. The variable name is case-sensitive.
Thus it follows that your use of $_Post should, in fact, read $_POST.
You should fix your error_reporting settings, because you should have seen an E_NOTICE about using a non-existent variable.
