
PHP Server Side Scripting Forum

    
php/mysql error
getting error message
ricksum




msg:4635838
 10:05 pm on Jan 7, 2014 (gmt 0)

Can anyone tell me why I'm getting the following errors:

Notice: Undefined index: id in C:\xampp\htdocs\crudstudents\edit_opposed.php on line 29

Fatal error: Call to a member function fetch_assoc() on a non-object in C:\xampp\htdocs\crudstudents\edit_opposed.php on line 34

Here's the code:

//select the specific database record to update
$query = "select id, last, first, mate. address
from homeowners
LINE 29 where id='".$mysqli->real_escape_string($_REQUEST['id'])."'
limit 0,1";
//execute the query
$result = $mysqli->query( $query );
//get the result
LINE 34 $row = $result->fetch_assoc();
//assign the result to certain variable so our html form will be filled up with values
$address = $row['address'];
$last = $row['last'];
$first = $row['first'];
$mate = $row['mate'];

 

phranque




msg:4635867
 2:06 am on Jan 8, 2014 (gmt 0)

It looks like your HTTP Request doesn't have an ID parameter.
Since the query method failed you didn't get a $request Returned.
You need to add error checking.

ricksum




msg:4635869
 2:37 am on Jan 8, 2014 (gmt 0)

Is this not the Request ID parameter?
where id='".$mysqli->real_escape_string($_REQUEST['id'])."'

and I'm very new at php/mysql and OOP, where would the error checking go and how do I check?
Thanks

phranque




msg:4635871
 3:55 am on Jan 8, 2014 (gmt 0)

that's a php error, not a mysql error.
the error is telling you that $_REQUEST['id'] doesn't exist.

swa66




msg:4635913
 12:50 pm on Jan 8, 2014 (gmt 0)

I'm very new at php/mysql and OOP, where would the error checking go and how do I check?

It's about writing secure code. That's the same regardless of the programming language or constructs used:
You absolutely must do input validation on anything coming from a client (web browser) before you use it.

Specifically, $_REQUEST contains parameters coming from the browser: before you use them, you consider their contents tainted. So before you use any of it, you check if it's present, if the contents are expected and valid, and only then do you use it further.

Now that said ... $_REQUEST is dangerous for CSRF as you cannot guarantee it's coming from a POST request for things that make changes (in your example as far as I can see it would be ok, but why do the evaluation every time?). Hence in general it's far more solid to use $_POST and $_GET as intended instead of $_REQUEST.
Anti-CSRF requires you to do some more work than just to assure it's a POST when doing changes (you also need to add a random (unpredictable to the attacker) hidden input "token" in each form and check its presence in the POSTed form).
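
The checks described in the replies above, as an added example that is not part of any poster's message or of the tutorial code: the id is validated before use, the lookup is a prepared statement with each failure handled, and a change is accepted only as a POST carrying the session token. The helper names (valid_id, csrf_token, csrf_ok, fetch_homeowner) and the `csrf` field name are assumptions; the table and columns are those of the first post.

```php
<?php
// Added example: helper names are hypothetical; table and columns are from the thread.
// Return the id as a positive integer, or null when it is absent or malformed.
function valid_id(array $params): ?int
{
    $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Create, once per session, the unpredictable token for the hidden form field.
function csrf_token(array &$session): string
{
    $session['csrf'] = $session['csrf'] ?? bin2hex(random_bytes(32));
    return $session['csrf'];
}

// Accept a change only when it is a POST that carries the session's token.
function csrf_ok(string $method, array $post, array $session): bool
{
    return $method === 'POST' && isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf']) && hash_equals($session['csrf'], $post['csrf']);
}

// Fetch one row with a prepared statement; every step that can fail is checked.
function fetch_homeowner(mysqli $db, int $id): ?array
{
    try {
        $stmt = $db->prepare('select id, last, first, mate, address
                              from homeowners where id = ? limit 1');
        if ($stmt === false || !$stmt->bind_param('i', $id) || !$stmt->execute()) {
            // SQL rejected (e.g. a typo in the column list) or execution failed
            throw new mysqli_sql_exception($stmt ? $stmt->error : $db->error);
        }
        $stmt->bind_result($rowId, $last, $first, $mate, $address);
        $found = $stmt->fetch();            // null when no row matches
        $stmt->close();
        return $found ? ['id' => $rowId, 'last' => $last, 'first' => $first,
                         'mate' => $mate, 'address' => $address] : null;
    } catch (mysqli_sql_exception $e) {     // PHP 8.1+ throws by default
        error_log('homeowner lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Sample inputs constructed for this example; this part needs no database.
var_dump(array_map('valid_id', [['id' => '366'], [], ['id' => 'abc'], ['id' => '-5']]));
$session = [];
$token = csrf_token($session);
var_dump(csrf_ok('POST', ['csrf' => $token], $session), csrf_ok('GET', [], $session));
```

In a page like edit_opposed.php, valid_id($_GET) would run before fetch_homeowner($mysqli, $id), and csrf_ok($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION) before the update query, with session_start() called first.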

ricksum




msg:4635914
 12:58 pm on Jan 8, 2014 (gmt 0)

Here's the url I used to call the program:
[localhost...]
Is the id=366 not the $_REQUEST parameter?
Here's the PHP code that calls the program
echo "<a href='edit_opposed.php?id={$id}'>Edit</a>";

ricksum




msg:4635920
 2:13 pm on Jan 8, 2014 (gmt 0)

Let me try again. Let me emphasize again that I'm very new at php/mysqli and am trying to learn by example so I'm presenting working code followed by my code.
Working code (display.php):

<html>
<head>
<title>MySQLi Read Records</title>
</head>
<body>
<?php
//include database connection
include 'db_connect.php';
//query all records from the database
$query = "select * from users";
//execute the query
$result = $mysqli->query( $query );
//get number of rows returned
$num_results = $result->num_rows;
//this will link us to our add.php to create new record
echo "<div><a href='add.php'>Create New Record</a></div>";
if( $num_results > 0){ //it means there's already a database record
echo "<table border='1'>";//start table
//creating our table heading
echo "<tr>";
echo "<th>Firstname</th>";
echo "<th>Lastname</th>";
echo "<th>Username</th>";
echo "<th>Action</th>";
echo "</tr>";
//loop to show each records
while( $row = $result->fetch_assoc() ){
//extract row
//this will make $row['firstname'] to
//just $firstname only
extract($row);
//creating new table row per record
echo "<tr>";
echo "<td>{$firstname}</td>";
echo "<td>{$lastname}</td>";
echo "<td>{$username}</td>";
echo "<td>";
//just preparing the edit link to edit the record
echo "<a href='edit.php?id={$id}'>Edit</a>";
echo " / ";
//just preparing the delete link to delete the record
echo "<a href='#' onclick='delete_user( {$id} );'>Delete</a>";
echo "</td>";
echo "</tr>";
}
echo "</table>";//end table
}else{
//if database table is empty
echo "No records found.";
}
//disconnect from database
$result->free();
$mysqli->close();
?>
</body>
</html>


My modified code:
<html>
<head>
<title>MySQLi Read Records</title>
</head>
<body>
<?php
//include database connection
include 'db_connect_opposed.php';
//query all records from the database
$query = "select * from homeownersnew";
//execute the query
$result = $mysqli->query( $query );
//get number of rows returned
$num_results = $result->num_rows;
//this will link us to our add.php to create new record
echo "<div><a href='add.php'>Create New Record</a></div>";
if( $num_results > 0){ //it means there's already a database record
echo "<table border='1'>";//start table
//creating our table heading
echo "<tr>";
echo "<th>last</th>";
echo "<th>first</th>";
echo "<th>mate</th>";
echo "<th>address</th>";
echo "</tr>";
//loop to show each records
while( $row = $result->fetch_assoc() ){
//extract row
//this will make $row['firstname'] to
//just $firstname only
extract($row);
//creating new table row per record
echo "<tr>";
echo "<td>{$last}</td>";
echo "<td>{$first}</td>";
echo "<td>{$mate}</td>";
echo "<td>";
//just preparing the edit link to edit the record
echo "<a href='edit_opposed.php?id={$id}'>Edit</a>";
echo " / ";
//just preparing the delete link to delete the record
echo "<a href='#' onclick='delete_user( {$id} );'>Delete</a>";
echo "</td>";
echo "</tr>";
}
echo "</table>";//end table
}else{
//if database table is empty
echo "No records found.";
}
//disconnect from database
$result->free();
$mysqli->close();
?>
</body>
</html>

And here's the edit.php:

<?php
//include database connection
include 'db_connect.php';
//check any user action
$action = isset( $_POST['action'] ) ? $_POST['action'] : "";
if($action == "update"){ //if the user hit the submit button
//write our update query
//$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection
$query = "update users
set
firstname = '".$mysqli->real_escape_string($_POST['firstname'])."',
lastname = '".$mysqli->real_escape_string($_POST['lastname'])."',
username = '".$mysqli->real_escape_string($_POST['username'])."',
password = '".$mysqli->real_escape_string($_POST['password'])."'
where id='".$mysqli->real_escape_string($_REQUEST['id'])."'";
//execute the query
if( $mysqli->query($query) ) {
//if updating the record was successful
echo "User was updated.";
}else{
//if unable to update new record
echo "Database Error: Unable to update record.";
}
}
//select the specific database record to update
$query = "select id, firstname, lastname, username, password
from users
where id='".$mysqli->real_escape_string($_REQUEST['id'])."'
limit 0,1";
//execute the query
$result = $mysqli->query( $query );
//get the result
$row = $result->fetch_assoc();
//assign the result to certain variable so our html form will be filled up with values
$id = $row['id'];
$firstname = $row['firstname'];
$lastname = $row['lastname'];
$username = $row['username'];
$password = $row['password'];
?>
<!--we have our html form here where new user information will be entered-->
<form action='#' method='post' border='0'>
<table>
<tr>
<td>Firstname</td>
<td><input type='text' name='firstname' value='<?php echo $firstname; ?>' /></td>
</tr>
<tr>
<td>Lastname</td>
<td><input type='text' name='lastname' value='<?php echo $lastname; ?>' /></td>
</tr>
<tr>
<td>Username</td>
<td><input type='text' name='username' value='<?php echo $username; ?>' /></td>
</tr>
<tr>
<td>Password</td>
<td><input type='password' name='password' value='<?php echo $password; ?>' /></td>
<tr>
<td></td>
<td>
<!-- so that we could identify what record is to be updated -->
<input type='hidden' name='id' value='<?php echo $id ?>' />
<!-- we will set the action to update -->
<input type='hidden' name='action' value='update' />
<input type='submit' value='Edit' />
<a href='display.php'>Back to display page</a>
</td>
</tr>
</table>
</form>

and my modified code:
<?php
//include database connection
include 'db_connect.php';
//check any user action
$action = isset( $_POST['action'] ) ? $_POST['action'] : "";
if($action == "update"){ //if the user hit the submit button
//write our update query
//$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection
$query = "update homeownersnew
set
last = '".$mysqli->real_escape_string($_POST['last'])."',
first = '".$mysqli->real_escape_string($_POST['first'])."',
mate = '".$mysqli->real_escape_string($_POST['mate'])."',

where id='".$mysqli->real_escape_string($_GET['id'])."'";
//execute the query
if( $mysqli->query($query) ) {
//if updating the record was successful
echo "User was updated.";
}else{
//if unable to update new record
echo "Database Error: Unable to update record.";
}
}
//select the specific database record to update
$query = "select id, last, first, mate, address
from homeownersnew
where id='".$mysqli->real_escape_string($_GET['id'])."'
limit 0,1";
//execute the query
$result = $mysqli->query( $query );
//get the result
$row = $result->fetch_assoc();
//assign the result to certain variable so our html form will be filled up with values
$address = $row['address'];
$last = $row['last'];
$first = $row['first'];
$mate = $row['mate'];
echo "ID is ".$_GET['id']
?>
<!--we have our html form here where new user information will be entered-->
<form action='#' method='post' border='0'>
<table>
<tr>
<td>last</td>
<td><input type='text' name='last' value='<?php echo $last; ?>' /></td>
</tr>
<tr>
<td>first</td>
<td><input type='text' name='first' value='<?php echo $first; ?>' /></td>
</tr>
<tr>
<td>mate</td>
<td><input type='text' name='mate' value='<?php echo $mate; ?>' /></td>
</tr>

<td></td>
<td>
<!-- so that we could addressentify what record is to be updated -->
<input type='haddressden' name='address' value='<?php echo $address ?>' />
<!-- we will set the action to update -->
<input type='haddressden' name='action' value='update' />
<input type='submit' value='Edit' />
<a href='display_opposed.php'>Back to display page</a>
</td>
</tr>
</table>
</form>
