Forum Moderators: coopster
<body id="page
<?php
$id=$_GET['id'];
$subid=$_GET['subid'];
if ($id==NULL && $subid==NULL) {
$id = 'home';
$subid = 'home';
}
echo($id);
?>
">
It takes variables passed from links in the form index.php?id=X&subid=Y, and uses those values to write an ID value for the <body> tag (which is then used by the css to show a 'current' state for the appropriate menu button).
All of this works fine, as long as the page is entered from a link which passes the variables. The problem lies with the HOME page, where first entering the site does not pass any variables.
I am currently researching the use of either mod_rewrite or a php script in index.php to convert forward slashed uris, which would make this method I'm trying now unnecessary, but FOR NOW, I need to get the code above working.
The result in the source of the resulting page, when just index.php is used to enter the site says...
<body id="page<br />
<b>Notice</b>: Undefined index: id in <b>d:\apache\htdocs\miterbox\index.php</b> on line <b>12</b><br />
<br />
<b>Notice</b>: Undefined index: subid in <b>d:\apache\htdocs\miterbox\index.php</b> on line <b>13</b><br />
home">
I added the bold. Notice that it is writing the correct value, but only after the NOTICES.
I assume from this that, (a) there is an error in my code that I'm not seeing or (b)a missing variable does not have a value NULL. In which case I need to have the IF statement check for something else...the non-existence of a variable, perhaps.
Any thoughts on how to do that? Thanks in advance for any response.
<note>This particular code block doesn't really need the $subid variable, but it is used later in the page to include() the correct files, so I went ahead and $_GETted it here.</note>
Would the ternary operator do the trick?
$id = $_GET['id']? $_GET['id'] : 'home';
looks like something got garbled in the code you posted.
lol...I'll try not to take that personally. ;)
Actually, it didn't get garbled, I just added line breaks to make it readable. Assuming you see something there that doesn't look right, can you point out what it is?
I tried the ternary approach on your suggestion. It has the same results, ie, works on everything except the home page (w/ no variables passed). The page produces fine, but the resulting html source code shows the same "Undefined index" error in the middle of the <body> tag.
I also tried...
if(!isset($id)) {
$id='home';
}
...all to no avail. Exact same results from all three methods.
Thanks, by the way, for your response, timster.
<body id="page
<?php
if (isset($_GET['id'])) {
$id=$_GET['id'];
} else {
$id="home";
}
echo($id);
?>
">
OR
<body id="page
<?php
if (strlen($_GET['id']) > 0) {
$id=$_GET['id'];
} else {
$id="home";
}
echo($id);
?>
">
One of those might work.
I presume you're qualifying these variables somewhere? Something like :
if(isset($_REQUEST['id'])){
if($_REQUEST['id']!== 'valid_string1' ¦¦ if($_REQUEST['id']!== 'valid_string2' ¦¦ if($_REQUEST['id']!== 'valid_string3') {$id = 'home';}
}
With all the possible values of the passed variable instead of 'valid_string1' etc. That'll stop someone messing your website :-)
There are more elegant ways to qualify a variable, but it depends on too many other things, so I've just given a quick and simple example for you.
Hope this helps :-)
JohnP
John, by 'qualifying' do you mean ensuring that only variables referring to actual contents of the site can be passed? I like the security that would seem to offer, but setting up qualifiers like that could get pretty hairy on a high content site. And imagine trying to do that with a blog?
I suppose that's very reason I've seen people warn against using _GET and passing veriables in a URL? I'm hoping to start using mod_rewrite (or a php equivalent) to structure my URLs with forward slashes then rewrite them to variable form, but it's slow going. If you happen to know of any good resources for this, please let me know.
Anyway, thanks to you all for the help.
It's something so simple as initializing variables before you use them -
Since PHP is so forgiving about variables not existing before you use them, it's easy to forget to make sure they exist before you do.
Here is my typical code to check for variables when I create them:
if(isset($_GET['field']) and $_GET['field']!= '')
$field = $_GET['field'];
else $field = 'defaultfield';
(Mind you I always keep register_globals off. It just creates a big mess).
The same goes for POST:
if(isset($_POST['field']) and $_POST['field']!= '')
$field = $_POST['field'];
else $field = 'defaultfield';
Finally,
if($field!= '') etc..
The above checking is what's meant by a 'fully qualified variable.' That being - making sure the variable exists before it is used in a comparison. I always code with error reporting set to maximum so that it forces me to keep my code completely standard and easily readable.
I HATE reading code written by people who use register_globals. I spent 98% of my time trying to figure out "well where in the heck did $id come from?"
The same goes for POST:
if(isset($_POST['field']) and $_POST['field']!= '')
$field = $_POST['field'];
else $field = 'defaultfield';
</snip>
You can cover both GET and POST by using REQUEST now PHPv4.3.1 was when that started - I think.
The qualification you are doing here is merely finding out if the variable exists and defaulting to some value if not. What I was talking about was a complete system of checking that the variable was one of a selection of friendly possiblities that you set, and not some nasty peice of code that someone is trying to inject into your server.
Example:
A GET variable will create a url like this:
[mydomain.com?1stvariable=value01&2ndvariable=value02...]
Anyone can write this url into a browser and find the page, with these variables set, it doesn't *have* to be clicked through. This means that I could equally easily write :
[mydomain.com?1stvariable=$some_$nasty_$code&2ndvariable=$some_$more_$nasty_$code...]
and possibly b0rk your server. I know - it happened to me once some years ago :-(
Hope this helps a bit ........
JohnP.
You can cover both GET and POST by using REQUEST now PHPv4.3.1 was when that started - I think.
REQUEST also includes the COOKIE array, unfortunately. I have successfully fooled my own script into thinking a non-admin was an admin using a COOKIE injection into the REQUEST array.
Rather than get into some convoluted solution to check for valid data, I went with the much simpler option of never using REQUEST. I want to know EXACTLY where my variables are coming from.
It's not really any easier to just use REQUEST anyway.
But by doing the simple check of whether a variable exists or not - no matter if it's GET or POST - doesn't stop a hacker trying to inject a nasty script into your server by way of a query string in the url which is not then checked as being acceptable.
<snip>Rather than get into some convoluted solution to check for valid data, I went with the much simpler option of never using REQUEST. I want to know EXACTLY where my variables are coming from. </snip>
But by doing the simple check of whether a variable exists or not - no matter if it's GET or POST - doesn't stop a hacker trying to inject a nasty script into your server by way of a query string in the url which is not then checked as being acceptable.
You're quite correct :) It's not the only thing I do. Just one of them. I eliminate ambiguity wherever possible. Makes sure the behavior of my script is fully understood.
