php/mysql error

getting error message

   
10:05 pm on Jan 7, 2014 (gmt 0)



Can anyone tell me why I'm getting the following errors:

Notice: Undefined index: id in C:\xampp\htdocs\crudstudents\edit_opposed.php on line 29

Fatal error: Call to a member function fetch_assoc() on a non-object in C:\xampp\htdocs\crudstudents\edit_opposed.php on line 34

Here's the code:

//select the specific database record to update
$query = "select id, last, first, mate. address
from homeowners
LINE 29 where id='".$mysqli->real_escape_string($_REQUEST['id'])."'
limit 0,1";
//execute the query
$result = $mysqli->query( $query );
//get the result
LINE 34 $row = $result->fetch_assoc();
//assign the result to certain variable so our html form will be filled up with values
$address = $row['address'];
$last = $row['last'];
$first = $row['first'];
$mate = $row['mate'];
2:06 am on Jan 8, 2014 (gmt 0)

phranque (WebmasterWorld Administrator)



It looks like your HTTP request doesn't have an ID parameter.
Since the query method failed, you didn't get a $request returned.
You need to add error checking.
2:37 am on Jan 8, 2014 (gmt 0)



Is this not the Request ID parameter?
where id='".$mysqli->real_escape_string($_REQUEST['id'])."'

and I'm very new at php/mysql and OOP, where would the error checking go and how do I check?
Thanks
3:55 am on Jan 8, 2014 (gmt 0)

phranque (WebmasterWorld Administrator)



that's a php error, not a mysql error.
the error is telling you that $_REQUEST['id'] doesn't exist.
12:50 pm on Jan 8, 2014 (gmt 0)

swa66 (WebmasterWorld Senior Member)



I'm very new at php/mysql and OOP, where would the error checking go and how do I check?

It's about writing secure code. That's the same regardless of the programming language or constructs used:
You absolutely must do input validation on anything coming from a client (web browser) before you use it.

Specifically, $_REQUEST contains parameters coming from the browser: before you use them, you consider their contents tainted. So before you use any of them, you check if it's present, if the contents are expected and valid, and only then do you use it further.

Now that said ... $_REQUEST is dangerous for CSRF as you cannot guarantee it's coming from a POST request for things that make changes (in your example as far as I can see it would be ok, but why do the evaluation every time?). Hence in general it's far more solid to use $_POST and $_GET as intended instead of $_REQUEST.
Anti-CSRF requires you to do some more work than just to assure it's a POST when doing changes (you also need to add a random (unpredictable to the attacker) hidden input "token" in each form and check its presence in the POSTed form).
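
The checks described in the replies above (is id present and valid, did the query call return something usable, are changes POST-only and tied to a per-session token), put together as an added example that is not part of any poster's code. It assumes PHP 7+, that db_connect_opposed.php defines $mysqli as in the thread, that homeownersnew.id is an integer key, and a 100-byte limit per text field; the csrf_token field name and the fail() helper are made up for the example.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+, that db_connect_opposed.php
// defines $mysqli, and that homeownersnew.id is an integer key.
session_start();
mysqli_report(MYSQLI_REPORT_OFF);   // failures return false (checked below), not exceptions
include 'db_connect_opposed.php';
function fail($status, $msg) { http_response_code($status); exit($msg); }

// Presence and type check: null means ?id= is absent, false means not a positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) fail(400, 'Missing or invalid id.');

// One unpredictable token per session; the form sends it back as a hidden input.
if (empty($_SESSION['csrf_token'])) $_SESSION['csrf_token'] = bin2hex(random_bytes(32));

// Changes only via POST, and only when the submitted token matches the session's.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals($_SESSION['csrf_token'], $sent)) fail(403, 'Invalid form token.');
    $in = [];
    foreach (['last', 'first', 'mate'] as $name) {
        $v = $_POST[$name] ?? null;   // 100-byte limit below is an assumed column size
        if (!is_string($v) || $v === '' || strlen($v) > 100) fail(400, "Invalid $name.");
        $in[$name] = $v;
    }
    $upd = $mysqli->prepare('UPDATE homeownersnew SET last = ?, first = ?, mate = ? WHERE id = ?');
    if ($upd === false || !$upd->bind_param('sssi', $in['last'], $in['first'], $in['mate'], $id)
        || !$upd->execute()) {
        error_log('UPDATE failed: ' . ($upd ? $upd->error : $mysqli->error));   // log, not browser
        fail(500, 'Database error.');
    }
}
// Load the record; every call that can return false is checked before its result is used.
$sel = $mysqli->prepare('SELECT last, first, mate FROM homeownersnew WHERE id = ? LIMIT 1');
if ($sel === false || !$sel->bind_param('i', $id) || !$sel->execute()) {
    error_log('SELECT failed: ' . ($sel ? $sel->error : $mysqli->error));
    fail(500, 'Database error.');
}
$sel->bind_result($last, $first, $mate);
if (!$sel->fetch()) fail(404, 'No such record.');
$e = function ($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); };
?>
<form method='post'>
<input type='text' name='last' value='<?php echo $e($last); ?>' />
<input type='text' name='first' value='<?php echo $e($first); ?>' />
<input type='text' name='mate' value='<?php echo $e($mate); ?>' />
<input type='hidden' name='csrf_token' value='<?php echo $e($_SESSION['csrf_token']); ?>' />
<input type='submit' value='Edit' />
</form>
```

The form has no action attribute, so it posts back to the current URL and the ?id= value stays in the query string for the POST handler to validate.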
12:58 pm on Jan 8, 2014 (gmt 0)



Here's the url I used to call the program:
[localhost...]
Is the id=366 not the $_REQUEST parameter?
Here's the PHP code that calls the program
echo "<a href='edit_opposed.php?id={$id}'>Edit</a>";
2:13 pm on Jan 8, 2014 (gmt 0)



Let me try again. Let me emphasize again that I'm very new at php/mysqli and am trying to learn by example so I'm presenting working code followed by my code.
Working code:
    display.php

<html>
<head>
<title>MySQLi Read Records</title>
</head>
<body>
<?php
//include database connection
include 'db_connect.php';
//query all records from the database
$query = "select * from users";
//execute the query
$result = $mysqli->query( $query );
//get number of rows returned
$num_results = $result->num_rows;
//this will link us to our add.php to create new record
echo "<div><a href='add.php'>Create New Record</a></div>";
if( $num_results > 0){ //it means there's already a database record
echo "<table border='1'>";//start table
//creating our table heading
echo "<tr>";
echo "<th>Firstname</th>";
echo "<th>Lastname</th>";
echo "<th>Username</th>";
echo "<th>Action</th>";
echo "</tr>";
//loop to show each records
while( $row = $result->fetch_assoc() ){
//extract row
//this will make $row['firstname'] to
//just $firstname only
extract($row);
//creating new table row per record
echo "<tr>";
echo "<td>{$firstname}</td>";
echo "<td>{$lastname}</td>";
echo "<td>{$username}</td>";
echo "<td>";
//just preparing the edit link to edit the record
echo "<a href='edit.php?id={$id}'>Edit</a>";
echo " / ";
//just preparing the delete link to delete the record
echo "<a href='#' onclick='delete_user( {$id} );'>Delete</a>";
echo "</td>";
echo "</tr>";
}
echo "</table>";//end table
}else{
//if database table is empty
echo "No records found.";
}
//disconnect from database
$result->free();
$mysqli->close();
?>
</body>
</html>


MY modified code:
<html>
<head>
<title>MySQLi Read Records</title>
</head>
<body>
<?php
//include database connection
include 'db_connect_opposed.php';
//query all records from the database
$query = "select * from homeownersnew";
//execute the query
$result = $mysqli->query( $query );
//get number of rows returned
$num_results = $result->num_rows;
//this will link us to our add.php to create new record
echo "<div><a href='add.php'>Create New Record</a></div>";
if( $num_results > 0){ //it means there's already a database record
echo "<table border='1'>";//start table
//creating our table heading
echo "<tr>";
echo "<th>last</th>";
echo "<th>first</th>";
echo "<th>mate</th>";
echo "<th>address</th>";
echo "</tr>";
//loop to show each records
while( $row = $result->fetch_assoc() ){
//extract row
//this will make $row['firstname'] to
//just $firstname only
extract($row);
//creating new table row per record
echo "<tr>";
echo "<td>{$last}</td>";
echo "<td>{$first}</td>";
echo "<td>{$mate}</td>";
echo "<td>";
//just preparing the edit link to edit the record
echo "<a href='edit_opposed.php?id={$id}'>Edit</a>";
echo " / ";
//just preparing the delete link to delete the record
echo "<a href='#' onclick='delete_user( {$id} );'>Delete</a>";
echo "</td>";
echo "</tr>";
}
echo "</table>";//end table
}else{
//if database table is empty
echo "No records found.";
}
//disconnect from database
$result->free();
$mysqli->close();
?>
</body>
</html>

And here's the
    edit.php

<?php
//include database connection
include 'db_connect.php';
//check any user action
$action = isset( $_POST['action'] ) ? $_POST['action'] : "";
if($action == "update"){ //if the user hit the submit button
//write our update query
//$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection
$query = "update users
set
firstname = '".$mysqli->real_escape_string($_POST['firstname'])."',
lastname = '".$mysqli->real_escape_string($_POST['lastname'])."',
username = '".$mysqli->real_escape_string($_POST['username'])."',
password = '".$mysqli->real_escape_string($_POST['password'])."'
where id='".$mysqli->real_escape_string($_REQUEST['id'])."'";
//execute the query
if( $mysqli->query($query) ) {
//if updating the record was successful
echo "User was updated.";
}else{
//if unable to update new record
echo "Database Error: Unable to update record.";
}
}
//select the specific database record to update
$query = "select id, firstname, lastname, username, password
from users
where id='".$mysqli->real_escape_string($_REQUEST['id'])."'
limit 0,1";
//execute the query
$result = $mysqli->query( $query );
//get the result
$row = $result->fetch_assoc();
//assign the result to certain variable so our html form will be filled up with values
$id = $row['id'];
$firstname = $row['firstname'];
$lastname = $row['lastname'];
$username = $row['username'];
$password = $row['password'];
?>
<!--we have our html form here where new user information will be entered-->
<form action='#' method='post' border='0'>
<table>
<tr>
<td>Firstname</td>
<td><input type='text' name='firstname' value='<?php echo $firstname; ?>' /></td>
</tr>
<tr>
<td>Lastname</td>
<td><input type='text' name='lastname' value='<?php echo $lastname; ?>' /></td>
</tr>
<tr>
<td>Username</td>
<td><input type='text' name='username' value='<?php echo $username; ?>' /></td>
</tr>
<tr>
<td>Password</td>
<td><input type='password' name='password' value='<?php echo $password; ?>' /></td>
</tr>
<tr>
<td></td>
<td>
<!-- so that we could identify what record is to be updated -->
<input type='hidden' name='id' value='<?php echo $id ?>' />
<!-- we will set the action to update -->
<input type='hidden' name='action' value='update' />
<input type='submit' value='Edit' />
<a href='display.php'>Back to display page</a>
</td>
</tr>
</table>
</form>

and my modified code
<?php
//include database connection
include 'db_connect.php';
//check any user action
$action = isset( $_POST['action'] ) ? $_POST['action'] : "";
if($action == "update"){ //if the user hit the submit button
//write our update query
//$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection
$query = "update homeownersnew
set
last = '".$mysqli->real_escape_string($_POST['last'])."',
first = '".$mysqli->real_escape_string($_POST['first'])."',
mate = '".$mysqli->real_escape_string($_POST['mate'])."',

where id='".$mysqli->real_escape_string($_GET['id'])."'";
//execute the query
if( $mysqli->query($query) ) {
//if updating the record was successful
echo "User was updated.";
}else{
//if unable to update new record
echo "Database Error: Unable to update record.";
}
}
//select the specific database record to update
$query = "select id, last, first, mate, address
from homeownersnew
where id='".$mysqli->real_escape_string($_GET['id'])."'
limit 0,1";
//execute the query
$result = $mysqli->query( $query );
//get the result
$row = $result->fetch_assoc();
//assign the result to certain variable so our html form will be filled up with values
$address = $row['address'];
$last = $row['last'];
$first = $row['first'];
$mate = $row['mate'];
echo "ID is ".$_GET['id']
?>
<!--we have our html form here where new user information will be entered-->
<form action='#' method='post' border='0'>
<table>
<tr>
<td>last</td>
<td><input type='text' name='last' value='<?php echo $last; ?>' /></td>
</tr>
<tr>
<td>first</td>
<td><input type='text' name='first' value='<?php echo $first; ?>' /></td>
</tr>
<tr>
<td>mate</td>
<td><input type='text' name='mate' value='<?php echo $mate; ?>' /></td>
</tr>

<td></td>
<td>
<!-- so that we could addressentify what record is to be updated -->
<input type='haddressden' name='address' value='<?php echo $address ?>' />
<!-- we will set the action to update -->
<input type='haddressden' name='action' value='update' />
<input type='submit' value='Edit' />
<a href='display_opposed.php'>Back to display page</a>
</td>
</tr>
</table>
</form>