undefined variables

Forum Moderators: coopster

Message Too Old, No Replies

undefined variables

jehoshua

11:19 pm on May 9, 2019 (gmt 0)

A php script that has worked for years; now undefined variables

php doesn't like the '2' in thie last line of this set..

//Construct other variables
$combine = $ip . " tried to load " . $server_name . $request_uri ;
$pieces = explode("/", $request_uri);
$request_uri_fp = $pieces[1]; 
$request_uri_lc = strtolower($request_uri_fp); 
$request_uri_sp = $pieces[2];

or 'pos' in this

if ($pos === false) {

$pos is evaluated in a few pieces of code,like ..

$findme = 'http:';
$pos = strpos($request_uri, $findme);

lucy24

11:50 pm on May 9, 2019 (gmt 0)

A php script that has worked for years

How many years? Has your server recently moved from one php version to another?

Off-the-top-of-my-head questions:

What's "http" doing in request_uri?

How do you get from strpos (a number) to false (a toggle)?

NickMNS

12:43 am on May 10, 2019 (gmt 0)

if it doesn't like the "2" that can only mean one thing.
The resulting array only has length of two, so calling the index [2] of the array returns undefined. (I assume that PHP is 0 indexed, I typically code is Python and JS)
The likely cause is here:

$pieces = explode("/", $request_uri);

$request_uri only has one "/" so the resulting

Why now after 2 years? No idea see what Lucy said above.

Dimitri

3:05 pm on May 10, 2019 (gmt 0)

$pieces[2] doesn't exist. This can be for all kind of reason, including a change in your URL addresses. Always test variables before using them, never assume they "should" exist, this is how hackers are succeeding run exploits.

As for the $pos question, it would require a whole code to tell. It's not because it's defined in few pieces of code, that it means these code are effectively executed in a given situation.

jehoshua

10:29 pm on May 10, 2019 (gmt 0)

Thanks for those replies. I will get back to answering them in a day or so. Have a website to upgrade. Had a quick look at the logs and it seemed to be what visitors were doing (parsing) more than code 'breaking'. That said, the code needs modifying to cater for all situations. Thanks :)

jehoshua

5:56 am on May 11, 2019 (gmt 0)

Had a look at the error log and match the time/date from the server logs. The errors were caused by what people were parsing. If visitors follow the links, there are no issues. But there have been many hackers and other attempts lately. SQL injection attempts, looking for paths that don't exist, trying to do a POST,etc.

Have modified the code to cater for those situations. Thanks for your help, much appreciated. :)

Dimitri

7:48 am on May 11, 2019 (gmt 0)

This is why you must always verify ALL the variables you are processing.

penders

9:30 pm on May 12, 2019 (gmt 0)

But there have been many hackers and other attempts lately.....

Apart from changes in "user submitted" data that had not been tested for, the sudden appearance of "undefined variable notices", where previously none were reported suggests a change in the error_reporting level. Which could come about through a PHP "upgrade" (as @lucy24 pointed out), although the error_reporting level should be set in your script to avoid such changes influencing your script in this way.

Whilst "undefined variable" notices aren't necessarily an error, they can indicate vulnerabilities in the script - it depends on the script. It is always preferable to eliminate any such notices/warnings.

What's "http" doing in request_uri?

Note that the $request_uri variable used here is defined by the OP. It isn't the same as the REQUEST_URI Apache server variable, or the $_SERVER['REQUEST_URI'] PHP superglobal - unless the OP has explicitly defined it to be so (which I guess is not the case looking at this code).

I guess the use of $request_uri in the first and last code snippets above relate to different scenarios. If $request_uri contained an absolute URL (like the last snippet suggests) then both $request_uri_fp and $request_uri_lc in the first code snippet would be empty strings.

How do you get from strpos (a number) to false (a toggle)?

Isn't PHP's loose typing great!

strpos() returns (bool)false when $findme is not found at all in the search string (to differentiate the scenario when $findme is found at the very start of the string and returns 0 - which evaluates to false when compared loosely)

jehoshua

9:48 pm on May 12, 2019 (gmt 0)

Thanks, yes, why didn't $pos error come up before ? The line were it is giving an error is because it hasn't been evaluated (oops). So, as the last poster stated, more than likely a php error level changing.

lucy24

12:44 am on May 13, 2019 (gmt 0)

Isn't PHP's loose typing great!

Yes, hours after posting I remembered that FALSE translates numerically as 0 ... except when it translates as -1. Or possibly you need it to translate as -1 because 0 might mean a legitimately non-false value (such as the first character in a string, which is by no means the same thing as the character not occurring at all).

Dimitri

7:05 am on May 13, 2019 (gmt 0)

This is the purpose of the triple equal operator === to test if a variable is both of a given type, and a given value. (or not equal !==)