Welcome to WebmasterWorld Guest from 54.227.157.163

Forum Moderators: coopster & jatar k

undefined variables

     
11:19 pm on May 9, 2019 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 85
votes: 0


A php script that has worked for years; now undefined variables

php doesn't like the '2' in thie last line of this set..

//Construct other variables
$combine = $ip . " tried to load " . $server_name . $request_uri ;
$pieces = explode("/", $request_uri);
$request_uri_fp = $pieces[1];
$request_uri_lc = strtolower($request_uri_fp);
$request_uri_sp = $pieces[2];


or 'pos' in this

if ($pos === false) {


$pos is evaluated in a few pieces of code,like ..

$findme = 'http:';
$pos = strpos($request_uri, $findme);
11:50 pm on May 9, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15650
votes: 800


A php script that has worked for years
How many years? Has your server recently moved from one php version to another?

Off-the-top-of-my-head questions:

What's "http" doing in request_uri?

How do you get from strpos (a number) to false (a toggle)?
12:43 am on May 10, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2569
votes: 738


if it doesn't like the "2" that can only mean one thing.
The resulting array only has length of two, so calling the index [2] of the array returns undefined. (I assume that PHP is 0 indexed, I typically code is Python and JS)
The likely cause is here:
$pieces = explode("/", $request_uri);

$request_uri only has one "/" so the resulting

Why now after 2 years? No idea see what Lucy said above.
3:05 pm on May 10, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Nov 13, 2016
posts:792
votes: 165


$pieces[2] doesn't exist. This can be for all kind of reason, including a change in your URL addresses. Always test variables before using them, never assume they "should" exist, this is how hackers are succeeding run exploits.

As for the $pos question, it would require a whole code to tell. It's not because it's defined in few pieces of code, that it means these code are effectively executed in a given situation.
10:29 pm on May 10, 2019 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 85
votes: 0


Thanks for those replies. I will get back to answering them in a day or so. Have a website to upgrade. Had a quick look at the logs and it seemed to be what visitors were doing (parsing) more than code 'breaking'. That said, the code needs modifying to cater for all situations. Thanks :)
5:56 am on May 11, 2019 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 85
votes: 0


Had a look at the error log and match the time/date from the server logs. The errors were caused by what people were parsing. If visitors follow the links, there are no issues. But there have been many hackers and other attempts lately. SQL injection attempts, looking for paths that don't exist, trying to do a POST,etc.


Have modified the code to cater for those situations. Thanks for your help, much appreciated. :)
7:48 am on May 11, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Nov 13, 2016
posts:792
votes: 165


This is why you must always verify ALL the variables you are processing.
9:30 pm on May 12, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3127
votes: 1


But there have been many hackers and other attempts lately.....


Apart from changes in "user submitted" data that had not been tested for, the sudden appearance of "undefined variable notices", where previously none were reported suggests a change in the error_reporting level. Which could come about through a PHP "upgrade" (as @lucy24 pointed out), although the error_reporting level should be set in your script to avoid such changes influencing your script in this way.

Whilst "undefined variable" notices aren't necessarily an error, they can indicate vulnerabilities in the script - it depends on the script. It is always preferable to eliminate any such notices/warnings.

What's "http" doing in request_uri?


Note that the $request_uri variable used here is defined by the OP. It isn't the same as the REQUEST_URI Apache server variable, or the $_SERVER['REQUEST_URI'] PHP superglobal - unless the OP has explicitly defined it to be so (which I guess is not the case looking at this code).

I guess the use of $request_uri in the first and last code snippets above relate to different scenarios. If $request_uri contained an absolute URL (like the last snippet suggests) then both $request_uri_fp and $request_uri_lc in the first code snippet would be empty strings.

How do you get from strpos (a number) to false (a toggle)?


Isn't PHP's loose typing great!

strpos() returns (bool)false when $findme is not found at all in the search string (to differentiate the scenario when $findme is found at the very start of the string and returns 0 - which evaluates to false when compared loosely)
9:48 pm on May 12, 2019 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 15, 2004
posts: 85
votes: 0


Thanks, yes, why didn't $pos error come up before ? The line were it is giving an error is because it hasn't been evaluated (oops). So, as the last poster stated, more than likely a php error level changing.
12:44 am on May 13, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15650
votes: 800


Isn't PHP's loose typing great!
Yes, hours after posting I remembered that FALSE translates numerically as 0 ... except when it translates as -1. Or possibly you need it to translate as -1 because 0 might mean a legitimately non-false value (such as the first character in a string, which is by no means the same thing as the character not occurring at all).
7:05 am on May 13, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Nov 13, 2016
posts:792
votes: 165


This is the purpose of the triple equal operator === to test if a variable is both of a given type, and a given value. (or not equal !==)