
Undefined index and Strict Standards: Non-static method


#1
Padawan


Quote

The original poster is no longer with CodeCall. If you have any question regarding this posting, please start a new thread in the appropriate section of the forum (and reference this thread).

Thank you.


I'm coding the Simple Gallery tutorial posted here. Since the original poster is gone, I have some questions, hope you guys can help me out.

In these lines here, I'm getting an Undefined index notice.

$act = addslashes(htmlentities(htmlspecialchars($_REQUEST['act'])));
$view = addslashes(htmlentities(htmlspecialchars($_REQUEST['view'])));
$do = addslashes(htmlentities(htmlspecialchars($_REQUEST['do'])));
$pic = addslashes(htmlentities(htmlspecialchars($_REQUEST['viewpic'])));

It seems there's a problem accessing the strings or something, but I'm having trouble fixing it.

Also, Strict Standards: Non-static method album::list_albums() should not be called statically here:

	album::list_albums();

Thank you very much in advance.

#2
Vaielab

You need to validate if the variable exists

if (isset($_REQUEST['act'])) {
    $act = addslashes(htmlentities(htmlspecialchars($_REQUEST['act'])));
} else {
    $act = 'A default value';
}

And you need to do this for each variable

For the non-static method, in the index.php file
Change this line
function list_albums(){ 
To
public static function list_albums(){ 


#3
Padawan

Thank you, Vaielab! I fixed the problem with the method, it's fine now.

But I'm still having trouble with the validation. Do I validate them right before they're declared? And another thing, what should be set as a "default value" in this case?

Thank you again, I appreciate it.

#4
Vaielab

The problem is that you try to access a variable that (sometimes) doesn't exist.
$_REQUEST['act'] only exists if you pass the variable "act" in the post or get.
So each time you want to access this variable, you need to test if it exists before, so you won't get an error.
And if the variable doesn't exist, you need to put a default value... the default value depends on what you'd like to show when the user didn't send the data...

#5
Padawan

Thank you, Vaielab.

Just another thing. I have them declared here,
$act = addslashes(htmlentities(htmlspecialchars($_REQUEST['act'])));
$view = addslashes(htmlentities(htmlspecialchars($_REQUEST['view'])));
$do = addslashes(htmlentities(htmlspecialchars($_REQUEST['do'])));
$pic = addslashes(htmlentities(htmlspecialchars($_REQUEST['viewpic'])));

But where does the validation happen? In the code above? I need to add the validation there, like this?

if (isset($_REQUEST['act'])) {
    $act = addslashes(htmlentities(htmlspecialchars($_REQUEST['act'])));
} else {
    echo "Error";
}

if (isset($_REQUEST['do'])) {
    $do = addslashes(htmlentities(htmlspecialchars($_REQUEST['do'])));
} else {
    echo "Error";
}

....




#6
Vaielab


// Declare the variables first so they always exist
$act = null;
$view = null;
$do = null;
$pic = null;

if (isset($_REQUEST['act'])) {
    $act = addslashes(htmlentities(htmlspecialchars($_REQUEST['act'])));
} else {
    echo "Error";
}

if (isset($_REQUEST['do'])) {
    $do = addslashes(htmlentities(htmlspecialchars($_REQUEST['do'])));
} else {
    echo "Error";
}

....


Something like this. Because if you declare them like you do, you still try to access a variable that doesn't exist, and you will get an error

#7
Padawan

Thanks.

I did something like you posted, but when I run the code, it echoes the "Error" (four times), then it shows another Undefined index in the following lines:

if ($act != "" && $act == "new") {
	if ($do != "" && $do == "create") {
		album::create_new_album();
	}
	else {
		album::create_new_album_form();
	}
}
elseif ($act != "" && $act == "upload") {
	if ($do != "" && $do == "add") {
		album::upload_image();
	}
	else {
		album::upload_image_form();
	}
}
elseif ($act != "" && $act == "view") {
	$id = addslashes(htmlentities(htmlspecialchars($_REQUEST['id'])));

	if ($id != "" && is_numeric($id)) {
		album::view_album();
	}
	else {
		break;
	}
}

I really have no idea what is wrong here, is it something with the actual HTML form, I don't know. I just followed this thread here, posted on CodeCall some time ago. If that tutorial is actually wrong itself, I'm definitely on a wrong path with PHP. :confused:

Sorry for bothering with the same stuff again, but I'm really hitting a dead-end here.

Thank you.

#8
SoN9ne

This will help you get rid of your undefined index errors.

$act = isset($_REQUEST['act']) ? addslashes(htmlentities($_REQUEST['act'])) : NULL;
$view = isset($_REQUEST['view']) ? addslashes(htmlentities($_REQUEST['view'])) : NULL;
$do = isset($_REQUEST['do']) ? addslashes(htmlentities($_REQUEST['do'])) : NULL;
$pic = isset($_REQUEST['viewpic']) ? addslashes(htmlentities($_REQUEST['viewpic'])) : NULL;

Then you can do sanity checks for null values.

Personally, I would create a custom filter function and just call that so you have a single method to update that can handle all sanitation. See my post here for an example: http://forum.codecal...html#post317841

On a side note: You seem to be doing pointless double sanitization...

Use htmlentities or htmlspecialchars... not both.

htmlentities() is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.
"Life would be so much easier if we only had the source code."

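An added example, not part of the thread or the tutorial: one way to write the single filter function suggested in post #8, reading each parameter once with an allowlist for act/do and a digits-only check for id. The helper names request_choice and request_id are hypothetical, and HTML encoding is left to output time rather than applied on input.

```php
<?php
// Added example: hypothetical helpers, not code from the tutorial or the thread.

/** Return a request parameter only if it is present, a string, and on the allowlist. */
function request_choice(array $request, string $key, array $allowed, ?string $default = null): ?string
{
    $value = $request[$key] ?? null;          // no "Undefined index" notice when absent
    if (!is_string($value)) {
        return $default;                      // missing, or an array such as ?act[]=x
    }
    return in_array($value, $allowed, true) ? $value : $default;
}

/** Return a positive integer id, or null if the parameter is missing or malformed. */
function request_id(array $request, string $key): ?int
{
    $value = $request[$key] ?? null;
    if (!is_string($value) || !ctype_digit($value) || strlen($value) > 9) {
        return null;                          // rejects "", "-1", "1e3", "12abc", huge values
    }
    $id = (int) $value;
    return $id > 0 ? $id : null;
}

// Constructed sample input standing in for $_REQUEST.
$request = ['act' => 'view', 'id' => '12', 'do' => ['x']];

$act = request_choice($request, 'act', ['new', 'upload', 'view']);
$do  = request_choice($request, 'do', ['create', 'add']);
$id  = request_id($request, 'id');

// Dispatch on validated values only; anything unexpected falls through to the default.
if ($act === 'view' && $id !== null) {
    echo "view album $id\n";
} elseif ($act === 'new') {
    echo $do === 'create' ? "create album\n" : "show create form\n";
} elseif ($act === 'upload') {
    echo $do === 'add' ? "store upload\n" : "show upload form\n";
} else {
    echo "list albums\n";
}
```
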
#9
Padawan

Thank you, SoN9ne! It works now! I have some other trouble with the functionality but I think I can fix it. :) If not, I'm gonna post it in this thread so we padawans can learn something. :)


EDIT: About the sanitization, I'm gonna work something out, thanks for pointing that out. :) I'm still learning that concept and don't know how to use it properly.

Again, thank you.

EDIT 2:

I have another bug in the process of creating a new album:

Quote

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in (the bold line below in the code)

Here's the code:

// Create a new album
	public static function create_new_album(){

		// Albums new name
		$album_name = addslashes(htmlentities(htmlspecialchars($_REQUEST ['album_name'])));

		// If there's nothing entered, display an error
		if ($album_name == "")
		{
			die ("Please enter your album's name!");
		}

		$sql = "SELECT * FROM albums WHERE name ' ".mysql_real_escape_string ($album_name). "'";
		$query = mysql_query ($sql);

		// Check if there any albums named like this
		[B]if (mysql_num_rows($query)>0) [/B]
		{
			die ("This name is already in use! Please choose another name.");
		}
		else {
			// if the name is not in use, insert into db
			$sql = "INSERT INTO albums (name) VALUES ('".$album_name."')";
			$query = mysql_query($sql);

			if (!$query) {
				die ("Cannot create a new album");
			}
			else {
				$sql= "SELECT * FROM albums WHERE name=' ".mysql_real_escape_string($album_name)."'";
				$query = mysql_query($sql);

				if (!$query) {
					die (mysql_error());
				}
				else {
					$row = mysql_fetch_array($query);
					$album_id = $row ['id'];
					}

			// if album was successfully create, display message
			echo "Album Create! <a href='album_panel.php?act=view&id=".$id."'>View</a>";
			}

album_name is entered via HTML form:

Album name: <input type='text' name='album_name' /><input type='submit' value='Create' />

But, the table in the DB is albums and the name row is name, not album_name. I've tried changing it, supposing that's the problem, but still doesn't work.

Thanks.

Edited by Padawan, 12 December 2011 - 09:30 AM.


#10
Alexander

The name=".." element is useful for accessing $_POST[name] and nothing further. Your immediate issue is with the query:
$sql = "SELECT * FROM albums WHERE name ' ".mysql_real_escape_string ($album_name). "'";

name should equal something to be useful, "name = '...'"

The query returns false, and so it complains about trying to read a "FALSE" boolean rather than a MySQL resource had the query been a success.

Code said:

$album_name = addslashes(htmlentities(htmlspecialchars($_REQUEST ['album_name'])));


This adds slashes, causing double slashing when mysql_real_escape_string is applied. It also escapes entities twice. <b> will become &lt;b&gt; will become &amp;lt;b&amp;gt; or something similar. As mentioned, only htmlspecialchars() may be the most simple option as it prevents the characters that modify the browser's behaviour and nothing more.

mysql_real_escape_string was intended to fix a few bugs with addslashes for entering items into the database.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
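
An added example, not part of the thread: the duplicate-name check and insert from create_new_album() rewritten with PDO prepared statements, with the name stored raw and encoded once on output. It swaps the mysql_* calls for PDO and uses an in-memory SQLite table as a stand-in for the poster's MySQL albums table; create_album is a hypothetical name.

```php
<?php
// Added example: PDO with in-memory SQLite stands in for the thread's MySQL
// "albums" table; create_album() is a hypothetical name.

function create_album(PDO $db, string $name): int
{
    $name = trim($name);
    if ($name === '') {
        throw new InvalidArgumentException("Please enter your album's name!");
    }
    // Placeholders keep the raw name out of the SQL text, so no addslashes()
    // or escaping call is needed and nothing gets escaped twice.
    $check = $db->prepare('SELECT COUNT(*) FROM albums WHERE name = ?');
    $check->execute([$name]);
    if ((int) $check->fetchColumn() > 0) {
        throw new RuntimeException('This name is already in use!');
    }
    $insert = $db->prepare('INSERT INTO albums (name) VALUES (?)');
    $insert->execute([$name]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
// A malformed query now throws instead of returning false to the next call.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, name TEXT UNIQUE)');

$raw = "Tom's <b>holiday</b>";             // constructed sample input
$id  = create_album($db, $raw);

// The stored value is the raw text; encode once, at output time.
$get = $db->prepare('SELECT name FROM albums WHERE id = ?');
$get->execute([$id]);
$safe = htmlspecialchars($get->fetchColumn(), ENT_QUOTES, 'UTF-8');
echo "Album created: <a href='album_panel.php?act=view&amp;id=$id'>$safe</a>\n";

// Encoding twice, as the original input line did, changes what the browser displays.
echo htmlspecialchars(htmlentities('<b>')), "\n";

try {
    create_album($db, $raw);                // same name again
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```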



