PHP Notice: Undefined index: & PHP Notice: Undefined variable:

[C.Birch]

My server as just been updated and now I'm getting the following errors on my rating script.

[Thu Sep 27 12:28:48 2012] [error] [client ***.***.**.***] PHP Notice: Undefined index: rating in /var/www/vhosts/****/public_html/rateanything.php on line 7

[Thu Sep 27 12:28:48 2012] [error] [client ***.***.**.***] PHP Notice: Undefined variable: stars in /var/www/vhosts/****/public_html/rateanything.php on line 27

[Thu Sep 27 12:28:48 2012] [error] [client ***.***.**.***] PHP Notice: Undefined variable: report in /var/www/vhosts/****/public_html/rateanything.php on line 36


The file coding is as follows, bold text being the lines:

PHP Code:

<?php
require_once('config2.php');
mysql_connect($db_server, $db_username, $db_password) or die(mysql_error());
mysql_select_db($db_database) or die(mysql_error());

$div_id = $_GET['id'];
[B]$rating = $_GET['rating'];[/B]

if($rating){
//Check that this person hasn't already left a rating
$result = mysql_query("SELECT id FROM ratings WHERE div_id = '" . $div_id . "' AND ip = '" . $_SERVER['REMOTE_ADDR'] . "'") or die(mysql_error());  
$row = mysql_fetch_array( $result );
if(!$row['id']){
    $result = mysql_query("INSERT INTO ratings (rating,div_id,ip) VALUES('" . $rating . "','" . $div_id . "','" . $_SERVER['REMOTE_ADDR'] . "')") or die(mysql_error());      if($result){ $report = "<span style=\"color: green;\"> You rated this: $rating</span>"; }
} else {
 $report = "<span style=\"color: red;\"> You have already rated this.</span>";
}
}
?>

<?php
$result = mysql_query("SELECT avg(rating), COUNT(*) FROM ratings WHERE div_id = '" . $div_id . "'") or die(mysql_error());  
$row = mysql_fetch_array( $result );

$x=1;
while($x<=5){
[B]    $stars .= "<li><a onClick=\"javascript:addRating('$div_id','$x');\" class=\"star$x\">$x</a></li>";[/B]
    $x++;
}
?>

<ul class='star-rating'>
<li class="current-rating" id="current-rating" style="width: <?php echo round($row[0],1) * 20; ?>%;"></li>
<? echo $stars; ?>
</ul>
[B]<div><small><?php echo "<span style=\"color: grey;\">Rating: " . round($row[0],1) . "/5 (" . $row[1] . " Ratings)</span> " . $report; ?></small></div>[/B]

[traq]

(FYI: bbcode tags don't work inside the [php] tags. I'm assuming those [B] tags aren't in your actual srcipt )

If your server was "just upgraded" and nothing in the script has changed, it's likely that the only "problem" is that error reporting was turned on.

For example, $rating = $_GET['rating']; will always produce an error when $_GET['rating'] is not set (e.g., if ?rating=whatever is not in the URL). Check before trying to assign the value:

PHP Code:

<?php
$rating = isset( $_GET['rating'] )? $_GET['rating']: false;

[C.Birch]

(FYI: bbcode tags don't work inside the [php] tags. I'm assuming those [B] tags aren't in your actual srcipt )

If your server was "just upgraded" and nothing in the script has changed, it's likely that the only "problem" is that error reporting was turned on.

For example, $rating = $_GET['rating']; will always produce an error when $_GET['rating'] is not set (e.g., if ?rating=whatever is not in the URL). Check before trying to assign the value:

PHP Code:

<?php
$rating = isset( $_GET['rating'] )? $_GET['rating']: false;

Hi what happens is the rating data is being pulled from the database and is being showed right, but after plesk was updated from version 10 to 11, the mouse over on the rating no longer works what means no one is able to rate anything no more, this can see the page this is installed on here: rewards.yourpshome.net

[traq]

Check my response against your script. The three errors you're asking about all have similar causes
(you didn't mention anything about a mouseover problem originally, but it's likely a symptom of the same problem):

PHP Code:

<?php

$rating = $_GET['rating'];
// PHP Notice: Undefined index: rating
// $_GET['rating'] is not defined (e.g., the URL you entered does not have ?rating=something).
// check if the index exists *before* trying to assign it as a value (see my first post).

$stars .= "<li><a onClick=\"javascript:addRating('$div_id','$x');\" class=\"star$x\">$x</a></li>";
// PHP Notice: Undefined variable: stars
// the first time through the loop, $stars is undefined, 
//    so you get an error when you try to append a value to it.
// define the variable *before* the loop (e.g., $stars = ''; )

echo "<span style=\"color: grey;\">Rating: " . round($row[0],1) . "/5 (" . $row[1] . " Ratings)</span> " . $report;
// PHP Notice: Undefined variable: report
// because there is no value assigned to $rating, 
//    the loop where you defined $report is never run,
//    but you're still trying to print it.
// You need to change your logic so you don't try to print $report if it isn't set.

//  This should be a big clue as to what is going wrong with your mouseover, as well.

just to be clear, these lines of code would have *always* produced these errors under the same circumstances. Previously, you may have had your server configured to hide the error messages. This is a good thing for a live website, but when you are developing or debugging code, you need to see all the errors so you can find out what caused them.

[C.Birch]

Hi,

I'm really new to php, so any more help is really welcome, i have edited the script to the below and im no longer getting errors printed on the page (i turned error reporting on) but the mouse over itself will still not work.
here is the new edited code.

PHP Code:

<?php
require_once('config2.php');
mysql_connect($db_server, $db_username, $db_password) or die(mysql_error());
mysql_select_db($db_database) or die(mysql_error());

$div_id = isset( $_GET['id'] )? $_GET['id']: false;
$rating = isset( $_GET['rating'] )? $_GET['rating']: false;
$stars = isset( $_GET['stars'] )? $_GET['stars']: false;
$report = isset( $_GET['report'] )? $_GET['report']: false;



if($rating){
//Check that this person hasn't already left a rating
$result = mysql_query("SELECT id FROM ratings WHERE div_id = '" . $div_id . "' AND ip = '" . $_SERVER['REMOTE_ADDR'] . "'") or die(mysql_error());  
$row = mysql_fetch_array( $result );
if(!$row['id']){
    $result = mysql_query("INSERT INTO ratings (rating,div_id,ip) VALUES('" . $rating . "','" . $div_id . "','" . $_SERVER['REMOTE_ADDR'] . "')") or die(mysql_error());      if($result){ $report = "<span style=\"color: green;\"> You rated this: $rating</span>"; }
} else {
 $report = "<span style=\"color: red;\"> You have already rated this.</span>";
}
}
?>

<?php


$result = mysql_query("SELECT avg(rating), COUNT(*) FROM ratings WHERE div_id = '" . $div_id . "'") or die(mysql_error());  
$row = mysql_fetch_array( $result );

$x=1;
while($x<=5){
    $stars .= "<li><a onClick=\"javascript:addRating('$div_id','$x');\" class=\"star$x\">$x</a></li>";
    $x++;
}
?>

<ul class='star-rating'>
<li class="current-rating" id="current-rating" style="width: <?php echo round($row[0],1) * 20; ?>%;"></li>
<? echo $stars; ?>
</ul>
<div><small><?php echo "<span style=\"color: grey;\">Rating: " . round($row[0],1) . "/5 (" . $row[1] . " Ratings)</span> " . $report; ?></small></div>

[traq]

What does the script output (the relevant part (the anchor with onclick) of the resulting HTML)?

Also,

PHP Code:

$div_id = isset( $_GET['id'] )? $_GET['id']: false;
$rating = isset( $_GET['rating'] )? $_GET['rating']: false;
$stars = isset( $_GET['stars'] )? $_GET['stars']: false;
$report = isset( $_GET['report'] )? $_GET['report']: false; 


are *all* of these variables passed in from the query string? From your original post, it seemed only $rating and $div_id came from the query string. If $stars and $report are not supposed to (and from your code, I doubt that they are), then allowing them to can cause problems later on.*

My recommendation above was to simply set an empty string for $stars, and to change the flow of your script to avoid trying to print $report if you hadn't defined it (possibly by giving it a default value to start with).


*a quick explanation about the possible dangers of what you're doing...
I should have mentioned this in the first place, since your current code is *very* vulnerable to both SQL injection and cross-site scripting (XSS) attacks.

Take a closer look at how you're building your SQL queries:

PHP Code:

"SELECT id FROM ratings WHERE div_id = '" . $div_id . "' AND ..." 


Here, $div_id is simply the value the user sent you in $_GET['id']. You're probably expecting a number, but you don't confirm (validate) that, nor do you escape (sanitize) the data before sending it to your database.

Rule #1 is never trust user input. Sometimes it's malicious. Many, many times, it simply contains mistakes.

What if I visit www.yoursite.com/this_script.php?id=what'sup? your finished query becomes:

Code:

SELECT id FROM ratings WHERE div_id = 'what'sup' AND...

there's an extra single quote in there now, throwing off where your strings start and stop. This will cause an error in your SQL.

Now imagine what would happen if I'd visited www.yoursite.com/this_script.php?id=' OR (DELETE FROM ratings WHERE 1=1)#.

You need to escape strings you send to your database when they might contain dangerous characters.
For ext_mysql, use mysql_real_escape_string( $str ).
However, ext_mysql is outdated and scheduled to be deprecated. As soon as is practical, you should switch to an up-to-date mysql library like mysqli or PDO. Read more about choosing an API for MySQL.

Similar problems exist when you're taking user-supplied input and returning it to the HTML page without validating and sanitizing it, as happens when you print these lines:

Code:

<a onClick=\"javascript:addRating('$div_id','$x');\" class=\"star$x\">$x</a>

what if I visit www.yoursite.com/this_script.php?id=','5'); (function( a,b ){ steal_login_cookies(); })('0 [COLOR="#808080"]?

Always validate that what you get from the user is safe to display.
Make use of functions like strip_tags() and htmlspecialchars() to make sure output does not include markup/script.

The examples I gave above don't exactly work, but that's intentional. YES, it can be done. These very security issues have cost companies millions of dollars.