undefined index error while trying to get value returned from the link?

Question

I know its a duplicate one but i'm getting this error while trying to fetch data passed from a link..I dont know how to resolve it.

here is my code:

add_package.php

 echo "<td><a href='delete.php?name3=" .  $row['package_type']."&id3=".$row['p_id']."'>Delete</a></td>";
 echo "<td><a href='edit_package.php?name3=" . $row['package_type']."&id3=".$row['p_id']."'>Update</a></td>";

here the delete link works perfectly but when i click update it takes to the edit_package page where i'm getting an undefined error..

code for edit_package.php:

<?php
 include('db.php');
 $id4 = $_GET['id3'];//update the page
 $name4 = $_GET['name3'];//helps to update the package 
 echo $id4;
 echo $name4;//getting values here correctly..
 if(isset($_POST['submit']) )
 {
   $package=$_POST['package'];
    if (ctype_alnum($package) && !empty($id4) && !empty($name4))
    {     
     $sql13="select package_type,id from tbl_package where package_type='".$package."'";
    $retvali=mysql_query($sql13,$conn);
    $num_rows1 = mysql_num_rows($retvali);
    if ($num_rows1 == 0 || $num_rows1=="")
    {   
      $sql = "Update tbl_package set package_type='".$package."' where package_type='".$name4."' and p_id='".$id4."'";
      $retval = mysql_query( $sql, $conn );
      ?><script>alert("Updated Successsfully");window.location ='http://localhost/demo/add_package.php';
      </script><?php
    }
    else
    {
      ?><script>alert("Already Exists");window.location ='http://localhost/demo/add_package.php';
      </script><?php
    }
}
  else
  {
  ?><script>alert("enter only letters and numbers")</script><?php
  }
 }
?>

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">

<form id="form-validation" action="edit_package.php" method="post" class="form-horizontal" enctype="multipart/form-data" novalidate="novalidate">
<div class="col-md-6">
<div class="block" style="height:500px;">
<div class="block-title">
<h2><strong>State the Package For Tour</strong></h2>
</div>
<fieldset>
  <div class="form-group">
   <label class="col-md-4 control-label" for="val_username">Update Package <span class="text-danger">*</span></label>
  <div class="col-md-6">
  <div class="input-group">
  <input type="text" id="package" name="package" class="form-control" required >
  <span class="input-group-addon"><i class="fa fa-user"></i></span>
  </div>
 </div>
</div>

 <div class="form-group form-actions">
  <div class="col-md-8 col-md-offset-4">
   <input type="submit" class="btn btn-info btn-primary " value="Update" name="submit">
  </div>
 </div>
 </fieldset>
</form>

When i press update button i'm getting an undefined error i dont know why?..Thanks in advance I'm attaching an image to it..

Answer 1

Try to change the <form>'s action URL to include your GET varaibles:

<form id="form-validation" action="edit_package.php?id3=<?php echo $_GET['id3']; ?>&name3=<?php echo $_GET['name3']; ?>" method="post" class="form-horizontal" enctype="multipart/form-data" novalidate="novalidate">

PLEASE NOTE: This is extremely unsafe! You need to sanitize ALL user input before using it. My example above, dis-regards security, and simply is to demonstrate my point. GET and POST data, are user variables. A malicious user could put bad code in the URL (ie ?name3=<badcode>) and it would be printed on the page, well in the source code, which they could easily pop out of. Also, in SQL queries, you need to escape the data or use prepared statements.

You should not be using mysql functions, switch to MySQLi or PDO. MySQL has been killed for a while now..

These are just asking for you to get hacked:

$sql13="select package_type,id from tbl_package where package_type='".$package."'";

and..

$sql = "Update tbl_package set package_type='".$package."' where package_type='".$name4."' and p_id='".$id4."'";

You are vulnerable to SQL injections, would could easily allow a malicious attacker to add/edit/view/delete data in your database.

The problem is, you have $package (which is raw data from POST) and $id4 and $name4 (which is raw data from GET) in your SQL query.

You would use mysql_real_escape_string() on them, but you should be using mysqli or PDO anyways...

Example:

$name4 = mysql_real_escape_string($_GET['name3']);

It's confusing, I don't know what the GET variable is called name3 but you assign it the variable $name4.. Whoever (even you) comes along later on will be lost in your code.

Updated:

Try this code. I swapped your GET for POST in your php code, and passed the GET variables from your URL as hidden fields in your form.

<?php
include('db.php');

if(isset($_POST['submit']) )
{
    $package = mysql_real_escape_string($_POST['package']);
    $id4 = mysql_real_escape_string($_POST['id3']);         // why is variable named id4 but its id3??
    $name4 = mysql_real_escape_string($_POST['name3']);     // why is variable $name4 but its name3??

    if (ctype_alnum($package) && !empty($id4) && !empty($name4))
    {     
        $sql13 = "SELECT package_type,id FROM tbl_package WHERE package_type='$package' LIMIT 1";
        $retvali = mysql_query($sql13, $conn);
        $num_rows1 = mysql_num_rows($retvali);

        if ($num_rows1 == 0 || $num_rows1=="")
        {   
            $sql = "Update tbl_package set package_type='$package' WHERE package_type = '$name4' AND p_id='$id4'";
            $retval = mysql_query( $sql, $conn );

            echo '<script>alert("Updated Successsfully");window.location = "http://localhost/demo/add_package.php";</script>';

        } else {

            echo '<script>alert("Already Exists"); window.location = "http://localhost/demo/add_package.php";</script>';
        }
    } else {
        echo '<script>alert("enter only letters and numbers");</script>';
    }
 }
?>


<form action="edit_package.php" method="post" enctype="multipart/form-data" novalidate="novalidate">

    <input type="hidden" name="id3" value="<?php echo htmlspecialchars($_GET['id3'], ENT_QUOTES | ENT_HTML5); ?>" />
    <input type="hidden" name="name3" value="<?php echo htmlspecialchars($_GET['name3'], ENT_QUOTES | ENT_HTML5); ?>" />

    Update Package: <input type="text" id="package" name="package" class="form-control" required >

    <input type="submit" class="btn btn-info btn-primary " value="Update" name="submit">

</form>

I removed your HTML formatting from the form. You had div tags that didn't match up.. I can't see your whole code, but it looks like you have a bunch of div's that are messed up (ie: not closed where they should be). I also added mysql_real_escape_string() to the passed variables, and htmlspecialchars() to the GET variables echo'd in the hidden fields of your form. It's a start.

You might be able to make better sense of your code and troubleshoot errors, if you wrote your code a bit cleaner. Not trying to bash you :) Proper indentation, spacing, and formatting go a long way. It makes it easier on your eyes, and on yourself, in times like these..

I left your <script> tags because I assumed there was a reason your wanted to popup a message box.. I would just use header('Location: /path/to/where.php'); and pass your error message through a session variable or something, like an array of errors, which you get, clear, and show on the page the errors.