0

Well, I'm an absolute beginner at PHP/HTML programming and I've been stuck with this problem for days now.

First I created a MySQL table containing the following columns (id, Name, Surname, Telephone_number, Email). Then I successfully created a form for reading the table. Now I want to read, and later edit, a specific row using the following code:

41 <?php
42 $con = mysql_connect("localhost","username","password");
43 mysql_select_db("database", $con);
44 $id=$_GET["id"];
45 $result = mysql_query("SELECT * FROM Table  where id='$id'");
46 $row = mysql_fetch_array($result);
47 ?>

But all I get is the following error: Notice: Undefined index: id in C:\xampp\htdocs\contacts_edit.php on line 44

Any help will be greatly appreciated!

Sirko
user1758545
  • The error says that you must send the id parameter with the GET method from your HTML page – Denis Ermolin Oct 19 '12 at 07:51
  • Have you called your script with something like `?id=123` at the end? – Sirko Oct 19 '12 at 07:51
  • You are using [an obsolete database API](http://stackoverflow.com/q/12859942/19068) and are exposing yourself to [SQL injection attacks](http://bobby-tables.com/) that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Oct 19 '12 at 07:55
  • Have you tried calling your script with a URL like: `http://localhost/yourscript.php?id=';drop%20table%20Table;--1`? – GolezTrol Oct 19 '12 at 07:55

5 Answers

6

You haven't set the GET parameter in your URL. This is the reason why id is not defined in your globals.

To prevent that problem, check the variable first:

$id = isset($_GET['id']) ? (int)$_GET['id']: 0;

Or

if (!isset($_GET['id'])) {
    $_GET['id'] = 0;
}

A short hint for you...

You should really look at SQL injection; you have built a very big security hole.

Don't use $_GET and $_POST directly in your SQL query. You should prefer prepared statements with PDO or MySQLi. If you want to use your solution then cast your id to an integer value like this:

$id = (int)$_GET['id'];

then you have a default value of 0 when it's not set.

René Höhle
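As an added example (not code from the question or from any of the answers), here is the interpolated query from the question placed beside a PDO prepared statement, together with the missing-parameter check the answer above recommends. It runs against an in-memory SQLite database so it can be tried offline without MySQL; the table name contacts, the two sample rows and the payload string are constructed for this example, and the column names follow the question. The payload is a tautology (`' OR '1'='1`) rather than the DROP TABLE URL suggested in the comments, because a SELECT shows the effect of the injection directly in the returned rows.

```php
<?php
// Added example (not from the question or the answers): the question's
// interpolated query next to a PDO prepared statement.
// Assumptions: PDO with the pdo_sqlite driver is available; the table
// "contacts" and the rows inserted below are constructed sample data.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE contacts (
        id INTEGER PRIMARY KEY,
        Name TEXT, Surname TEXT, Telephone_number TEXT, Email TEXT)');
    $ins = $db->prepare('INSERT INTO contacts (Name, Surname, Telephone_number, Email)
                         VALUES (?, ?, ?, ?)');
    $ins->execute(['Ada', 'Lovelace', '555-0100', 'ada@example.com']);
    $ins->execute(['Alan', 'Turing', '555-0101', 'alan@example.com']);
    return $db;
}

// How the question builds its query: $id is dropped straight into the SQL text,
// so the quotes inside the input become part of the statement.
function fetchVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT * FROM contacts WHERE id='$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: check that the parameter exists, validate it as a
// positive integer (id is an integer column), then bind it as a parameter
// so it can never be parsed as SQL.
function fetchSafe(PDO $db, array $get): ?array
{
    // Absent parameter: return "no row" instead of triggering the
    // "Undefined index: id" notice from the question.
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM contacts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();
$payload = "' OR '1'='1";   // constructed tautology payload for the demo

// Vulnerable: the injected condition is always true, so every row is returned.
$leaked = fetchVulnerable($db, $payload);
printf("vulnerable query with payload returned %d row(s)\n", count($leaked));

// Safe: the same payload fails validation and would be bound as data anyway.
var_dump(fetchSafe($db, ['id' => $payload]));
// Safe: a request without ?id= is handled without a notice.
var_dump(fetchSafe($db, []));
// Safe: a genuine id fetches exactly one row.
print_r(fetchSafe($db, ['id' => '2']));
?>
```

Run it with `php example.php`. The vulnerable function hands back both sample rows for the payload because `WHERE id='' OR '1'='1'` is true for every row, while the hardened function returns null for the payload and for a missing parameter, and the single matching row for a valid id. The validation step is not a substitute for the prepared statement: binding is what stops injection, the integer check just rejects junk early and gives the caller a clear "not found" instead of an SQL error.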
2

You have to check first that the id is set.

<?php

$con = mysql_connect("localhost","username","password");
mysql_select_db("database", $con);

if(isset($_GET['id'])) {

   $id=$_GET["id"];
   $result = mysql_query("SELECT * FROM Table  where id='$id'");
   $row=mysql_fetch_array($result);
}
?>

The better approach is to use PDO or MySQLi.

How can I prevent SQL injection in PHP?

Community
fortune
1

I did this and it worked for me:

<?php
$con = mysql_connect("localhost","***","***");
mysql_select_db("***", $con);
if(isset($_GET["id"]) && !empty($_GET["id"])){
    $id = $_GET['id'];
    $result = mysql_query("SELECT * FROM core_usuarios  where id=".$id);
    $row = mysql_fetch_array($result);
    print_r($row);
}
?>

By the way, if you want to connect to a database and you are using "plain PHP", it's better if you use PHP's PDO: http://www.php.net/manual/en/pdo.construct.php

Pedro
-1

You should have something like this

http://site.com/contacts_edit.php?id=1

And in contacts_edit.php then you can use $_GET['id']

Bye

PatomaS
  • Changing the input to the program is not a solution, since the input is under the control of the user. The program needs to be robust enough to handle bad input. – Quentin Oct 19 '12 at 08:00
  • He is not asking for best practices, he is asking about a specific error. Obviously he should protect his application, but we are not answering that here; otherwise you should be writing that same tip on almost every single question here that uses $_POST and $_GET. My answer tells how to use what he has. – PatomaS Oct 19 '12 at 08:05
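As an added example (not code from the answer above or from the question), here is the piece the answer leaves implicit: the listing page has to emit links of the form contacts_edit.php?id=1 so that id actually arrives in $_GET on the edit page. The rows array is constructed sample data standing in for the result of the listing query, and the file name contacts_edit.php is taken from the question.

```php
<?php
// Added example (not from the answer): build the edit links that put
// ?id=... on the URL of contacts_edit.php.
// Assumption: $rows is the result set of the listing page; here it is
// constructed sample data, including a deliberately hostile-looking name.

declare(strict_types=1);

function renderEditLinks(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        // id comes from the integer column, so cast it before it goes into the URL;
        // anything else printed into the page goes through htmlspecialchars so a
        // value containing markup cannot break out of the HTML.
        $id   = (int) $row['id'];
        $name = htmlspecialchars($row['Name'] . ' ' . $row['Surname'], ENT_QUOTES, 'UTF-8');
        $href = htmlspecialchars('contacts_edit.php?id=' . $id, ENT_QUOTES, 'UTF-8');
        $html .= "  <li>$name <a href=\"$href\">edit</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample rows; the second Surname contains markup on purpose.
$rows = [
    ['id' => 1, 'Name' => 'Ada',  'Surname' => 'Lovelace'],
    ['id' => 2, 'Name' => 'Alan', 'Surname' => '<b>Turing</b>'],
];

echo renderEditLinks($rows);
?>
```

Each link then carries the id the edit page reads with $_GET['id']; the cast and the escaping mean that a row's contents can neither change the URL nor inject markup into the list, so the edit page still needs its own validation of the parameter, since a visitor can type any URL they like.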
-1

You should do something like this:

$con = mysql_connect("localhost","username","password");
mysql_select_db("database", $con);
if(isset($_GET['id'])) {
  $id=$_GET["id"];
  $result = mysql_query("SELECT * FROM Table  where id='$id'");
  $row = mysql_fetch_array($result);
}
Greg
  • This is a game of spot-the-difference, it doesn't explain anything, and is (like the code in the original question) vulnerable to SQL injection. – Quentin Oct 19 '12 at 08:01