0

When I run this code:

<?php
if (preg_match('/^[a-z0-9]+$/', $_GET['p'])) {
  $page = realpath("includes/$_GET[p].php");
  if ($page) {
    include $page;
  }
}
?>

I get this error:

Notice: Undefined index: p in index.php on line 3

hakre
  • possible duplicate of [PHP: "Notice: Undefined variable" and "Notice: Undefined index"](http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index) – Jocelyn May 12 '13 at 01:01

6 Answers

12

The error message says that there is no array item with the key p. If you cannot guarantee that a variable (or array item) does exist, you should first check it with the isset function:

if (isset($_GET['p']) && preg_match('/^[a-z0-9]+$/', $_GET['p'])) {
    $page = realpath("includes/$_GET[p].php");
    if ($page) {
        include $page;
    }
}
Gumbo
  • in my opinion this is not a solution for the problem... – TheHippo Apr 12 '09 at 17:20
  • 1
    It's just wrong code because "$_GET[p]" means you access the constant "p". It works nevertheless because PHP guesses you meant the string 'p'. – ericteubert Apr 12 '09 at 18:35
  • @Dazmorgan: That’s not true. `$a=array('foo'=>'foo','bar'=>'bar'); define('foo', 'bar'); echo "$a[foo]"` is echoing “foo” and not “bar”. Thus it’s interpreted as `$a['foo']`. – Gumbo Apr 12 '09 at 19:14
  • define('p', 'bar'); outside a string in double quotes the constant will return the string bar, which will look up the index bar in the array. It's a bad habit to get into imo, but it works, for now. – OIS Apr 12 '09 at 23:19
5

What Gumbo said for checking if the index is set in the array.

Also for parsing an array index in a string you should use brackets around the array, and you should escape the index with single quotes if it is a string.

$page = realpath("includes/{$_GET['p']}.php");

But for including files suggested by the user, the safest way is to look up the files in an array, and only include them if they exist there.

OIS
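
The array lookup suggested in the answer above, as an added example that is not part of the original thread. The page keys, file paths and the resolve_page() helper are assumptions made for illustration; user input is used only as an array key and never becomes part of a path.

```php
<?php
// Allowlist of page keys to files. Keys and paths are assumptions
// made for this example.
const PAGES = [
    'home'    => 'includes/home.php',
    'about'   => 'includes/about.php',
    'contact' => 'includes/contact.php',
];

/**
 * Return the file to include for a request, or null if the request names
 * no allowed page. resolve_page() is a hypothetical helper.
 */
function resolve_page(array $query, array $pages, string $default = 'home'): ?string
{
    // Missing parameter: fall back to the default page instead of reading
    // an undefined index (the notice from the question).
    $key = $query['p'] ?? $default;

    // ?p[]=x makes $_GET['p'] an array; accept strings only.
    if (!is_string($key)) {
        return null;
    }

    // Only keys present in the allowlist map to a file.
    return $pages[$key] ?? null;
}

// Constructed sample requests standing in for $_GET.
$samples = [
    [],                      // no p parameter
    ['p' => 'about'],        // allowed page
    ['p' => '../config'],    // not an allowlist key
    ['p' => ['about']],      // array-valued parameter
];

foreach ($samples as $query) {
    $file = resolve_page($query, PAGES);
    echo json_encode($query), ' => ', $file ?? '(rejected)', PHP_EOL;
    // In the real script: include $file when it is not null,
    // otherwise send a 404 response.
}
```
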
4
$page = realpath("includes/" . $_GET['p'] . ".php");
ericteubert
2

There is no real problem. PHP yields a Notice not a Warning or Error. Basically, your script is not receiving the p URL parameter. So it uses '' and gives a notice in the log. If you see this message on your rendered page, adjust php error reporting to something like E_ERROR | E_WARNING in PHP.ini

Peter Perháč
0

There is no 'p' parameter to the page, maybe? Did you mean $_REQUEST instead?
Also, is it not `"${_GET['p']}"` when you are accessing an array?

Lucas Jones
0

Look into array_key_exists() for checking whether an array key... exists. But in your case I suggest you pick up the filter class of functions which specialize in working with user input.

moo
  • $_GET and $_POST set by the web server will only have string or array values. array_key_exists is only needed if null is a valid value. – OIS Apr 12 '09 at 23:21