Problem when No Check-Boxes Selected

I have an Inbox that has a check-box next to each Message.

The User can check any combination of Messages, and then choose from the following items in a Select List and click “Go”…

  • Mark as Read
  • Mark as Unread
  • Mark as Flagged
  • Mark as Not Flagged
  • Delete

My current problem occurs when no check-boxes are selected and I choose “Mark as Read” and “Go”.

I get this error…


Array ( [pmAction] => Mark as Read [cmdGo] => Go ) 1
( ! ) Notice: Undefined variable: msgArray in /Users/user1/Documents/DEV/++htdocs/06_Debbie/account/inbox.php on line 68
Call Stack
#	Time	Memory	Function	Location
1	0.0009	100316	{main}( )	../inbox.php:0

( ! ) Warning: Invalid argument supplied for foreach() in /Users/user1/Documents/DEV/++htdocs/06_Debbie/account/inbox.php on line 68
Call Stack
#	Time	Memory	Function	Location
1	0.0009	100316	{main}( )	../inbox.php:0

Here is a snippet of my PHP… (Lines 47-77)


	// *************************************************************
	// HANDLE FORM.								 *
	// *************************************************************
	if ($_SERVER['REQUEST_METHOD']=='POST'){
		// Form was Submitted (Post).

		// Initialize Errors Array.
//		$errors = array();

		echo print_r($_POST);

//exit();
		// ************************
		// Check Message Action.	*
		// ************************
		if ($_POST['pmAction']=="Mark as Read"){

			// ************************
			// Mark Message as Read.	*
			// ************************
			
			foreach($msgArray as $msgID => $msgValue){
//				echo "<p>\\$msg[$msgID] = $msgValue</p>";

				// Build query.
				$q1 = "UPDATE pm_recipient
								SET read_on=NOW(),
										updated_on=NOW()
								WHERE member_id_to=?
								AND message_id=?
								LIMIT 1";

And this is a snippet of my dynamically created Form…


	<?php
		// ************************
		// Create 'Inbox' Output.	*
		// ************************

		// Display message.
		if (!$messagesFound){
			echo "<p>There are no messages in your Inbox.</p>";
		}

		// Loop through Messages.
		while (mysqli_stmt_fetch($stmt6)){

			echo "<tr" . (is_null($readOn) ? " class='pmRead'" : "") . ">
					<td class='colSelect'>
						<input id='" . $pmID . "' name=msg[" . $pmID . "] type='checkbox' value='TRUE' />
					</td>
					<td class='colFlag'>"
						. (($flag==TRUE) ? '<img src="/images/Flag_Red_20x22.png" width="15" alt="" />' : '&#149;') .
					"</td>
					<td>$fromUsername</td>
					<td><a class='msgLink' href='/account/view_pm.php?msg=" . $pmID . "'>$subject</a></td>
					<td>$sentOn</td>
				</tr>";
		}
	?>

How can I fix this so if the User forgets to check at least one message my code doesn’t blow up?! :-/

Thanks,

Debbie

I think all you have to do to get the error messages to stop showing up is wrap your foreach loop in a quick check:


if (!empty($msgArray)) {
    // Only loop when at least one message was checked.
    foreach ($msgArray as $msgID => $msgValue) {
        // ...
    }
}

There’s absolutely a more elegant way to do it, but that’s the basic idea: Check to see if there even are any messages that were checked.

How is the $msgArray variable created? Can you show some of that code as well?

aufshebung,

Thanks for the reply! (You’ll have to excuse me… I got to bed at 4:00am this morning, and my brain won’t start functioning properly until about 10:00pm tonight?!) :lol:

Even though it is lunch time, after coding straight for like 18 hours yesterday, my brain is fried!!!

Didn’t I answer that in my OP?

Debbie

Nope. There is no line in the OP which reads $msgArray = …

As StarLion has said, it looks like you need to define msgArray like so:


$msgArray = isset($_POST['msg']) && is_array($_POST['msg'])?$_POST['msg']:array();

That should probably be injected here:


...

if ($_POST['pmAction']=="Mark as Read"){

     $msgArray = isset($_POST['msg']) && is_array($_POST['msg'])?$_POST['msg']:array();

     ...


By the way, not sure if this was intentional or not, but the member_id comparison is the only thing preventing people from marking others' messages as read. Maybe that isn't so important here, but in another context it could potentially be a huge security hole. If that was the reason you added it, though, then kudos. Just thought I would mention that.


                $q1 = "UPDATE pm_recipient
                                SET read_on=NOW(),
                                        updated_on=NOW()
                                WHERE member_id_to=?
                                AND message_id=?
                                LIMIT 1";
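
Added example (not part of any post in this thread): one way to combine the two points above, treating a missing or malformed msg[] field as "nothing selected" and taking the member ID for the WHERE clause from the session only. The names $dbc, $_SESSION['memberID'], selectedMessageIds() and markMessagesRead() are assumptions, not names from the original code.

```php
<?php
// Added example, not from the thread. Assumed names: $dbc (mysqli link),
// $_SESSION['memberID'] (logged-in member ID); both functions are hypothetical.

// Reduce the posted msg[] checkboxes to positive integer message IDs.
// Returns [] when nothing was ticked or the field is not an array.
function selectedMessageIds(array $post): array
{
    if (!isset($post['msg']) || !is_array($post['msg'])) {
        return [];
    }
    $ids = [];
    foreach (array_keys($post['msg']) as $key) {
        // Keys come from the client; accept only plain positive integers.
        $id = filter_var($key, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    return $ids;
}

// Mark messages as read for one recipient. The member ID must come from the
// session, never from the request, so a message ID belonging to someone else
// matches no row. Returns the number of rows actually updated.
function markMessagesRead(mysqli $dbc, int $sessionMemberId, array $ids): int
{
    $sql = "UPDATE pm_recipient
            SET read_on=NOW(), updated_on=NOW()
            WHERE member_id_to=? AND message_id=?
            LIMIT 1";
    $stmt = mysqli_prepare($dbc, $sql);
    $updated = 0;
    foreach ($ids as $id) {
        mysqli_stmt_bind_param($stmt, 'ii', $sessionMemberId, $id);
        mysqli_stmt_execute($stmt);
        $updated += max(0, mysqli_stmt_affected_rows($stmt));
    }
    mysqli_stmt_close($stmt);
    return $updated;
}

// Usage inside the POST handler:
// $ids = selectedMessageIds($_POST);
// if ($ids === []) { /* ask the user to select at least one message */ }
// else { markMessagesRead($dbc, (int) $_SESSION['memberID'], $ids); }
```

A returned count lower than count($ids) can mean some submitted IDs did not belong to the logged-in member, which is worth logging.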

Oddz,

Sorry for the late reply.

If you remember, could you please help me understand where you think I have a security hole?!

My Private Message system is done, and I believe is working great, but maybe you disagree.

I can tell you that in order to take any actions, you need the right “Member ID” and “Message ID” combination, and since the first is always checked against the User’s $_SESSION, I believe I am good.

I take security very seriously, so I welcome any ways to improve my code.

Thanks,

Debbie