Since you’ve only provided 46 lines of code it will be difficult to be precise, but I would suggest that you look at line 222 of list.php.
What I expect that you’ll find is that something like your line 2 above ($url = $_POST["route"]) will be referring to a value that is missing. Basically, if $_POST["route"] is not set, then you will get that error. You should really change that line to put in a default action when it’s not sent. For example:
On a related note, you really didn’t ought to allow data to be passed via $_POST and then inject it straight into a MySQL query. It allows what is called an “SQL Injection Attack”. It’s much better to do something like this:
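    // Map the posted key to a hard-coded URL; the posted value never reaches the SQL.
    switch (@$_POST["route"]) {   // @ suppresses the notice when "route" is not set
        case 'route1':
            $url = 'this/url';
            break;
        case 'route2':
            $url = 'that/url';
            break;
        case 'route3':
            $url = 'this/other/url';
            break;
        default:
            // Anything missing or unrecognised falls back to the default URL.
            $url = 'index/url';
    }
    $SQL = "select * from notes where route='$url'";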
What we’re doing differently here is hard coding the URLs in. No matter what you post in “route” you can never interfere with the SQL that you generate. You know for sure that one of three options will be selected because the correct information has been provided, or else the default value will be selected. There is no way to attack this. Also note that I changed $_POST["route"] by adding an @ at the front. That will suppress the error you get when $_POST['route'] isn’t already set, so this will still work.
In any case the OP needs to migrate away from the mysql_* extension as it’s deprecated as of the current version of PHP; they should now be using either the mysqli_* extension or PDO, either of which enables the use of prepared statements.
BTW, the original MySQL library is deprecated as of PHP 5.5, not 5.4. Although I do agree that we should be moving on to MySQLi or PDO by now, and that not properly escaping/preparing statements is bad, the rush to switch from the original MySQL functions isn’t quite as urgent
Personally I would discourage suppressing like that because I feel that with notices enabled that you are encouraged to a) code better and b) if you do need to suppress individually with @$var then at least you are aware and it’s all deliberate. Doesn’t take away from the fact that you CAN do it, I just don’t recommend it. Feels… lazy
Agreed - it is a lazy solution, but usable for non-critical stuff.
I’ve seen these notices being returned for such things as not enclosing an array index in single quotes, e.g. array[index] instead of array['index']. I think the quotes are mandatory as of PHP 5.4.
Yeah, I used to make that mistake occasionally with arrays many years back when I first had to work on a site where warnings were shown. Soon got out of that habit and I think I’m a better developer for it
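An added example, not code from any post in this thread: the hard-coded route lookup from the switch answer combined with the PDO prepared statement suggested in the replies, using ?? rather than @ to handle a missing key. It assumes PHP 7+ with the pdo_sqlite driver; the function names, the in-memory database and its rows are constructed for illustration, while the notes table and route column follow the query in the thread.

```php
<?php
// Added example: allow-list lookup plus a PDO prepared statement.
// resolveRoute() and fetchNotes() are hypothetical helper names.

const ROUTES = [
    'route1' => 'this/url',
    'route2' => 'that/url',
    'route3' => 'this/other/url',
];
const DEFAULT_URL = 'index/url';

// Map the posted key to a hard-coded URL; anything else gets the default.
function resolveRoute(array $post): string
{
    $key = $post['route'] ?? null;   // no notice when the key is missing, no @ needed
    if (!is_string($key) || !array_key_exists($key, ROUTES)) {
        return DEFAULT_URL;          // also covers route[]=... arriving as an array
    }
    return ROUTES[$key];
}

// Bind the value as a parameter so it is never parsed as SQL.
function fetchNotes(PDO $pdo, string $url): array
{
    $stmt = $pdo->prepare('SELECT * FROM notes WHERE route = :route');
    $stmt->execute([':route' => $url]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, route TEXT, body TEXT)');
$pdo->exec("INSERT INTO notes (route, body) VALUES ('this/url', 'first'), ('index/url', 'home')");

// Constructed inputs: valid key, missing key, quote-laden string, array value.
$samples = [
    ['route' => 'route1'],
    [],
    ['route' => "x' OR '1'='1"],
    ['route' => ['route1']],
];
foreach ($samples as $post) {
    $url = resolveRoute($post);
    printf("%-28s -> %-10s %d row(s)\n", json_encode($post), $url, count(fetchNotes($pdo, $url)));
}
```

The allow-list alone already keeps posted data out of the query; binding the parameter as well means the query stays safe if the lookup is later replaced by a value that does come from the request.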