Fix php 8.1 Undefined array key

Hi All

I have just upgraded to PHP 8.1 and am getting “Undefined array key” errors on code that was working fine.

It is basic $_GET code.

The first 2 issues I have:

$alert = $_GET['alert'];
$alertText = $_GET['alertText'];

I use this for my error alerts.

How do I fix these so that I no longer get an error?

Thanks for any help.

mrmbarnes

You need to find what’s causing a problem in order to be able to fix it. Either the code producing the URLs with those values in them is no longer working or the code was always producing these errors but php’s error related settings were not setup properly to let you know about the problem.

Just posting the snippet of code where the errors are occurring at doesn’t tell us anything useful. The only thing those two lines of code shows is that you are copying variables to other variables for nothing and that you are passing text messages through the URL which opens your site up to phishing attacks and cross site scripting.

You would need to post all the code needed to reproduce the problem for anyone here to actually help with the problem. What’s the code producing the URLs? What’s the code for the page using the values?

Hi

That is all the code that is causing the issue… it is not being used here… it is just sitting there waiting to be used.

An example of it being used is:

  1. I have a form (many all over the place)

  2. The user completes the form and submits it

  3. My code processes the request and then redirects the page to a success or fail message

That’s it.

In the URL I have the path etc and add something like:

&alert=success&alertText=Completed successfully

I have code in my page such as:

if ($alert == "success") { echo ('<div id="alert"><div class="alert alert-success text-center w-100" role="alert" style="padding:0.4em;">' . $alertText . '</div></div>'); }

if ($alert == "fail") { echo ('<div id="alert"><div class="alert alert-danger text-center w-100" role="alert" style="padding:0.4em;">' . $alertText . '</div></div>'); }

I have been using this for years, it works and I have never had an error before.

I don’t want a massive error log for something so simple.

Any idea?

mrmbarnes

The only reason this has not been producing errors up to this point is because php’s error related settings have not been set to report and display/log ALL errors.

For $_GET inputs that may not exist when a page gets requested, you need to use isset() with some conditional logic, such as a ternary operator, or php’s null coalescing operator ??, in order to prevent the errors and to also assign a default value to use in the rest of the code.

The posted code is open to the two security holes I mentioned. By redirecting around on your site, you are conditioning your visitors to seeing a changing url and since the message being displayed is wholly determined by values in the url, a phishing site can trick your visitors to submit things like login credentials on the phishing site, then redirect to your site, making it look like they entered the wrong values. Also, by echoing the raw alert text on your site, you are open to cross site scripting.

Your form processing code and form should be on the same page. If there are user/validation errors, the code would simply continue to redisplay the html document, display any error messages, redisplay the form, repopulating the field values/options/checkbox/radio fields with the existing values. Any dynamic value you output in a html context should have htmlentities() applied to it to help prevent cross site scripting. The only redirect you should have in form processing code should be upon successful completion of the form processing code and it should be to the exact same url of the current page to cause a get request for that page. To display a one-time success message, store it in a session variable, then test, display, and clear the session variable at the appropriate location in the html document.

3 Likes