Simple question: Is it ok to use undefined variables? Is this just a general rule without any advantage, or does it have any big effect?
If you look at the documentation for mysql_query you will see them used in the example where variables are passed to the database.
In this case with sprintf, %s refers to a string value and %d is for a decimal value.
siteguru links to good documentation for you about it.
http://www.php.net/manual/en/index.php … Bookmark this.
http://uk.php.net/manual/en/function.sprintf.php
%s etc. references are handled sequentially, in the order they appear within the first (format string) argument of the sprintf() function.
%s means a string value
%d means an integer value
but what if there is no function? For example:
    $userId = $_GET[id];
    if (isset($_POST[test])) {
        $test = $_POST[test];
        mysql_query("INSERT INTO users test=$test WHERE id=$userId");
    }
    <form action="editprofile.php" method="post">
    <input type="text" name="test" value="<? echo $test; ?>" />
    <input type="submit" />
    </form>
How would you define the constants id and test and the variable $test here? The variable $userId is already defined with $userId=$_GET[id], right?
Thanks a lot
It means your code is properly considered and formed.
Note that this is a Notice and not a Warning or Error. As such it means your code still works but could benefit from structural review.
To define it means that the script knows whether it's a number or a string or a boolean or an object of some sort.
Some scripting behaviour can be undefined (random, exotic, unpredictable) when dealing with undefined variables.
but what purpose does defining it have?
You should get an error if it's truly undefined:
    Notice: Undefined variable
Typically you define variables at the start of each function. It's also common to assign a default value to a variable before assigning to that variable from within a conditional branch.
In terms of defines, that can depend on how they’re intending to be used.
what is the most common way to define variables, constants etc.? Is it ok to just simply put all defines in one extra file and include it in the header?
Here is a way that the code could be improved.
The $userId variable might be undefined if the id parameter is not in $_GET. Also, the $_GET and $_POST names should be strings.
    $userId = '';
    if (isset($_GET['id'])) {
        $userId = $_GET['id'];
    }
You can shorten that code using a conditional statement, so that instead of the above code, you could do the same with this:
    $userId = (isset($_GET['id'])) ? $_GET['id'] : '';
and if you’re using PHP 5, you can use the filter_input function instead:
    $userId = filter_input(INPUT_GET, 'id');
The mysql_query statement has severe security issues in the way that it was used. You should sanitise all untrusted information before passing it to the database.
For example:
    $sql = sprintf('INSERT INTO users test="%s" WHERE id=%d',
        mysql_real_escape_string($test),
        intval($userId)
    );
    mysql_query($sql);
Here’s the code after some updates.
    $userId = filter_input(INPUT_GET, 'id');
    $test = filter_input(INPUT_POST, 'test');
    if (!empty($test)) {
        $sql = sprintf('INSERT INTO users test="%s" WHERE id=%d',
            mysql_real_escape_string($test),
            intval($userId)
        );
        mysql_query($sql);
    }
    <form action="editprofile.php" method="post">
    <input type="text" name="test" value="<? echo $test; ?>" />
    <input type="submit" />
    </form>
You may want to solve another problem
tnx, just one more question:
What does test="%s" WHERE id=%d mean, and why use $sql = sprintf and not mysql_query=("…")?
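The update from the answer above and the sprintf question here, as an added example that is not the thread's own code: every variable gets a definite value before use, and the thread's sprintf pattern is shown beside a prepared statement doing the same update. It assumes an UPDATE of the user's row (INSERT ... WHERE is not valid SQL) and uses an in-memory SQLite database through PDO instead of the mysql extension so it runs offline; the users table and its rows are constructed.

```php
<?php
// Added example, not code from the thread. Assumptions: the row is updated
// (INSERT ... WHERE is not valid SQL) and an in-memory SQLite database stands
// in for MySQL so the script runs offline. PDO::quote() plays the role that
// mysql_real_escape_string() plays in the thread.

/** Read and validate the request; every variable gets a definite value. */
function readRequest(array $get, array $post): ?array
{
    // FILTER_VALIDATE_INT returns false for anything that is not an integer,
    // which is stricter than intval() ("12abc" becomes 12, "abc" becomes 0).
    $userId = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    $test   = isset($post['test']) ? (string) $post['test'] : '';
    if ($userId === false || $test === '') {
        return null;
    }
    return ['id' => $userId, 'test' => $test];
}

/** The thread's sprintf pattern: %s takes the escaped string, %d the integer. */
function buildSql(PDO $db, int $userId, string $test): string
{
    // quote() escapes the value and adds the surrounding quotes, so %s is bare.
    return sprintf('UPDATE users SET test = %s WHERE id = %d', $db->quote($test), $userId);
}

/** Same update with a prepared statement: SQL and values travel separately. */
function updateProfile(PDO $db, int $userId, string $test): void
{
    $stmt = $db->prepare('UPDATE users SET test = :test WHERE id = :id');
    $stmt->execute([':test' => $test, ':id' => $userId]);
}

// Constructed sample data standing in for the real users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, test TEXT)');
$db->exec("INSERT INTO users (id, test) VALUES (1, 'old'), (2, 'other')");

$req = readRequest(['id' => '1'], ['test' => "O'Brien"]);   // value containing a quote
echo buildSql($db, $req['id'], $req['test']), "\n";      // the quote is doubled, not parsed
updateProfile($db, $req['id'], $req['test']);
var_dump($db->query('SELECT test FROM users WHERE id = 1')->fetchColumn() === "O'Brien");
var_dump($db->query('SELECT test FROM users WHERE id = 2')->fetchColumn() === 'other');

// A missing or non-numeric id is rejected instead of silently becoming 0.
var_dump(readRequest([], ['test' => 'y']) === null);
var_dump(readRequest(['id' => 'abc'], ['test' => 'y']) === null);
```

Run it with `php example.php` on PHP 7.1 or newer with the pdo_sqlite extension; swapping the DSN for a MySQL one needs no change to the two query functions.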
Could you elaborate? How does the user define these variables? What scope do they have?
Whoops, I read that as ‘user defined’ variables. My apologies.
All variables should be defined, why would they not be? To me, it screams of sloppy code.