vampiro2004 Posted March 28, 2016 Share Posted March 28, 2016 i have a worksheet system designed and coded by an ex collegue, who didnt like to comment what some of the code does and how, i have been tasked to update the system from it current form which work with apache 2.2 and mysql 5.1.34, the php version is 5.2.9 (yes i know very old!!!), boss hasnt wanted to update coz of time n money, but i point out some flaws and he is now willing to update a bit. I am trying to update the code to work with xampp, PHP 5.6.19 and apache 2.4.17. the problem is i have Undefined variable: state across 9 line's of code, all with the undefinded variable: state. Have look at various google searches to no luck. so wondered if you guys could help out. I have the variables define at the top of the code which was already orignally there: <?php include("header.php"); ?> <body link='#000000' vlink='#000000' alink='#000000' text='#000000' > <?php//declare vars $partcatid = 1; $jobcatid = 1; $state = 0; //default 0 $tempinvlineid = 0; $invtotal = 0; /* -----state key----------- 0 display inv / request to create a inv 1 add std part cat 2 add std part 3 add std job 4 add non std 5 update line 6 CNSI 7 Date 8 addy 9 add std job cat 10 nothing */ <!-- react to buttons --> <!-- run create worksheet --> <?php This is where it screws up and all the line have the same code, but do a slighlty different thing (e.g. add parts, add cost's, etc) <?php if ($state==0) { //get work sheet id if needed if ($worksheetid==NULL) { $worksheetid = $_GET['worksheetid']; } //end get work sheet id if needed //display rate $cust_rp = mysql_query("SELECT rate FROM customers WHERE id=(select CustomerID from worksheets where id=" . $worksheetid . ")"); $customer = mysql_fetch_array($cust_rp); echo "The Workshop rate per hour, for this customer is £" . $customer['rate'] . "+VAT"; //end display rate $inv_rp = mysql_query("SELECT * FROM inv where jobid =" . $worksheetid); if ($inv = mysql_fetch_array($inv_rp)) { //Get VAT info $VATInfo_rp = mysql_query("SELECT * FROM vattable"); $Xdate = 0; while ($VATInfo = mysql_fetch_array($VATInfo_rp)) { if ($inv['Date']>$VATInfo['date']) { if ($VATInfo['date']>$Xdate) { $VATRate=$VATInfo['rate']; $Xdate=$VATInfo['date']; } } } //echo "<br>" . $VATRate . "%<br>"; //convert vate rate to multiplier $VATRate = ($VATRate/100)+1; //echo "<br>" . $VATRate . "<br>"; echo "<TABLE align=\"center\"><tr><td><FONT color=\"blue\" SIZE=\"+2\">INVOICE No. " . $inv['invid'] . "<br>Inv status is: "; if($inv['PaymentState'] == 0) { echo "Un-paid"; } elseif($inv['PaymentState'] == 1) { echo "Chased"; } elseif($inv['PaymentState'] == 3) { echo "Deleted"; } elseif($inv['PaymentState'] == 2) { echo "Paid Cash"; } elseif($inv['PaymentState'] == 4) { echo "Paid Till"; } elseif($inv['PaymentState'] == 5) { echo "Paid CHQ"; } elseif($inv['PaymentState'] == 6) { echo "Issued"; } echo "</font></td></tr></TABLE><br>"; //display date echo "Date: " . date("d-m-Y", $inv['Date']) . "</p>"; //display cust details //conver new lines name $name = $inv['name']; $remove = array("\n"); $name = str_replace($remove, '<BR>', $name); echo $name . "</p>"; //conver new lines addy $addy = $inv['addy']; $remove = array("\n"); $addy = str_replace($remove, '<BR>', $addy); echo $addy . "</p>"; echo "There is a inv</p>"; echo "<TABLE>"; $invline_rp = mysql_query("SELECT * FROM invline where invid =" . $inv['invid'] . " ORDER BY invlineid"); while ($invline = mysql_fetch_array($invline_rp)) { //conver new lines $des = $invline['description']; $remove = array("\n"); $des = str_replace($remove, '<BR>', $des); echo "<tr><td align=\"left\">" . $invline['invlineid'] . ": </td><td align=\"left\">"; echo $des; $moneyout = sprintf('%.2f', $invline['price']); echo ":</td><td align=\"right\"><B> £" . $moneyout; if ($invline['HasVAT']) { echo " +Std VAT</B></td></tr>"; } else { echo " Zero Rate VAT</B></td></tr>"; } } //get total of whole inv $invline_rp = mysql_query("SELECT SUM(price) FROM invline WHERE invid =" . $inv['invid']); $invline = mysql_fetch_array($invline_rp); $invtotal = $invline['SUM(price)']; //get total of VAT lines only on inv $invlineVL_rp = mysql_query("SELECT SUM(price) FROM invline WHERE invid='" . $inv['invid'] . "' AND HasVAT='1'" ); $invlineVL = mysql_fetch_array($invlineVL_rp); $invtotalVL = $invlineVL['SUM(price)']; //display sub total ex vat $moneyout = sprintf('%.2f', round($invtotal, 2)); echo "<tr><td></td><td align=\"right\"><B>Total ex VAT =</td><td align=\"right\"><B> £". $moneyout . "</td></tr>"; //display vat element $moneyout = sprintf('%.2f', round(($invtotalVL*($VATRate-1)), 2 )); echo "<tr><td></td><td align=\"right\"><B>VAT = </td><td align=\"right\"><B>£" . $moneyout . "</td></tr>"; //calc then display total inc vat $temptotal=$invtotalVL*$VATRate; $temptotal=$temptotal+($invtotal-$invtotalVL); $moneyout = sprintf('%.2f', round(($temptotal),2)); echo "<tr><td></td><td align=\"right\"><B>Total inc VAT = </td><td align=\"right\"><B>£" . $moneyout . "</td></tr>"; echo "</TABLE> "; echo "</p><form method=\"POST\" action=\"draftinv.php\"> Line number:<input type=\"int\" name=\"edit_line\"> <input type=\"submit\" value=\"edit line\"> <input type=\"hidden\" name=\"worksheetid\" value=\"" . $worksheetid ."\"> </form>"; echo "<form method=\"POST\"> <input type=\"hidden\" name=\"worksheetid\" value=\"" . $worksheetid ."\"> <input type=\"submit\" name=\"AddStdPart\" value=\"Add Std Part\" > <input type=\"submit\" name=\"AddStdJob\" value=\"Add Std Job\" > <input type=\"submit\" name=\"AddNonStd\" value=\"Add Non Std\" > <input type=\"submit\" name=\"SetDate\" value=\"Set Date\" > <input type=\"submit\" name=\"Setaddy\" value=\"Change Address\" > <input type=\"submit\" name=\"AddCCsur\" value=\"CC Charge\" >"; if($inv['beatIt']==1) { echo "<input type=\"submit\" name=\"cInvType\" value=\"Make WC INV\" >"; } else { echo "<input type=\"submit\" name=\"cInvType\" value=\"Make BeatIt INV\" >"; } echo "</form></br>"; //display inv owner echo "This inv is a, <b>" . $engineer_names[$inv['whos']] . "</b> inv<br>"; //end display inv owner echo "</p><form method=\"POST\">"; echo "<input type=\"hidden\" name=\"worksheetid\" value=\"" . $worksheetid ."\">"; echo "<select style=\"width: 100;\" name=\"entry_engineer\">"; //pull Engineers from database $engineer_result_pointer = mysql_query("SELECT id, EngineerName FROM engineers"); while ($engineer_results = mysql_fetch_array($engineer_result_pointer)) { echo "<option value='$engineer_results[id]'"; if ($engineer_results["id"]==$inv["whos"]) echo " SELECTED"; echo ">$engineer_results[EngineerName]</option>"; //echo "<br>" . $engineer_results[id] . $engineer_results[EngineerName] . $inv['whos']; } echo "</select>"; echo "<input type=\"submit\" name=\"assign\" value=\"Assign Inv\">"; echo "</form>"; echo "<form method=\"post\" name=\"form1\"> <input type=\"hidden\" name=\"nothing\" value=\"nothing\" > <input type=\"hidden\" name=\"worksheetid\" value=\"" . $worksheetid ."\"> <script> function Printinv () { window.open('printinv.php?worksheetid=" . $worksheetid . "', 'PrintInv', 'height=550, width=550, scrollbars=yes, menubar=no, toolbar=no, status=no'); } function Pdfinv () { window.open('pdfinv.php?worksheetid=" . $worksheetid . "', 'PrintInv', 'height=550, width=550, scrollbars=yes, menubar=no, toolbar=no, status=no'); } function Cloneinv () { window.open('cloneinv.php?worksheetid=" . $worksheetid . "', 'CloneInv', 'height=550, width=550, scrollbars=yes, menubar=no, toolbar=no, status=no'); } </script>"; echo "<button onClick=\"javascript:Printinv();\">Print Inv </button> <button onClick=\"javascript:Pdfinv();\">Generate PDF</button> <button onClick=\"javascript:Cloneinv();\">Clone Inv </button></form>"; } else { echo $_POST['worksheetid']; echo "There is NO inv would you like to create one"; echo "<form method=\"POST\"> <input type=\"submit\" name=\"create\" value=\"Create a Inv\" > <input type=\"hidden\" name=\"worksheetid\" value=\"" . $_POST['worksheetid'] ."\"> </form>"; } } ?> i have had other errors but they have been easy to figure out, i dont know much about php but learn fast and understand what its meant to do. the ex-collegue is unwilling to help which kinda sucks. So any help would really be appreciated. if you need the acutally php page i will supply it. many thanks in advance Quote Link to comment Share on other sites More sharing options...
benanamen Posted March 28, 2016 Share Posted March 28, 2016 (edited) YOU ARE VULNERABLE TO AN SQL INJECTION ATTACK! You NEVER EVER send user supplied data directly to the database. You are using obsolete Mysql code that has been completely removed from PHP. You need to use PDO. https://phpdelusions.net/pdo Page formatting needs to go in an external CSS file. The whole thing needs to be re-written and you need to update all your software versions. You are just begging to be hacked. Edited March 28, 2016 by benanamen Quote Link to comment Share on other sites More sharing options...
mac_gyver Posted March 28, 2016 Share Posted March 28, 2016 if the $state variable is undefined at the line 504+ code, either it has been unset() at some point or there's a variable scope problem. is the line 504+ code inside of a function definition or is it being included into the page using a URL instead of a file system path? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.