Hi I am working on a ranking script where users can rank each other by using 2 forms. one for voting up, one for voting down.

HTML Code:

                  <form id="form1" name="form1" method="post" action="userprofile.php?up=true">
                    <label>
                    <input type="hidden" name="up" value="1">
                      <input type="submit" name="button" id="button" value="Vote Up" />
                    </label>
                  </form>
                  <form id="form2" name="form2" method="post" action="userprofile.php?down=true">
                    <label>
                    <input type="hidden" name="down" value="1">
                      <input type="submit" name="button3" id="button3" value="Vote Down" />
                    </label>
                  </form>

But I am getting alot of errors, which arent normally there if the ranking script wasnt here. such as

Notice: Undefined variable: name in C:\wamp\www\prototype4\userprofile.php on line 111

Notice: Undefined variable: location in C:\wamp\www\prototype4\userprofile.php on line 117

I have these on various different lines

The actual ranking script ( its not fully complete ) but I was expecting the create numbers to be shown when echoed and no errors.

the GET["id"] is used because on a previous page all id's are drawn into a url then a user can click a user and will display the profile, this is where the ranking script is.

PHP Code:

$useridvar = $_GET["id"];

if ($_GET["up"]=="true")
                {
                    $sql="SELECT * FROM `numbers` WHERE `id` = '".$useridvar."'";
                    $result=mysql_query($sql);
                    if (!$result) die('Invalid query: ' . mysql_error());
                        while ($row = mysql_fetch_array($result, MYSQL_ASSOC))
                        {
                            $karma = $row["rank"];
                        }
                    
                    $karma = $karma + $_POST['up'];
                    echo $karma;
                    
                    $_GET["up"]="false";    
                }
if ($_GET["down"]=="true")
                {
                    
                    $_GET["down"]="false";
                } 


Notices are not errors. A script can function perfectly well while still generating notices (and to a lesser degree warnings). That being said, undefined variable notices are caused when you reference a variable that hasn't been set.

I'm not seeing either of the variables (name and location) in the notices in your code so I can't give you a specific reason why this is occurring.

A couple of things not related to your question:
1. You are wide open for sql injections.
2. Should you be using get instead of post on this line?:

PHP Code:

$karma = $karma + $_POST['up']; 


3. Why are you setting values in the $_GET array? There is no reason why you can't do this, and maybe it's because I'm looking at it out of context, but it seems like an odd thing to do. $_GET should only contain user input and I normally try not to modify it directly.

I cant see why I am open for SQL injection, there isnt actually any user input and I was using GET because I wanted one page called userprofile.php but could be used for many users. so userprofile.php?id=1 would be like 1 user and id=2 would be another user. but I then wanted the id to be used to allow other users viewing that profile to vote for that user. if that makes sense.

Also the errors only occur once the form has been submitted. then like 12 errors are displayed all about nonindexed var etc.

Quote:

I cant see why I am open for SQL injection,

You obviously don't understand what SQL injection is then.

Quote:

there isnt actually any user input

People can easily edit the URL to include a different query

figured out why the SQL injection was an issue had to do mysql_real_escape_string on the useridvar because could change in URL bar. but what can I do to sort the ranking script out.