bugzy Posted July 28, 2012

I have a form get like this

<form action="<?php echo $_SERVER['REQUEST_URI']."&"; ?>" method="get" name="search">

That form is, for example, on www.mywebsite.com/search.php?cat=1001

If I click the submit button, I'm expecting this

www.mywebsite.com/search.php?cat=1001&search=textbox_anything

But it is always redirecting me to

www.mywebsite.com/search.php?search=textbox_anything

It is removing the cat=1001

Is there any alternative?

requinix Posted July 28, 2012

If you set method=get then the query string in the action URL will be overwritten with whatever the form data is. It looks like all you're expecting is the category ID? Put that in a hidden field.

<form action="search.php" method="get" name="search"> " /><

bugzy Posted July 28, 2012

Perfect! Thanks! requinix

requinix Posted July 28, 2012

Uh, I posted something potentially very bad. Try again:

<form action="search.php" method="get" name="search">
<input type="hidden" name="cat" value="<?php echo (int)$_GET["cat"]; ?>" />

XSS

bugzy Posted July 28, 2012

> Uh, I posted something potentially very bad. Try again:
>
> <form action="search.php" method="get" name="search">
> <input type="hidden" name="cat" value="<?php echo (int)$_GET["cat"]; ?>" />
>
> XSS

Just a question: so is (int) necessary to increase security on every numeric value that will be passed in the URL? Are htmlentities and urlencode also suitable for this?

scootstah Posted July 28, 2012

urlencode() isn't meant to prevent XSS, so no. You could use htmlentities() if you wanted, but if it is going to be numeric it's easier to just typecast it. There's no point having sanitized data if it isn't valid data.
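
The options discussed in this thread, side by side, as an added example that is not code from any of the posters. It renders the hidden `cat` field from constructed sample values using a raw echo, urlencode(), htmlentities(), the (int) cast, and a validate-then-render step. `hidden_cat()` and `valid_cat()` are hypothetical helper names, and the sample values stand in for `$_GET['cat']`.

```php
<?php
// Constructed sample values standing in for $_GET['cat'] (not from the thread).
$samples = ['1001', '1001"><b>injected</b>', 'abc', ''];

// Hypothetical helper: builds the hidden field from the thread around a value
// that the caller has already prepared for output.
function hidden_cat(string $value): string
{
    return '<input type="hidden" name="cat" value="' . $value . '" />';
}

// Hypothetical helper: accept only a positive integer, otherwise return null.
function valid_cat(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

foreach ($samples as $raw) {
    echo 'input:        ', var_export($raw, true), "\n";

    // Raw echo: a double quote in the value closes value="" and the rest
    // of the input is parsed by the browser as markup.
    echo 'raw echo:     ', hidden_cat($raw), "\n";

    // urlencode() targets URL components, not HTML: the field now holds
    // percent-encoded text, which the browser encodes again on submit.
    echo 'urlencode:    ', hidden_cat(urlencode($raw)), "\n";

    // htmlentities() with ENT_QUOTES keeps the value inside the attribute,
    // but a non-numeric category is still passed through unchanged.
    echo 'htmlentities: ', hidden_cat(htmlentities($raw, ENT_QUOTES, 'UTF-8')), "\n";

    // (int) output is always digits, but invalid input silently becomes
    // 0 or its leading number (1001 for the second sample).
    echo '(int) cast:   ', hidden_cat((string)(int)$raw), "\n";

    // Validation rejects anything that is not a positive integer.
    $id = valid_cat($raw);
    echo 'validated:    ', $id === null ? 'rejected' : hidden_cat((string)$id), "\n\n";
}
```

The last two lines of each group show the difference scootstah points at: the cast makes the output safe to print, while validation decides whether the request carried a usable category at all.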