
Passing URL variables


sithsta4


Hi,

 

I need to pass a URL variable onto the next page ideally using a hidden form. I have so far

 

In the form -

 
echo '<input type="hidden" name="shoppingid" value="<?php echo $_POST["shop"]; ?>';
 

The "shop" is the part that changes depending on what section the user is on so it may be shop=12 or shop=10 etc and I have declared it in some code above this code

 

On the other page-

$shopid = $_POST['shoppingid'];

Any ideas as it doesn't seem to be working?


Do something like this -

<?php

    echo 'Shop ID: ' . $_GET['shop'];

?>

<a href="page2.php?shop=<?=$_GET['shop'];?>"></a>

The reason your first code isn't working is because you're using the wrong type of quotes. Single quotes don't execute PHP, double quotes do, but they try to execute everything. 

 
echo '<input type="hidden" name="shoppingid" value="<?php echo $_POST["shop"]; ?>';
 

Should be this -

echo '<input type="hidden" name="shoppingid" value="'.$_POST["shop"].'" />';

Guys, please escape your variables before inserting them into the HTML markup. We've had enough cross-site scripting vulnerabilities.

 

I also see absolutely no reason why you should use a URL parameter. Since you're dealing with a form, a hidden parameter is the correct solution.

 

The reason why your code doesn't work is because you're trying to have a PHP code block within a PHP code block. This is not possible.

 

So a corrected and sanitized version would look like this:

<?php

// Do not forget the escaping!
echo '<input type="hidden" name="shoppingid" value="' . html_escape($_POST['shop'], 'UTF-8') . '">';



function html_escape($raw_string, $encoding)
{
	return htmlspecialchars($raw_string, ENT_QUOTES, $encoding);
}

Perhaps you're already aware of this, but $_GET and $_POST variables can be tampered with by the user. So keep in mind that you'll need to validate/sanitize the value.

 

If your "shop" variable is supposed to be a number, for example, you can use ctype_digit() to make sure it is. At a minimum, you should use something like htmlentities() before the value is used in things like hidden form fields and anchor tags.

 

 

 

> I also see absolutely no reason why you should use a URL parameter. Since you're dealing with a form, a hidden parameter is the correct solution.

 

That depends on what the OP (sithsta4) is trying to do. The "shop" variable being in a hidden form field won't work if the OP wants a visitor to click on a link that's not connected to the form, for example. In that case, a GET (or SESSION) variable may be a better choice.
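
An added example (not code from any poster in this thread) that combines the advice above: validate "shop" with ctype_digit() and escape it on output, for both the hidden field and the link. The function names other than html_escape, the 9-digit limit and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread. Sample values below are constructed.

// Return the shop id as a digit string, or null if the input is not a plain non-negative integer.
function valid_shop_id($raw): ?string
{
    // ctype_digit() is only meaningful for strings, so arrays (shop[]=1) and missing values fail here.
    // The 9-digit limit is an assumed upper bound, not something the thread specifies.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return null;
    }
    return $raw;
}

function html_escape(string $raw, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($raw, ENT_QUOTES, $encoding);
}

function hidden_shop_field(string $shop): string
{
    return '<input type="hidden" name="shoppingid" value="' . html_escape($shop) . '">';
}

function shop_link(string $shop, string $label): string
{
    // http_build_query() URL-encodes the value; the finished URL is then HTML-escaped for the attribute.
    $url = 'page2.php?' . http_build_query(['shop' => $shop]);
    return '<a href="' . html_escape($url) . '">' . html_escape($label) . '</a>';
}

// Constructed inputs standing in for $_POST['shop'] / $_GET['shop'].
$samples = ['12', '10', '', '12 OR 1=1', '12"><b>injected</b>', ['12']];

foreach ($samples as $raw) {
    $shop = valid_shop_id($raw);
    if ($shop === null) {
        // Rejected values are still escaped before being echoed back.
        echo 'rejected: ' . html_escape(is_string($raw) ? $raw : gettype($raw)) . "\n";
        continue;
    }
    echo hidden_shop_field($shop) . "\n";
    echo shop_link($shop, 'Shop ' . $shop) . "\n";
}
```

The receiving page should run the same valid_shop_id() check on $_POST['shoppingid'], since a hidden field can be edited by the user just like a URL parameter.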
