Jump to content

Recommended Posts

Hi,

 

I need to pass a URL varriable onto the next page ideally using a hidden form. I have so far

 

In the form -

 
echo '<input type="hidden" name="shoppingid" value="<?php echo $_POST["shop"]; ?>';
 

The "shop" is the part that changes depending on what section the user is on so it may be shop=12 or shop=10 etc and I have declared it in some code above this code

 

On the other page-

$shopid = $_POST['shoppingid'];

Any ideas as it doesnt seem to be working?

Edited by sithsta4
Link to comment
https://forums.phpfreaks.com/topic/288306-passing-url-variables/
Share on other sites

Do something like this -

<?php

    echo 'Shop ID: ' . $_GET['shop'];

?>

<a href="page2.php?shop=<?=$_GET['shop'];?>"></a>

The reason your first code isn't working is because you're using the wrong type of quotes. Single quotes don't execute PHP, double quotes do, but they try to execute everything. 

 
echo '<input type="hidden" name="shoppingid" value="<?php echo $_POST["shop"]; ?>';
 

Should be this -

echo '<input type="hidden" name="shoppingid" value="'.$_POST["shop"].'" />';

Guys, please escape your variables before inserting them into the HTML markup. We've had enough cross-site scripting vulnerabilities.

 

I also see absolutely no reason why you should use a URL parameter. Since you're dealing with a form, a hidden parameter is the correct solution.

 

The reason why your code doesn't work is because you're trying to have a PHP code block within a PHP code block. This is not possible.

 

So a corrected and sanitized version would look like this:

<?php

// Do not forget the escaping!
echo '<input type="hidden" name="shoppingid" value="' . html_escape($_POST['shop'], 'UTF-8') . '">';



function html_escape($raw_string, $encoding)
{
	return htmlspecialchars($raw_string, ENT_QUOTES, $encoding);
}

Perhaps you're already aware of this, but $_GET and $_POST variables can be tampered with by the user. So keep in mind that you'll need to validate/sanitize the value.

 

If your "shop" variable is supposed to be a number, for example, you can use ctype_digit() to make sure it is. At a minimum, you should use something like htmlentities() before the value is used in things like hidden form fields and anchor tags.

 

 

 

I also see absolutely no reason why you should use a URL parameter. Since you're dealing with a form, a hidden parameter is the correct solution.

 

That depends on what the OP (sithsta4) is trying to do. The "shop" variable being in a hidden form field won't work if the OP wants a visitor to click on a link that's not connected to the form, for example. In that case, a GET (or SESSION) variable may be a better choice.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.