dean7 Posted September 10, 2016

Hey all,

I'm coding a private message system for my website which obviously allows users to message each other. On my Inbox script I have a link which, when clicked, goes to my send message script, which should then have the username in the username box already.

For example, the inbox link to message other users:

    SendMessage.php?touser=**The username**

Now on the send message form the Username should be filled with the username of the user that was clicked. I'm using $_GET['touser']; to pull over the username but it's not adding it into the box?

The inbox show message part which contains the link:

    echo ("<table width='50%' align='center' class='tableborder' border='1' cellpadding='0' cellspacing='0'><tr><td class='header' align='center'>$message->subject</td></tr><tr><td class='Tablebottom' align='center'>From: <a href='profile.php?view=$message->from' >$message->from</a> | <a href='SendMessage.php?touser=$message->from'>Reply</a> | Date: $message->date</td></tr><tr><td>" .clean($message->message). "</td></tr></table> <br />");

Part of the send message script:

    $ToUser = $_GET['touser'];

    <td width="50%"><div align="right">To:</div></td>
    <td width="50%"><div align="center">
    <input name="to" type="text" class="textinput" id="to" value="<?php $ToUser; ?>" maxlength="20" size="38"></div></td>
    </tr>

The username should only appear in the box if a username is clicked on the message, else it should be blank for you to input a name, but it's always showing blank. If I echo out $ToUser it does show the username, just not in the box?

Thanks for any help given

dean7 Posted September 10, 2016 (Author)

Okay, after a dumb thing I realised that I needed to echo $ToUser. Dumb move from me

Jacques1 Posted September 10, 2016

It's even dumber to insert user input straight into the page, because now anybody can inject malicious JavaScript code. You need to HTML-escape the input.

dean7 Posted September 10, 2016 (Author)

Thanks, I can add that on, I generally do escape it all.

On another note, I'm also wanting to bring over a messageid, which is the same as I had with the other get value, but with the message ID I'm wanting to perform a query which lets me select things from that message from the database. But when I do $_GET['messageid']; it's not giving me the ID?

    $messageid = $_GET['messageid'];
    echo $messageid; // does it show an id

    $InboxStuff = $db->prepare("SELECT * FROM `inbox` WHERE `id` = :id");
    $InboxStuff->bindParam(":id", $messageid);
    $InboxStuff->execute();
    $IbxObj = $InboxStuff->fetchObject();

    if ($_GET['messageid']){
        // single-quoted string: $message is printed literally, not interpolated
        echo '<textarea class="textinput" name="text" cols="75" rows="10" id="text">[b]Last said:[/b] $message</textarea>';
    }else{
        echo '<textarea class="textinput" name="text" cols="75" rows="10" id="text"></textarea>';
    }

NotionCommotion Posted September 10, 2016

Use var_dump($_GET) or echo('<pre>'.print_r($_GET,1).'</pre>'); to see what you have to work with. Then try performing your SQL query directly in the database and look at the results. I often use the following, however, I don't know whether it will work with bind().

    protected function showQuery($sql, $data) {
        $keys = [];
        $values = [];

        # build a regular expression for each parameter
        foreach ($data as $key => $value) {
            if (is_string($key)) {
                $keys[] = '/:'.$key.'/';
            } else {
                $keys[] = '/[?]/';
            }
            //if(is_numeric($value)) {$values[] = intval($value);}
            if (is_numeric($value)) {
                $values[] = $value;
            } else {
                $values[] = '"'.$value .'"';
            }
        }
        $sql = preg_replace($keys, $values, $sql, 1, $count);
        return $sql;
    }

dean7 Posted September 10, 2016 (Author)

I've just done the var_dump(), it's returning NULL?

NotionCommotion Posted September 10, 2016

> I've just done the var_dump(), it's returning NULL?

Well, you can pretty much guarantee all your other script is irrelevant until you fix this. How are you getting to this page? A GET or POST request? PHP is a little funny in that it populates the $_GET super even upon a POST request if the URL contains parameters.

Jacques1 Posted September 10, 2016

> PHP is a little funny in that it populates the $_GET super even upon a POST request if the URL contains parameters.

This isn't funny behavior. The superglobal is simply horribly misnamed. $_GET has nothing to do with the GET method (or any particular method); it's the parsed query part of the URL and should have been called $_URL_PARAMS.

dean7 Posted September 10, 2016 (Author)

> Well, you can pretty much guarantee all your other script is irrelevant until you fix this. How are you getting to this page? A GET or POST request? PHP is a little funny in that it populates the $_GET super even upon a POST request if the URL contains parameters.

I'm getting it through a $_GET and everything else on my script is actually working as it doesn't all rely on this $_GET. A few posts up is what I'm trying to fix

NotionCommotion Posted September 10, 2016

> This isn't funny behavior. The superglobal is simply horribly misnamed. $_GET has nothing to do with the GET method (or any particular method); it's the parsed query part of the URL and should have been called $_URL_PARAMS.

I say funny, you say horribly misnamed. We are saying the same thing. Dang tomatoes get all the glory.

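The HTML-escaping Jacques1 asks for and the messageid lookup from dean7's second question, put together as an added example that is not code from any poster in this thread. The function names `e` and `replyFields`, the `message` column, the in-memory SQLite database and the sample values are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// HTML-escape a value for element content or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the "To" box and message box from the URL query parameters.
// $query stands in for $_GET; $db is a PDO handle with an inbox table.
function replyFields(array $query, PDO $db): string
{
    // A missing or non-string touser (e.g. ?touser[]=x) leaves the box empty.
    $toUser = is_string($query['touser'] ?? null) ? $query['touser'] : '';

    // messageid must be a positive integer; anything else means "no quote".
    $id = filter_var($query['messageid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);

    $quoted = '';
    if ($id !== false) {
        $stmt = $db->prepare('SELECT message FROM inbox WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetchObject();
        if ($row !== false) {
            $quoted = '[b]Last said:[/b] ' . $row->message;
        }
    }

    // Escape at output time, whatever the value's origin (URL or database).
    return '<input name="to" type="text" id="to" maxlength="20" value="'
        . e($toUser) . '">' . "\n"
        . '<textarea name="text" cols="75" rows="10" id="text">'
        . e($quoted) . '</textarea>';
}

// Constructed demo data: in-memory SQLite with one stored message.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE inbox (id INTEGER PRIMARY KEY, message TEXT)');
$db->exec("INSERT INTO inbox (message) VALUES ('</textarea><b>injected</b>')");

// Constructed hostile request: both values try to leave their HTML context.
echo replyFields(['touser' => '"><b>injected</b>', 'messageid' => '1'], $db), "\n";
// Plain "new message" request with no parameters: both fields stay empty.
echo replyFields([], $db), "\n";
```

In the first output the quotes and angle brackets appear as `&quot;`, `&lt;` and `&gt;`, so neither the attribute nor the textarea is closed early; the stored message is escaped as well because database content is just as untrusted as the URL.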