My need is to send multiple values when a user clicks a button which uses GET METHOD.
Since multiple values are to be sent, I am using an argument as follows:
$argument='var2=value2&var3=value3';
echo "<button value='value1&$argument&' type='submit' name='var1'>Send</button>";
Essentially, the button tag in HTML has a restriction that it can send ONLY one name-value pair. In this case, it will send name='var1' and corresponding value as value1. Hence, I am appending the other name-value pairs through the PHP $argument variable. In this case, var2=value2&var3=value3 are getting appended, and sent.
All good till here.
The problem is that when it reaches the submitted page, it is getting the following encoding:
https://example.com/dir1/page.php?var1=value1%26var2%3Dvalue2%26var3%3Dvalue3%26
Essentially, the & is getting %26, and = is becoming %3D.
I am aware that this is due to the inbuilt encodeURIComponent of HTML, but due to this encoding the form submission is failing.
I am looking for a way/method to receive the following in the submitted page (i.e. without encoding), so that it can be processed smoothly:
https://example.com/dir1/page.php?var1=value1&var2=value2&var3=value3&
PS: have explored existing threads like Escaping ampersand in URL & Why does %26 get decoded to & when passed as a parameter to a JavaScript function from a link? & many more, but unable to find the answer.
Also tried the following as mentioned in URL/HTML escaping/encoding, but not working:
echo "<button value='value1&".htmlspecialchars($argument)."' type='submit' name='var1'>Send</button>";
If any existing answer exists, pls point me to it in the comment before marking this question down.
Thanks
You can simply put these values individually in hidden fields in the form which the button is part of.
e.g.
<form>
<button type='submit' name='send'>Send</button>
<input type="hidden" name="var1" value="<?php echo htmlspecialchars($val1)?>">
<input type="hidden" name="var2" value="<?php echo htmlspecialchars($val2)?>">
</form>
The browser will then use these to create a properly-constructed and encoded URL for you automatically when the form is submitted.
Related
I am trying to input submit value and want to pass the value to another page through GET but for that I have to use two Clicks button.
I want the same in a single click. Help required.
Code:-
<form method="post">
<input name="inwardid" type="text" id="inwardid" />
<?php $inwardid = $_POST['inwardid']; ?>
<input type="submit" value="Next" />
</form>
<a href="addbook.php?up=<?php echo $inwardid; ?>"><button>Proceed</button>
You want to send the value the user typed in to the other page. So use this for your <form>:
<form method="POST" action="addbook.php">
<input name="up" type="text" id="up">
<input type="submit" value="Proceed">
</form>
To access the value in addbook.php, use $_POST['up'].
This will send the value the user typed in the input label (type="text") to the addbook.php page, using a $_POST. No need for a $_GET, $_POST will do just fine.
As you deliberately asked for method GET, my solution shows you GET!
You must know there is no security issue when using GET. It depends what you want to do. GET is useful if you want to use a dynamic code in multiple ways depending on some some variables that you do not want to hard-code in your script, or simply do not want to send files or other huge data.
Lets admit a newspaper has a site called breaking_news.php and you want to access the breaking news of November 8, 2016you could use this as :
breaking_news.php?y=2018&m=11&d=08
The fact that one can see your GET vars means nothing. Even by using POST one can see your variables by looking at your code. And one way or the other you must protect against code injection and brute force.
But if your not in the mood to show this vars to your visitor you can use URL rewriting to rewrite the url above in the browser as
RewriteRule ^breaking/(.*)/(.*)/(.*)/news\.html$ breaking_news.php?y=$1&m=$2&d=$3 [NC,L]
so you send your visitor to see the (rewritten)URL
breaking/2018/11/08/news.html
but what the web-server is showing him is:
breaking_news.php?y=2018&m=11&d=08
A reason to use this if for example when you want your dynamic site to be taken into consideration by some searching engine as a static site, and get indexed. But this is again another battle field.
Second, you want to send the variable to "addbook.php", and not to itself.
Your question sounded like you want to send to "another page" not to the same page.
Third, I can see in your code snippet you want to submit the variable "up" and not "inwardid", as you did in your code.
And also I can see you want the "submit" button to be called "Proceed".
Your code would look like this:
<form method="GET" enctype="application/x-www-form-urlencoded" action="addbook.php" target="_blank">
<input name="up" type="text" id="inwardid" />
<input type="submit" value="Proceed" />
</form>
As I said you must protect against injection, and this means for example, that in the "addbook.php",to whom you are sending the variables you must write some code that protects you against this issues. As your question is not in this direction I will not enter this subject.
To avoid problems with special chars you must "url-encode" your variable specially when sending them per POST method. In this case you must use this enctype if your handling text. Because this enc-type is transforming special chars into the corresponding ASCII HEX-Values.
Using GET your safe, because GET cant send in another enc-type. So your variable will automatically be url-encoded and you receive a string that is compliant to RFC 3986 similar by using:
rawurlencode($str)
Lets admit someone smart guy fills in a your input box the following code, in the desire to break your site. (This here is not exactly a dangerous code but it looks like those who are.)
<?php echo "\"?> sample code in c# and c++"; ?>
using enctype="application/x-www-form-urlencoded" this will become something like this:
%3C%3Fphp%20echo%20%22%5C%22%3F%3E%20sample%20code%20in%20c%23%20and%20c%2B%2B%22%3B%20%3F%3E
what makes it safe to be transported in a URL, and after receiving and cleaning it using
strip_tags(rawurldecode($_GET['str']))
it would output something like this, what is a harmless string.
sample code in c# and c++
I have the following hidden input in a form:
<input type="hidden" name="token" value="<?php echo $token; ?>">
I am posting this input value to another PHP page for processing through a form, however, when I try to read the value of the input field using $_POST["token"], I find it empty. I looked all over the Internet for a solution, but the only one I found is to place everything into one page (the form together with the processing code); but I want the processing code to be in a separate page.
This is the markup:
<form id="registerform" name="registerform" method="post">
First name:<br>
<input type="text" name="firstname"><br>
Last name:<br>
<input type="text" name="lastname">
<input type="hidden" name="token" value="<?php echo $token; ?>">
</form>
The problem here is that I can read the values of the first name and last name. but the value of the hidden input is not accessible.
Your approach is correct. If it won't work like this, you probably made some typo or mistake and need to debug your code. Here is one way to do that.
Check if the value $token is correctly rendered into the <input>. Does it have a value in the PHP script or is already empty there? If it is not empty in the PHP script (you can echo it out, to see its value), you need to check the rendered HTML. Does it have any mistakes? It's best to just open the view-source tab to see what PHP actually renders. Somewhere in the rendered HTML, there needs to be a hidden input field with the value set to the same as in the PHP script. Check also the syntax.
If 1 did not yet resolve your problem, you can try to send the form and observe the request in the DevTools of your browser (it's probably best to use Firefox or Chrome for that). To see the request, you should open the DevTools (push F12) and switch to the Network tab. Make sure, you hit Preserve log to keep the logs on the page switch. Click on the row of the page where your data should have been sent to. You can see the parameters on the bottom of the details. Your hidden parameter needs to be there, if not, you are not correctly sending it to the PHP script. → Go back to step 1.
If the error still resists, enter the following line on top of the PHP page where your form is sent to (the page you have in the action attribute of the form): <?php print_r($_POST); ?>. This will print out all data which is received by the PHP script via POST (change it to $_GET, if you are expecting GET data). Submit your form. If the token key is present on the next page (e.g. [token] => "123" is part of the output), you can definitely access it via $_POST['token'].
I'm trying to send a POST request with part of the webpage URL as the parameter. For instance, in this url:
http://testsite.com/confirmEmail/?token=abcdefg
I want to be able to send the input token with the value abcdefg. I want to make this responsive to different token values. Any ideas?
Thanks
This answer is assuming they will do some action on this page, otherwise you would want a redirect.
<?php
$token=$_GET['token'];
?>
<form method="POST">
<input type="hidden" name="token" value="<?php echo htmlentities($token, ENT_QUOTES);?>" />
<!--other form fields and submit button here-->
</form>
UPDATE:
This was a simple answer, to be easily understood, but of course echoing out a get variable straight from the url opens you up to xss. Someone edited my answer to strip quotes from that variable but htmlentities() is also vulnerable to xss. I believe the appropriate function nowadays is htmlspecialchars($token, ENT_QUOTES, "UTF-8"). If you go this route, you need to be careful about which encoding & characters you put in your tokens now, so they aren't stripped, which would probably break your verification process. Looks like it's numeric in the example, so you should be ok. Also remember someone could still post a modified form, so you need to sanitize this token field to prevent injections, but hopefully that's not relevant to this question.
I'm programming a script that parses some data from <a> and <input> tags on the page (using SIMPLE HTML DOM). The web page requires to log in and to hold COOKIES, by the way. I use CURL. The issue appears when I try to submit POST data with the just extracted keys:
<input type="HIDDEN" name="KeyStr" value="7241e48c3532f85b1ece8c73f2ab5b3f^91157">
<input type="HIDDEN" name="ParamStr" value="af89a26374cf9addc88f1d5fbfa86670|#|STUD_ID|&|91157|~|GROUP_ID|&|4873|~|GROUP_NAME|&|КН-13-2">
<a id="TabLeftBorderLink" href="javascript:GoToSubTable(6, '631495a2fe80603ee352b07ead601fdb^2014|1')">Go</a>
("6" and that 3 long keys are extracted)
The website shows that some key is invalid.
On the another page, where I don't need to POST that "HIDDEN" values, only values from the < a> tag everything works great.
So I thought the problem was caused by incorrect parsing the chars like & or something like this, maybe.
I've tried:
str_replace("&","&",$postdata["ParamStr"]);
//or
str_replace("amp;","",$postdata["ParamStr"]);
as well as:
$postdata["ParamStr"] = htmlspecialchars_decode($postdata["ParamStr"]);
But it doesn't work.
Is it possible in php to include a forms value into the action redirection?
For example:
<form method='POST' name='Select' action='customer.php?CID=xxxxx'>
<input type=text width='5' name='searchVal' />
where xxxxx is the value entered into the form.
I've tried a number of different ways and I'm just not figuring it out! (Still sort of new to php) Any help would be appreciated.
It was looking like I would have to use $_POST and $_GET. A little more information might be in order... customer.php displays a list of customers in order by ID, name, etc. The user currently clicks on the customer ID that they want to display the details for. I'm trying to add a box where they can just enter the customer number to get to the details quickly, but I still want to have the listing displayed. From what it is sounding like, I will have to do this as two separate programs...is that true?
How about this:
<form method='POST' name='Select' action='customer.php'>
<input type='hidden' value='xxxxx' name='CID' />
<input type=text width='5' name='searchVal' />
...
</form>
You are free to add as much hidden values as needed.
Note, that you can even use PHP-like array notation_
<input type='hidden' value='xxxxx' name='CID[1]' />
<input type='hidden' value='yyyyy' name='CID[2]' />
At the PHP-side, access those values using this syntax:
$_POST[ 'CID' ][ 1 ]
$_POST[ 'CID' ][ 2 ]
UPDATE-1
Ah, you want to use a user-entered values to the Action URL just before the form gets submitted?
In this case you need to use JavaScript. Access the DOM to change the Action URL.
But let me ask, why you need to post a form value additionally as a parameter of the Action URL?
UPDATE-2
You wrote: 'From what it is sounding like, I will have to do this as two separate programs...is that true?'
No, actually not. You can still use one customer.php which checks at its beginning, if it was called using a linked customer in the table element or a searched customer in the search field.
In other words: You don't need to prepare two scripts, but two forms for two purposes which call the same script customer.php.
You can include the required value in a hidden field in your form:
<input type="hidden" name="CID" value="xxxxx" />
The reason this is required is that you are submitting the form to your server via POST, but appending parameters to the URL requires submission via the GET method.
Not without a post to the server. The value in the form is filled in client-side, so it has to return to the server before you can add it to the action. (at least, if you want to use php).
You can either
add it after posting (might not be usefull)
use javascript
just not use the GET CID, but get it out of the POST in your customer.php script.
I got it finally! It's actually very simple!
In the body of the code I put this:
<form action='#_SELF' method='GET' name='Projected'>
<input type=text size=5 name='CID' value='' title='Enter Customer number to display' />
<a href='#' onclick='document.Projected.submit();' title='Enter Customer number to display'>Go</a>
And at the top of the code I just do a:
if (!isset($_GET['CID'])) { ...
It works exactly the way I wanted it to!
Thanks everyone for the help! I appreciate it! (And I'm learning more and more about PHP everyday!)
Im pretty sure you cant do that unfortunately