Why is my unserialize returning empty? - php

This could be a duplicate, but I couldn't find any one that helped.
I'm trying to pass an array of all the data to another page, through the post method of a form. It looks like this:
<form method="post" action="../resource_load/export.php" target="_blank">
<input type="hidden" name="tipo" value="<?=$_GET['tipo']?>">
<input type='hidden' name='excel_array' value='<?php echo htmlentities(serialize($_SESSION['excel_array']))?>'>
<input type='submit' class='submit' id='btnExport' value='Export to Excel' />
So here I serialize the $_SESSION data, and this is what it looks like:
value="a:1:{s:12:"dpi_strategy";a:1:{s:5:"Plan1";a:1:{i:0;a:9:{i:0;s:3:"PCR";i:1;s:11:"Description";i:2;s:4:"Task";i:3;s:8:"Resource";i:4;s:13:"Baseline Plan";i:5;s:10:"Trend Date";i:6;s:4:"User";i:7;s:20:"Data Inicialização";i:8;s:6:"Status";}}}}
And here is where I unserialize:
$Excel_array = htmlentities(unserialize($_POST['excel_array']));
Yet, it returns null. Why is that?

If you do this, use htmlentities() to encode and html_entity_decode() to decode with raw values.
Secondly, I don't believe it is a good idea to output the data of serialize and unserialize user-submitted data. The reason is code injection, which is a major security issue.
Instead, use json_encode() and json_decode().
Now, because I see you have special chars in your array (Data Inicialização), you are indeed correct to convert those characters to another entity, but as long as you have everything in UTF-8 it will work.
<input type='hidden' name='excel_array' value='<?php echo htmlspecialchars(json_encode($_SESSION['excel_array']), ENT_QUOTES) ?>'>
And:
# ../resource_load/export.php
var_dump(json_decode($_POST['excel_array']));
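An added example (not part of the original answers) of the json_encode()/json_decode() round trip for a hidden field, going one step further by attaching an HMAC so the receiving page can tell whether the value was changed in the browser. The names pack_field(), unpack_field() and SECRET_KEY are hypothetical, and the key shown is a placeholder.

```php
<?php
// Added example: JSON + HMAC round trip for a hidden form field.
// SECRET_KEY is a placeholder; load a random server-side key from configuration.
const SECRET_KEY = 'replace-with-random-server-side-key';

function pack_field(array $data): string
{
    $json = json_encode($data, JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, SECRET_KEY);
    // ENT_QUOTES escapes both " and ', so either attribute quoting style is safe.
    return htmlspecialchars($mac . '.' . $json, ENT_QUOTES, 'UTF-8');
}

function unpack_field(string $posted): ?array
{
    // The browser decodes the HTML entities before it submits the form,
    // so no html_entity_decode() is needed on the receiving side.
    $parts = explode('.', $posted, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $json] = $parts;
    if (!hash_equals(hash_hmac('sha256', $json, SECRET_KEY), $mac)) {
        return null; // value was modified on the client
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

// Constructed sample data, modelled on the array in the question.
$excel = ['dpi_strategy' => ['Plan1' => [['PCR', "O'Brien", 'Data Inicialização']]]];
$attr  = pack_field($excel);
echo "<input type='hidden' name='excel_array' value='$attr'>\n";

// Simulate what the browser posts back: the entity-decoded attribute value.
$posted = html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
var_dump(unpack_field($posted) === $excel);                 // untampered value
var_dump(unpack_field(str_replace('PCR', 'XXX', $posted))); // one field edited client-side
```

Because json_decode() only ever produces scalars, arrays and stdClass objects, a modified field cannot instantiate application classes the way unserialize() on posted data can.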

<?php
$temp = array();
$temp['aaa'] = "aaaaaaaaaaaaaaaaaaaaaaa";
$temp['bbb'] = "bbbbbbbbbbbbbbbbbbbbbbb";
$temp['ccc'] = "ccccccccccccccccccccccc";
$arr = array();
$arr['excel_array'] = $temp;
?>
<form method="post" action="">
<input type='hidden' name='excel_array' value='<?php echo htmlentities(serialize($arr['excel_array']))?>'>
<input type='submit' class='submit' id='btnExport' value='Export to Excel' />
</form>
<?php
if( isset($_POST['excel_array']) ) {
echo "<pre>";
$Excel_array = unserialize($_POST['excel_array']);
print_r($Excel_array);
}
?>
Remove htmlentities from unserialize, because you will unserialize an array and htmlentities uses strings.

Related

How to fix empty results from variables sent to php with api?

I am sending 2 variables from HTML form to php json decoding from api url but I got empty values.
<form action="2.php" method="post">
Word: <input type="text" name="q">
<input type="hidden" name="langpair" value="en|it">
<input type="submit">
</form>
to php file
$json = file_get_contents('https://api.mymemory.translated.net/get?q=<? echo $_POST["q"]; ?>;&langpair=<? echo $_POST["langpair"]; ?>');
$obj = json_decode($json);
echo $obj->responseData->translatedText;
I am getting empty page!
For security reasons, you should not pass the variables directly to the URL, but if you want to do it, it should be like this:
$json = file_get_contents('https://api.mymemory.translated.net/get?q='.urlencode($_POST["q"]).'&langpair='.urlencode($_POST["langpair"]));
It is because of your URL! Change it for this:
file_get_contents('https://api.mymemory.translated.net/get?q=' . $_POST["q"]. '&langpair=' . $_POST["langpair"]);

Passing an array to another page (Form)

I have the following array and form on page1.php:
$my_array = array("Volvo", "BMW", "Toyota");
echo " <form id=\"my_form\" action=\"page2.php\" method=\"post\" enctype=\"multipart/form-data\">
<input type=\"hidden\" name=\"id\" value=\"10\">
<input type=\"hidden\" name=\"input_name\" value=\"".serialize($my_array)."\" />
Send </form>";
On the page2.php I want to print_r the array:
$id = $_POST['id'];
$passed_array = unserialize($_POST['input_name']);
print_r($passed_array);
Why I can't receive my_array on page2? I can't see the mistake I made!
PS: I received id on page2.
I'm glad #ksealey pointed out a more proper method of doing this, but for the sake of answering the question... the reason it's not working is that the serialize alone is not enough to prevent the invalid HTML. See the result of what the serialize leaves in the HTML:
So you need to be sure the HTML you produce is valid. You might use an encoding like base64 to produce safe HTML:
echo " <form id=\"my_form\" action=\"\" method=\"post\"";
echo " enctype=\"multipart/form-data\">";
echo "<input type=\"hidden\" name=\"id\" value=\"10\">";
echo "<input type=\"hidden\" name=\"input_name\" ";
echo "value=\"".base64_encode(serialize($my_array))."\" />";
then you can just add the decode to your output:
$passed_array = unserialize(base64_decode($_POST['input_name']));
print_r($passed_array);
If there is data to be passed from page to page use a session
<?php
//Page 1
session_start();
$value = 'Value from page 1';
$_SESSION['page_1_value'] = $value;
?>
<?php
//Page 2
session_start();
echo 'Value from page 1: '.$_SESSION['page_1_value'];
$_SESSION = array(); //If you want to wipe the session data after
OR, pass as value params that get cleaned, JSON object maybe?
<form id="my_form" action="page2.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="id" value="10">
<input type="hidden" name="input_name" value="<?php echo htmlspecialchars(json_encode($my_array), ENT_QUOTES); ?>" />
<a href="javascript:{}" onclick="document.getElementById('my_form').submit(); return false;">Send</a>
</form>
<?php
//Page 2
$object = json_decode(strip_tags(stripslashes($_POST['input_name'])));
var_dump($object);
I will say the first answer is safer.
This is the HTML that your first page is generating:
<input type="hidden" name="input_name" value="a:3:{i:0;s:5:" volvo";i:1;s:3:"bmw";i:2;s:6:"toyota";}"="">
One easy solution would be to replace your double quotes in
value=\"".serialize($my_array)."\"
with single quotes as so:
value='" . serialize($my_array) . "'
or you can escape the quotes in your serialized array as so:
value=\"". htmlspecialchars(serialize($my_array))."\"
I will just add my 2 cents in here :)
You may want to use a framework of some sort as this will ease the job for you a lot with situations like this (or similar). For example with Codeigniter framework you could have a form (view) that sends data to controller and in controller you could just grab the whole array as so:
$data = $this->input->post('array');
// $data[0] should == 'Volvo'
So view:
<?php $my_array = array("Volvo", "BMW", "Toyota"); ?>
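<form id="my_form" action="<?php echo site_url('controller_name/controller_function'); ?>" method="post" enctype="multipart/form-data">
<input type="hidden" name="id" value="10">
<?php foreach ($my_array as $item): // one field per element, so post('array') returns the array ?>
<input type="hidden" name="array[]" value="<?php echo htmlspecialchars($item, ENT_QUOTES); ?>" />
<?php endforeach; ?>
</form>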
Controller:
public function foo() {
$data = $this->input->post('array');
for($i=0; $i<sizeof($data); $i++) {
echo $data[$i];
}
}

Passing php variable as hidden input where html is contained in one echo

<?php
if(isset($_POST['btnLogin'])){
$myVariable = $_POST['fieldParameter'];
if(condition){
//do something
}else{
echo "
<form method='POST' action='submit.php'><br/>
<input type='hidden' name='myVariable' value='<?php echo $myVariable; ?>'/>
<br/>
<input type='submit' name='btnSubmit' id='submit' value='Submit'>
</form>
";
}
}
?>
Notice that the variable $myVariable is contained in the main IF block. I'm trying to send the value of $myVariable to submit.php as hidden field.
Also, I enclosed all the HTML tags using one echo statement with double quotes.
I found related questions here in SO but can't find similar to embedding php within a long echo of html tags
I tried to put value='<?php echo $studentNo; ?>' with no success.
I want to access it in a submit.php file like this,
submit.php
<?php
$aVariable = $_POST['myVariable'];
echo $aVariable;
?>
How can I pass the value contained in $myVariable as hidden field? Is there something wrong with the way I use double and single quotes?
If you are already echoing a string you shouldn't put <?php echo "" ?> inside it again. You should concatenate your string instead. But in your case you don't even need to do that, because you're using double quotes for echoing which means you can simply just write your variable in it.
echo "<form method='POST' action='submit.php'><br/>
<input type='hidden' name='myVariable' value='$myVariable'/>
<br/>
<input type='submit' name='btnSubmit' id='submit' value='Submit'>
</form>";
If you were using single quotes for your echo, it would look like this:
echo '<form method="POST" action="submit.php"><br/>
<input type="hidden" name="myVariable" value="' . $myVariable . '"/><br/>
<input type="submit" name="btnSubmit" id="submit" value="Submit">
</form>';
You just need to type $myVariable instead of in your string. Double quotes "" only creates a string literal. It doesn't directly output data like inline HTML. As you can see from the syntax coloring in StackOverflow, the
You can try these variants (simplified):
// code before
echo "<input type='hidden' name='myVariable' value='$myVariable'/>";
// code after
// OR //
// code before
?>
<input type='hidden' name='myVariable' value='<?= $myVariable ?>'/>
<?php
// code after
Note that the quotes you use in HTML don't affect PHP, as long as you escape them properly (use \" and \' where appropriate).

PHP - Input hidden fields with variables that contain quotes

I try to make an editor for a job offer. It must have a preview function. There are 2 forms. The first form submits the preview, the second one appears when the preview is there and sends the variables to save them in the database. The problem is that when the second form gets submitted, all quotes disappear. I tried mysql_real_escape_string, htmlspecialchars, htmlentities, but nothing works. Do you have an idea where the problem is?
Could it be that there's a problem because I use the variable '$content' to store the site's content, instead of making a direct output with 'echo'?
Thanks!
<td><input style='float:left;' type='submit' name='jobpreview' value='preview' />
</form>";
if(isset($_GET['preview']))
{
$_POST['titel'] = htmlentities($_POST['titel']);
$_POST['elm1'] = htmlentities($_POST['elm1']);
$content .= " <td><form action='?s=intern&sub=neuerjob&preview' method='POST'>
<input type='hidden' name='titel' value='".$_POST['titel']."' />
<input type='hidden' name='elm1' value='".$_POST['elm1']."' />
<input style='float:left;' type='submit' name='jobsave' value='save' />
</form></td></tr></table>";
}
You need to use the second parameter to htmlentities() to encode the quotes.
$titel = htmlentities($_POST['titel'], ENT_QUOTES);
$elm1 = htmlentities($_POST['elm1'], ENT_QUOTES);
<input type='hidden' name='titel' value='".$titel."' />
<input type='hidden' name='elm1' value='".$elm1."' />
For this purpose, htmlentities() is overkill though, and you can use htmlspecialchars() also with the ENT_QUOTES param.
$titel = htmlspecialchars($_POST['titel'], ENT_QUOTES);
$elm1 = htmlspecialchars($_POST['elm1'], ENT_QUOTES);
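An added example (not from the original answer) showing why the flag matters for a single-quoted value='...' attribute: it builds the hidden input with ENT_COMPAT and with ENT_QUOTES, then parses the markup with DOMDocument to read back the value a browser would submit. The helper names hidden_input() and parsed_value() and the sample title are constructed for illustration.

```php
<?php
// Added example: what is read back from a single-quoted value='...'
// attribute under different escaping flags. Sample input is constructed.

function hidden_input(string $name, string $value, int $flags): string
{
    return "<input type='hidden' name='" . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . "' value='" . htmlspecialchars($value, $flags, 'UTF-8') . "' />";
}

function parsed_value(string $html): string
{
    // Collect parser errors internally; the ENT_COMPAT markup is deliberately broken.
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body><form>' . $html . '</form></body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input instanceof DOMElement ? $input->getAttribute('value') : '';
}

// Constructed job title containing both kinds of quotes and an ampersand.
$titel = "Developer for 'Team A' & \"Team B\"";

foreach (['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES] as $label => $flags) {
    $html = hidden_input('titel', $titel, $flags);
    $back = parsed_value($html);
    echo $label, "\n  markup: ", $html, "\n  parsed: ", $back, "\n  ",
         $back === $titel ? 'value intact' : 'value cut at the first unescaped quote', "\n";
}
```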

Problem in sending values between pages in PHP

I want to send data from one page to the other via a form in PHP. In the initial page I have included the following PHP script that generates an input form with hidden fields. The names of these hidden fields are generated by the PHP:
<?php
echo "<form class='available-form' name='available_os' method='get' action='process-results.php'>";
echo "<input type='hidden' name='$software'></input>";
echo "<input type='hidden' name='$version'></input>";
echo "<input type='submit' name='available-button' value='Find Available Libraries for this Software'></input>";
echo "</form>";
?>
In the second page, named process-results.php, I would like to get the names of these hidden fields via the $_GET method but of course using $_GET[$software] and $_GET[$version] wouldn't work... Can someone tell me if there is a solution to this issue or if there is a better alternative? Thanks in advance
Instead of
"<input type='hidden' name='$software'></input>";
you should use
"<input type='hidden' name='software' value='".$software."'></input>";
for each. This way, you can use $_GET['software'] to retrieve the value. Do this for each of your hidden inputs.
I think you may want something like:
<form ... >
<input type="hidden" name="software" value="<?php echo $software ?>" />
<input type="hidden" name="version" value="<?php echo $version ?>" />
</form>
and then
$_GET['software'];
$_GET['version'];
I'm not sure what you're trying to accomplish, but this looks odd to me. Isn't the below code more of what you're looking for?
<?php
echo "<form class='available-form' name='available_os' method='get' action='process-results.php'>";
echo "<input type='hidden' name='software' value='$software'></input>";
echo "<input type='hidden' name='version' value='$version'></input>";
echo "<input type='submit' name='available-button' value='Find Available Libraries for this Software'></input>";
echo "</form>";
?>
That way you will get a query string in form of ?software=yoursoftwarename&version=yourversion and it will be available via $_GET["software"] and $_GET["version"] on the next page.
You could iterate over each of the items in the $_GET array on process-results.php. The problem is that the keys for the value will be whatever $software and $version are set to on the first page. Try something like this:
foreach($_GET as $key=>$string) {
// Do stuff with them
}
Add
enctype="multipart/form-data"
to the tag... so it looks like
<form enctype="multipart/form-data" method......
If you really need to have the dollar-sign inside the name, escape it:
echo "<input type='hidden' name='\$software'>";
or put the string in single-quotes:
echo '<input type="hidden" name="$software">';
Otherwise PHP is looking for a variable named "$software". If you look inside the browser source you will see that the name attributes are empty (unless you have those variables defined somewhere).
