PHP search script confusion - php

While building a PHP application I have reached the point where I should work on the search engine script; however, I have a few questions about how to do it.
I have seen many guides and tutorials regarding that matter but none of them explained which method to take.
So options are:
Form with post method which provides posted keywords into function that does query
<?php
// Default to an empty string so the first page load (nothing posted yet) raises no warning
$keywords = preg_split('/[\s]+/', $_POST['keywords'] ?? '');
$products->search($keywords);
?>
<form action="" method="post">
<input type="text" name="keywords">
<input type="submit" value="submit">
</form>
Form with get method which alters http address like this ?keywords=x+y+z, keywords are being passed from $_GET in that case
<?php
// Default to an empty string when the page is opened without ?keywords=
$keywords = preg_split('/[\s]+/', $_GET['keywords'] ?? '');
$products->search($keywords);
?>
<form action="" method="get">
<input type="text" name="keywords">
<input type="submit" value="submit">
</form>
Form with post method which upon submit does redirect to the same page but with ?keywords=x+y+z addon
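<?php
// Redirect only when the form was actually submitted
if (is_string($_POST['keywords'] ?? null)) {
// URL-encode the keywords so spaces and special characters survive in the query string
header('Location: file.php?keywords=' . urlencode($_POST['keywords']));
exit();
}
?>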
<form action="" method="post">
<input type="text" name="keywords">
<input type="submit" value="submit">
</form>
<?php
// Default to an empty string until the redirect has added ?keywords=
$keywords = preg_split('/[\s]+/', $_GET['keywords'] ?? '');
$products->search($keywords);
?>
From what I have learned, the pure post method is pretty bad if you want to implement pagination. When switching pages via $_GET ?page=2, the post no longer holds and the search results are gone. I gather that I would have to switch pages via post as well, so I'm confused about which approach I should take. Thank you for all the tips :)

If you are doing a search, the correct method would be a GET, see the description of the various request methods from w3. On that basis a GET is more appropriate than a POST.
Having said that, you are retrieving some sort of resource and you could argue that the page is part of this, so either as you seem to propose you can do
/search?keywords=HAL&page=2
or this uri based version where page is part of the definition of the resource:
/search/2/?keywords=HAL
Or even go all out as
/search/keyword1/keyword2/2
(I'm not a fan of the last one per se, I favor the middle or the first; it all has to do with what you define as the resource you are trying to get, and what are the parameters. I'm sure the web is full of discussions that would be rather long-winded to post here)
Realise that you are not talking about $_GET vs $_POST. These are PHP implementations. You should decide what METHOD you will accept as request, and you can then look at those globals to find out where the information lies.
My advice would be to
read up on those methods (see the link to w3)
while you're at it, check out filter_input
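Added example (not part of the original question or answer): a GET search handler in which every pager link carries the keywords, so the search survives a page change. The function names and the MAX_KEYWORDS / MAX_PAGE limits are hypothetical, and the query array is passed in as an argument so the script runs offline; on a real page pass $_GET or read each field with filter_input(INPUT_GET, ...).

```php
<?php
// Added example, not the asker's code. All names and limits here are hypothetical.
const MAX_KEYWORDS = 10;
const MAX_PAGE = 1000;

// Normalise the request: a list of keywords and a page number that is always valid.
function search_request(array $query): array
{
    $raw = $query['keywords'] ?? '';
    if (!is_string($raw)) {
        $raw = '';                      // ?keywords[]=x arrives as an array
    }
    $keywords = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    $keywords = array_slice($keywords, 0, MAX_KEYWORDS);

    // Page must be an integer in range; anything else falls back to page 1.
    $page = filter_var($query['page'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_PAGE]]);
    return ['keywords' => $keywords, 'page' => $page === false ? 1 : $page];
}

// http_build_query() URL-encodes the values (spaces become "+").
function page_url(array $keywords, int $page): string
{
    return '/search?' . http_build_query(['keywords' => implode(' ', $keywords), 'page' => $page]);
}

function pager_html(array $keywords, int $current, int $last): string
{
    $links = [];
    for ($p = 1; $p <= $last; $p++) {
        // The URL is placed in an HTML attribute, so escape it for that context.
        $href = htmlspecialchars(page_url($keywords, $p), ENT_QUOTES, 'UTF-8');
        $links[] = $p === $current ? "<strong>$p</strong>" : "<a href=\"$href\">$p</a>";
    }
    return implode(' ', $links);
}

// Constructed sample requests: a normal one and a malformed one.
$samples = [['keywords' => ' HAL  9000 ', 'page' => '2'], ['keywords' => ['x'], 'page' => '-1']];
foreach ($samples as $query) {
    $req = search_request($query);
    echo json_encode($req), PHP_EOL, pager_html($req['keywords'], $req['page'], 3), PHP_EOL;
}
```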

Related

How to use input submit value and GET (link the submit value to another page) in a single click?

I am trying to submit an input value and want to pass the value to another page through GET, but for that I have to click two buttons.
I want the same in a single click. Help required.
Code:-
<form method="post">
<input name="inwardid" type="text" id="inwardid" />
<?php $inwardid = $_POST['inwardid'] ?? ''; /* empty until the form has been submitted */ ?>
<input type="submit" value="Next" />
</form>
<a href="addbook.php?up=<?php echo urlencode($inwardid); ?>"><button>Proceed</button></a>
You want to send the value the user typed in to the other page. So use this for your <form>:
<form method="POST" action="addbook.php">
<input name="up" type="text" id="up">
<input type="submit" value="Proceed">
</form>
To access the value in addbook.php, use $_POST['up'].
This will send the value the user typed in the input label (type="text") to the addbook.php page, using a $_POST. No need for a $_GET, $_POST will do just fine.
As you deliberately asked for method GET, my solution shows you GET!
You must know there is no security issue when using GET. It depends what you want to do. GET is useful if you want to use a dynamic code in multiple ways depending on some variables that you do not want to hard-code in your script, or simply do not want to send files or other huge data.
Let's assume a newspaper has a site called breaking_news.php and you want to access the breaking news of November 8, 2016; you could use this as:
breaking_news.php?y=2018&m=11&d=08
The fact that one can see your GET vars means nothing. Even by using POST one can see your variables by looking at your code. And one way or the other you must protect against code injection and brute force.
But if you're not in the mood to show these vars to your visitor, you can use URL rewriting to rewrite the URL above in the browser as
RewriteRule ^breaking/(.*)/(.*)/(.*)/news\.html$ breaking_news.php?y=$1&m=$2&d=$3 [NC,L]
so you send your visitor to see the (rewritten)URL
breaking/2018/11/08/news.html
but what the web-server is showing him is:
breaking_news.php?y=2018&m=11&d=08
A reason to use this is, for example, when you want your dynamic site to be taken into consideration by some search engine as a static site, and get indexed. But this is again another battlefield.
Second, you want to send the variable to "addbook.php", and not to itself.
Your question sounded like you want to send to "another page" not to the same page.
Third, I can see in your code snippet you want to submit the variable "up" and not "inwardid", as you did in your code.
And also I can see you want the "submit" button to be called "Proceed".
Your code would look like this:
<form method="GET" enctype="application/x-www-form-urlencoded" action="addbook.php" target="_blank">
<input name="up" type="text" id="inwardid" />
<input type="submit" value="Proceed" />
</form>
As I said, you must protect against injection, and this means, for example, that in "addbook.php", to which you are sending the variables, you must write some code that protects you against these issues. As your question is not in this direction I will not enter this subject.
To avoid problems with special chars you must "url-encode" your variables, especially when sending them via the POST method. In this case you must use this enctype if you're handling text, because this enctype transforms special chars into the corresponding ASCII hex values.
Using GET you're safe, because GET can't send in another enctype. So your variable will automatically be URL-encoded and you receive a string that is compliant with RFC 3986, similar to using:
rawurlencode($str)
Let's assume some smart guy fills in your input box with the following code, in the desire to break your site. (This here is not exactly dangerous code, but it looks like code that is.)
<?php echo "\"?> sample code in c# and c++"; ?>
Using enctype="application/x-www-form-urlencoded" this will become something like this:
%3C%3Fphp%20echo%20%22%5C%22%3F%3E%20sample%20code%20in%20c%23%20and%20c%2B%2B%22%3B%20%3F%3E
which makes it safe to be transported in a URL, and after receiving and cleaning it using
strip_tags(rawurldecode($_GET['str']))
it would output something like this, which is a harmless string.
sample code in c# and c++
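Added example (not part of the original answers): one way the receiving side of addbook.php could treat the "up" value, escaping it for the context it is written into instead of stripping characters from it. The function names, the 64-byte limit and the "Inward ID" label are hypothetical; the sample string is the one used in the answer above.

```php
<?php
// Added example, not from the original answers. render_addbook() stands in for addbook.php;
// the query array is passed in so the script runs offline (on a real page pass $_GET).

function addbook_link(string $value): string
{
    // Two contexts, two encodings: rawurlencode() for the query-string value,
    // then htmlspecialchars() because the whole URL sits inside an HTML attribute.
    $href = 'addbook.php?up=' . rawurlencode($value);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Proceed</a>';
}

function render_addbook(array $query): string
{
    $up = $query['up'] ?? '';
    // Reject missing values, arrays (?up[]=x) and oversized input before using it.
    if (!is_string($up) || $up === '' || strlen($up) > 64) {
        return '<p>Missing or invalid value.</p>';
    }
    // PHP has already URL-decoded the values in $_GET, so nothing is decoded again here:
    // a second decode would turn a literal "%2B" typed by the user into "+".
    // htmlspecialchars() keeps every character of the input but renders it as text.
    return '<p>Inward ID: ' . htmlspecialchars($up, ENT_QUOTES, 'UTF-8') . '</p>';
}

// The sample input from the answer above, plus two constructed requests.
$sample = '<?php echo "\"?> sample code in c# and c++"; ?>';
echo addbook_link($sample), PHP_EOL;
echo render_addbook(['up' => $sample]), PHP_EOL;
echo render_addbook(['up' => 'INW-2041']), PHP_EOL;
echo render_addbook(['up' => ['a', 'b']]), PHP_EOL;
```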

Data is not sent from a form. MODX revolution

CMF MODX revolution
There is a template with a form
<form action="http://localhost/index.php?id=3" method="post">
<input type="name" name="name">
<input type="search" placeholder="Все товары" name="search_bar">
<input type="submit" value="">
<div style="clear: both;"></div>
</form>
which calls a snippet which contains a debugging line:
echo '|||||||||||| ', $_POST['search_bar'];
The problem.
If I put a value into the search bar, echo will not show anything. But if I save the template before I put the value into the search bar and click the submit button, then echo displays the right value from the search bar.
I suppose the problem is in caching. But I cleaned it and it is cancelled everywhere (at least I think so, exploring the administrator panel).
For Snippets that depend on user input (like a search query) you will want to call them uncached: [[!mySnippet]]
However if you want to gain a bit of performance you can wrap the Snippet call with Jason Coward's getCache, and by default it caches to a unique cache key based on the $_GET parameters. In other words, each search query would get its own cache object. This helps when there are repeat searches for the same string.

Feeding a list of URLs from an HTML form to PHP array

I have a .php file which I will be using to submit requests to a certain API. This API will return information regarding certain domain URLs, such as the domain's age, PageRank, etc.
The part of the PHP file which is responsible for feeding the API call URL with the domain names I'm interested in looks as follows:
$batchedDomains = array('www.example.com', 'www.cnn.com', 'www.apple.com');
What I would like to do is feed this array information through a very simple HTML form. My current HTML for the form looks as follows:
<form name="myform" action="apitest.php" method="POST">
<input type="hidden" name="check_submit" value="1" />
URL List:<br />
<textarea name="urls" rows="20" cols="60">Enter URLs</textarea><br />
<input type="submit" />
</form>
Here is what I would like to see happen: whenever I enter a list of domain URLs into the HTML form (one domain per line), I would like the $batchedDomains array to be populated with those values.
Can anyone help me out with this? Or if you have a suggestion for a different solution I'm of course willing to hear it out.
I do not want this information printed anywhere, as it will simply be used by the php script to call the API and display the results.
Thank you.
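// Split on any newline style (browsers submit "\r\n", which PHP_EOL does not match on Linux) and trim each line
$urls = array_filter(array_map('trim', preg_split('/\R/', $_POST['urls'] ?? '')), 'parse_url');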
Or pass a custom callback with filter_var() + FILTER_VALIDATE_URL for stricter checks
If you're just entering one per line, you can split the textarea string by newlines, see https://stackoverflow.com/a/1483501/2213444.
<?php
// has no error checking, you'll want to check that $_POST['urls'] exists
$textarea = explode("\r\n", $_POST['urls']);
print_r($textarea);
?>
<form action="" method="post">
<textarea name='urls' rows='20' cols='60'>
</textarea>
<input type="submit">
</form>
Working Example
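Added example (not part of the original answers): turning the posted textarea into the $batchedDomains array with per-line validation. It uses FILTER_VALIDATE_DOMAIN with FILTER_FLAG_HOSTNAME rather than the FILTER_VALIDATE_URL mentioned above, because the sample entries are bare hostnames without a scheme; parse_domain_list() and the MAX_DOMAINS cap are hypothetical.

```php
<?php
// Added example, not from the original answers. Names and the cap are hypothetical.
const MAX_DOMAINS = 50;

function parse_domain_list(string $raw): array
{
    $domains = [];
    // \R matches \r\n, \n and \r, so the result does not depend on the client's line endings.
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = strtolower(trim($line));
        // Accept either a bare host or a full URL; keep only the host part.
        if (strpos($line, '://') !== false) {
            $line = (string) parse_url($line, PHP_URL_HOST);
        }
        if ($line === '') {
            continue;
        }
        // FILTER_FLAG_HOSTNAME enforces hostname syntax (letters, digits, hyphens, dots).
        $host = filter_var($line, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
        if ($host === false || strpos($host, '.') === false) {
            continue;                   // not a hostname, or a single label such as "localhost"
        }
        $domains[$host] = true;         // array keys de-duplicate repeated entries
        if (count($domains) >= MAX_DOMAINS) {
            break;                      // bound the size of the batch sent to the API
        }
    }
    return array_keys($domains);
}

// Constructed textarea content, as a browser would submit it (CRLF line endings).
$posted = "www.example.com\r\nhttps://www.cnn.com/world\r\n\r\nWWW.APPLE.COM \r\n"
        . "not a domain\r\nwww.example.com\r\n";

// On the real page: $batchedDomains = parse_domain_list($_POST['urls'] ?? '');
$batchedDomains = parse_domain_list($posted);
print_r($batchedDomains);
```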

Include form data in the middle of "action" attribute

I'm working on building a more user-friendly frontend access page in Wordpress for a content library built on ContentDM (http://www.oclc.org/support/questions/contentdm/default.htm). One of the things that was requested as part of the site was a search form that instead of searching Wordpress, goes to the ContentDM library and searches there.
It appears that the search syntax for ContentDM is as follows:
http://libraryID.contentdm.oclc.org/cdm/search/searchterm/INPUT_TERM/order/nosort
With "INPUT_TERM" being whatever the user searched for.
In other words, in order to create a search form that went directly there, I'd have to dynamically insert the contents of the input element into the middle of the "action" attribute of the form.
I'm guessing my best bet is to just send it to a PHP page that sticks $_POST['whatever'] into the URL and does a redirect. But is there in fact a way to do it dynamically from the form (ideally without Javascript) and save a step?
Thanks!
I guess something like this could work:
<form action="" method="get"
onSubmit="location.href='http://libraryID........./'+encodeURIComponent(this.children[0].value)+'/order/nosort'; return false;">
Search: <input type="search" />
<input type="submit" value="Go" />
</form>
This will redirect the browser to the search page given in the search box, however it's not terribly reliable.
You might want to see if there's a query string "version" of the URL - maybe that search URL is affected by mod_rewrite to "look pretty", and you might be able to have http://libraryID.contentdm.oclc.org/cdm/search as the action, and have the input field named searchterm:
<form action="http://libraryID.contentdm.oclc.org/cdm/search" method="get">
Search: <input type="search" name="searchterm" />
<input type="submit" value="Go" />
</form>
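Added example (not part of the original question or answer): the PHP redirect page the asker describes, with the search term encoded as a single path segment and the target host fixed in a constant. "libraryID" is the post's own placeholder; the function name, the "q" field name and the length limit are hypothetical, and whether ContentDM accepts an encoded "/" inside a term is an assumption to check against the service.

```php
<?php
// Added example, not from the original post. Names and limits are hypothetical.
const CONTENTDM_SEARCH = 'http://libraryID.contentdm.oclc.org/cdm/search/searchterm/';
const MAX_TERM_BYTES = 200;

function contentdm_search_url(string $term): ?string
{
    // Replace control characters (including CR/LF) with spaces, then collapse whitespace.
    $term = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $term);
    $term = trim(preg_replace('/\s+/', ' ', $term));
    if ($term === '' || strlen($term) > MAX_TERM_BYTES) {
        return null;
    }
    // rawurlencode() also encodes "/" and "?", so the term stays one path segment
    // and cannot add segments or a query string to the target URL.
    return CONTENTDM_SEARCH . rawurlencode($term) . '/order/nosort';
}

if (PHP_SAPI !== 'cli') {
    // Web request: the form uses method="get", this script as action, and <input name="q">.
    $raw = filter_input(INPUT_GET, 'q');
    $url = contentdm_search_url(is_string($raw) ? $raw : '');
    if ($url === null) {
        http_response_code(400);
        exit('Please enter a search term.');
    }
    // Host and path prefix are constants, so the redirect target is never user-chosen.
    header('Location: ' . $url, true, 302);
    exit;
}

// Command line: show the mapping for a few constructed inputs.
foreach (['civil war letters', 'maps/1890?x=1', "   \r\n "] as $sample) {
    var_dump(contentdm_search_url($sample));
}
```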

Using POST method to hide URL parameters

I understand that I am able to use the POST method for URL parameters to display data according to a specific variable, I know how to make use of the GET method - but I am told that the POST method can be used to hide the part of the URL that is like this.
/data.php?parameter=1234
What is the actual difference of the two methods in terms of URL parameters?
Below is some code that fetches data from a database according to the id of a specific link
<?php
//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');
//This is the actual interaction with the database, according to the id.
$query = mysql_query("SELECT * FROM table WHERE id=" .$_GET['id'] . ";") or die("An error has occurred");
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if( mysql_num_rows($query) < 1 )
{
header('Location: 404.php');
exit;
}
//Here each cell in the database is fetched and assigned a variable.
while($row = mysql_fetch_array($query))
{
$id = $row['id'];
$title = $row['title'];
$month = $row['month'];
$day = $row['day'];
$photo = $row['photo'];
$text = $row['text'];
}
?>
On a separate page I generate links to the data.php file according to the ID like so:
<?php echo $content['title']; ?>
Forgetting that there are potential SQL injections that can occur through the above code, how would I go about making use of the POST method in order to hide the URL parameters, or at least not display them like this:
http://example.com/data.php?id=1
In order to use POST, you will need to use a <form> tag, and depending on how you are pulling up these URLs, it could be easier to use javascript to help out. Here's a basic example:
<form method="post" action="data.php">
<input type="hidden" name="parameter" value="1234" />
<input type="submit" value="Go" />
</form>
The Go button would POST the form data, and now in data.php you will be able to retrieve the value from $_POST['parameter']. Note that when using POST, you will probably want to redirect (HTTP 302) back to a page so that when a user hits the back button, the browser doesn't prompt to resubmit the form.
Using javascript, you could set the parameter input to a different value before posting the form.
Use method "POST" for your form. I had the same issue, just adding POST to the form removed the parameters from the URL
<form id="abc" name="abc" action="someaction.php" method="post">
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>
<input type="submit" id="submit" name="submit" value="submit"/>
</form>
To POST values, a browser would have to use a form with method="post", or javascript simulating a form. Various developer tools (Firebug, etc) can convert GET forms to POST forms, but generally, a form is what is required.
In theory GET requests should not have any side effects, and "should" be consistent from request to request. That is, the server should return the same content. In today's world of just about everything being dynamic, this might be of little practical design significance.
Whether you use GET or POST, the parameters will appear in $_REQUEST. The critical difference is that using POST allows the variables NOT to appear in URL history. This decreases the visibility of data such as passwords which you do not want to show up in URL history. To use POST instead of GET, simply produce <form method="POST" ...> in the document.
Even better is to store sensitive values (like user ids) in cookies, so that they don't appear in $_REQUEST at all. Since the contents of cookies are provided in extra HTTP request headers, not in the content, they are generally not stored as part of the history.
In order to use POST instead of GET, you would need to use an HTML form tag in your html, like so:
<form method="POST" action="/data.php">
<input type="hidden" name="parameter" value="1234" />
<button type="submit">Submit</button>
</form>
When submitted, your URL will just be /data.php and parameter=1234 will be in your (hidden) post buffer.
Make sense?
To do a POST, you have to use a form, or some javascript/ajax trickery. An <a> will only ever cause a GET request.
Note that POST requests can still have query parameters in the URL. It's not "normal" to have them, but they are allowed. The main difference being that with a GET request (ignoring cookies), the URL is the ONLY way to send parameters/data to the server. With POST, you can use both the URL, and the body of the POST request, which is where POSTed form data is normally placed.
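Added example (not part of the original question or answers): the lookup from data.php written with a validated integer id and a PDO prepared statement, which applies whether the id arrives by GET or by POST. It assumes the pdo_sqlite extension and uses a constructed in-memory table named entries so it runs offline; find_entry() is a hypothetical name, and on the real site the PDO connection would point at the MySQL database.

```php
<?php
// Added example, not the asker's code. Table name, rows and function name are constructed.

function find_entry(PDO $db, $rawId): ?array
{
    // The id must be a positive integer; strings with extra text and arrays are rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as a parameter and never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, title, month, day, photo, text FROM entries WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, month TEXT,
           day TEXT, photo TEXT, text TEXT)');
$db->exec("INSERT INTO entries VALUES (1, 'First entry', '11', '08', 'a.jpg', 'Hello')");

// On the real page: $row = find_entry($db, $_GET['id'] ?? null);
// and when $row is null: header('Location: 404.php'); exit;
foreach (['1', '2', '1 OR 1=1', ['1']] as $candidate) {
    $row = find_entry($db, $candidate);
    echo json_encode($candidate), ' => ', $row === null ? '404' : $row['title'], PHP_EOL;
}
```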
