I have 2 php variables:
$account_name
$my
If I use function:
var_dump($account_name);
I get:
string(192) "admin"
$account_name is displayed like a link to account name
If I use function:
var_dump($my);
I get:
string(5) "admin"
How can I change the variable $account_name so that it returns only the "admin" string?
I have a problem because if I use $account_name in an SQL query nothing happens, but if I use $my it works.
It might be the case that your $account_name contains HTML tags. Since you are viewing it in a browser, it is processed as HTML. You need to extract the value from those tags.
Take a look at this post.
Try:
$account_name = strip_tags($account_name);
strip_tags reference
It is likely that your string contains non readable characters.
Try to strip the string using this example:
var_dump(preg_replace("/[^(\x20-\x7F)]*/", '', $account_name));
If it works it should return: string(5) "admin"
How are you setting your variables?
If you're getting it from a form like this:
<form action="/" method="get">
<input name="username" placeholder="Username">
<button>click me</button>
</form>
You should simply collect the value of the input, extracting the value in PHP:
<?php
$account_name = $_GET["username"];
echo $account_name;
?>
In some cases you might want to strip the variables with trim($_GET["username"]); to remove spaces before and after the string.
I have this set in top of page
if (isset($_GET["edit"]) and !empty($_GET["edit"])) {
$edit_id=(int)$_GET["edit"];
$edit_id=sanitize($edit_id);
}
and then I do this with my action. On the topbar it shows the number of the id,
but if I do "view source" I see this:
<form class="form" action="categories.php<?=((isset($_GET['edit']))?'?edit=.$edit_id':'');?>" method="post">
Why is it not getting the id?
Because you are setting it as a literal string. Try:
action="categories.php<?php echo (isset($_GET['edit']) ? '?edit='.$edit_id : ''); ?>"
There are a couple issues going on here:
You are trying to use variables inside single quotes
You are using string concatenation from within a string, which is effectively a period
Try this:
<?php
// We can check this way since you sanitize it at the top
$param = (isset($edit_id) && is_numeric($edit_id)) ? '?edit='.$edit_id : '';
?>
<form
class="form"
action="categories.php<?php echo($param); ?>"
method="post">
Every piece of research I look up refers to replacing the ampersand with %26, when in fact I want to replace %26 in the URL with the ampersand.
At the moment each time I pass the url under the GET command I get %26 back.
For example the code I am passing in the form is as follows
<form method="get" action="<?php echo $_SERVER['PHP_SELF'];?>">
<input type="text" id="stg" name="stg" size = "25" value="<?php echo '?pn=' . $sub1 .'%26'.$jrny.'&Subject='.$Subject.'&pn2='.$sub1. '&arc='.$sess.'&Table_Id='.$Table_Id; ?>" />
When I try string replace or rawurlencode functions I still end up with %26. What am I doing wrong?
Thanks
You can use the urldecode function:
print_r(urldecode ( "%26" ));
will print out:
&
I am currently writing some search engine, where this page is retrieving some _GET variables from a previous page. This is working as intended.
Now I am using those variables as default value in a POST form. However, for some reason, only the first word for each of them is showing up. The form code is as follows:
<form action = "insert.php" method = 'POST'>
Place name <input type="text" name="name" size = "30" value= <?php echo $_GET['name']; ?> />
Note that when echoing $_GET['name'] anywhere else in the page, everything is fine. Multiple words show up as expected, but when I use it as a text box default value, only the first word shows up on the textbox.
At first, I thought it had something to do with the way those $_GET variables are sent in the URL so I tried this:
$fullname = array();
$fullname = explode("%20", $_GET['name']);
$aaa = implode (' ',$fullname);
...
Place name <input type="text" name="name" size = "30" value= <?php echo $aaa; ?> />
but the result is still the same. If I echo it anywhere else in the page I get the full string, but if it's inside the form only the first word shows up.
What am I missing here?
The value attribute of the input tag needs to be in quotes:
<input type="text" name="name" size = "30" value="<?php echo $_GET['name']; ?>" />
Otherwise, if $_GET['name'] contains spaces you'll end up with something like: value=John Smith. That will be understood as value=John with an invalid Smith attribute floating around.
Also, consider sanitizing $_GET['name'] with htmlspecialchars. Consider what would happen if $_GET['name'] was "/><script>alert(0)</script><. You'd end up embedding user-controlled code on your website, resulting in a reflected XSS.
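The three ways of writing that value attribute, side by side, as an added example that is not part of the original answer. The function names are hypothetical and the sample values are constructed, apart from the string quoted in the answer above.

```php
<?php
// Added example. Function names and sample values are constructed for illustration.

// As in the question: the value attribute is neither quoted nor escaped.
function input_unquoted(string $name): string
{
    return '<input type="text" name="name" value=' . $name . ' />';
}

// Quoted only: fixes the "first word" symptom, but the value can still close the attribute.
function input_quoted(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '" />';
}

// Quoted and escaped for an HTML attribute context.
function input_escaped(string $name): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="name" value="' . $safe . '" />';
}

// True when the rendered markup contains a live <script> tag.
function has_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$samples = [
    'John Smith',
    '"/><script>alert(0)</script><', // the value quoted in the answer above
];

foreach ($samples as $value) {
    foreach (['input_unquoted', 'input_quoted', 'input_escaped'] as $render) {
        $html = $render($value);
        printf("%-15s script tag: %-3s %s\n", $render, has_script_tag($html) ? 'yes' : 'no', $html);
    }
    echo PHP_EOL;
}

// In the page itself the call would be: echo input_escaped($_GET['name'] ?? '');
```

Only the escaped variant keeps both sample values inside the attribute; quoting alone is enough for "John Smith" but not for a value that contains a double quote.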
I am sending info from an HTML form through the URL to be used at the destination web page.
One of these bits of info is a user defined message from a textarea, potentially with line breaks. I've encoded the linebreaks as %0A.
I wanted to use $var = $_GET["param"] to retrieve the message and store in a variable, but of course $_GET strips the %0A and replaces with spaces, which is killing the user formatting.
Is there some way I can get this into the variable either with the %0A intact, or converted to <br>'s?
Thanks for your help.
UPDATE: Here's the code
Example URL:
http://blahblahblah.com/thankyou.php?type=e&gift=1&remail=simon#shokstudio.com&rname=Simon&demail=simon#shokstudio.com&dname=Simon&msg=e.g.%20Dear%20Bob,%20%0A%0AMerry%20Christmas%20and%20a%20Happy%20New%20Year%20to%20you.%20I%20hope%202014%20brings%20you%20much%20joy%20and%20happiness%20to%20you%20and%20your%20loved%20ones.%0A%0ABest%20Wishes,%0A%0ADave%0A%0A%20
PHP processing URL:
<?php
if ( "e" == $_GET["type"]) :
$gift_type = "Ecard";
else :
$gift_type = "PDF";
endif;
$gift_number = $_GET['gift'];
$donor_name = $_POST['dname'];
$donor_email = $_GET['demail'];
$recipient_name = $_POST['rname'];
$recipient_email = $_GET['remail'];
$custom_text = $_POST['msg'];
echo $_POST['msg'];
Use POST instead of GET. This works fine.
form.php
<form method="POST" action="my_form.php">
<input type="text" name="param">
<input type="submit">
</form>
my_form.php
<?php
echo $_POST['param'];
?>
You can either use nl2br or str_replace or preg_replace. But using POST instead of GET would be a better and safe solution.
Since you are using a web form with a text area, I would suggest using the POST method and then using the $_POST (or $_REQUEST) variable instead. All entered data should be in there, with enters and all special characters.
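Whichever method carries the message, it has to be HTML-escaped before its line breaks are converted for display. An added example, not part of the posts above, using the nl2br function one answer mentions; the query string is constructed sample input and the two render_* helpers are hypothetical names.

```php
<?php
// Added example. The query string is constructed sample input.
$query = 'msg=Dear%20Bob,%0A%0AMerry%20Christmas%20%3Cb%3Eto%20all%3C/b%3E%0ADave';

// parse_str() URL-decodes a query string the same way PHP populates $_GET,
// so %0A becomes a real "\n" character in the value.
parse_str($query, $params);
$msg = $params['msg'];

printf("newline characters in decoded value: %d\n\n", substr_count($msg, "\n"));

// Correct order: escape the user text first, then turn "\n" into <br>.
function render_message(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($escaped, false); // false => emit <br> rather than <br />
}

// Wrong order, shown for comparison: the <br> tags that nl2br() adds are
// escaped along with the user text and show up literally on the page.
function render_message_wrong_order(string $msg): string
{
    return htmlspecialchars(nl2br($msg, false), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "escape, then nl2br:\n", render_message($msg), "\n\n";
echo "nl2br, then escape:\n", render_message_wrong_order($msg), "\n";

// In the page itself the call would be: echo render_message($_POST['msg'] ?? '');
```

Skipping the escape step to keep the `<br>` tags would also pass through any markup the user typed into the textarea, such as the `<b>` in the sample.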
I understand how a PHP URL works - I think ... but I'm having problems getting the actual value of the variable to be passed in the example below.
Example
Note: I am adding the below form into a data cell (as part of a table being read via PHP).
$currentrowid = 1;
echo '<td>
<div class="editdelete">
<form action="phpindex.php?page=edit&thisrow=<?php echo $currentrowid;?>" method="post">
<input type="submit" value="Edit" >
</form>
</div>
</td>';
... Some other section of code to read the URL output by the form above:
$val = $_POST['thisrow'];
echo "the value is: " .$val; //Outputs "$currentrowid"
So, as you can see the code returns the actual name of the variable being passed, NOT the value of the variable being passed.
Any ideas here?
Since you are already within a PHP block, you should not wrap your variable within <?php ... ?>. This will give you an error.
To make this work, you can choose 1 of 2 options:
1) String Concatenation:
echo '... <form action="phpindex.php?page=edit&thisrow='.$currentrowid.'" method="post"> ...';
2) Wrap your string in " (double quotes) instead of ' (single quotes):
echo "... <form action=\"phpindex.php?page=edit&thisrow=$currentrowid\" method=\"post\"> ...";
Note that the second method forces you to escape all the double quotes inside of your string.
2 point.
<form action="index.php?thisrow=<?php echo $currentrowid ?>"
method="post">
You should use $_POST not $_GET to get the post value.
As what was answered above,
<form action="index.php?thisrow=<?php echo $currentrowid; ?>" method="post">
is correct.
The reason behind this is you are passing HTML and you have to use an echo from php to output to the html. Otherwise you just get exactly what you put, which is $currentrowid.
Not the easiest, but a quick way to solve your problem. Change your form method to get method="get">, then
$val = $_GET['thisrow'];