PHP Header Location with parameter - php

Is it possible to append a parameter to a PHP Header Location? I'm having trouble getting it to work. Is this syntax actually allowed?
$qry = $_SERVER['QUERY_STRING'];
header('Location: http://localhost/blast/v2/?$qry ') ;
It just won't replace $qry with its actual value... why?
in the browser it ends up looking like this:
http://localhost/blast/v2/?$qry
thanks

Change the single quotes to double quotes:
header("Location: http://localhost/blast/v2/?$qry");
A single quoted string in PHP is treated as a string literal, which is not parsed for variables. Double quoted strings are parsed for variables, so you will get whatever $qry contains appended, instead of literally $qry.

You can also add multiple parameters via a header like:
$divert=$row['id']."&param1=".($param1)."&param2=".($param2);
header("Location:showflagsab.php?id=$divert");
which adds the two additional parameters to the original id.
These can be extracted using the $get method at their destination.

I know this is a very old post, but please, do not do this. Parameters in a header are XSS vulnerable. You can read more about XSS'ing here: owasp.org/index.php/Cross-site_Scripting_(XSS)

wiles How to Fix the XSS attack on header location
$param = $_REQUEST['bcd'];
header("Location: abc.php/?id=$param");
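One way to harden the redirects shown in this thread, as an added example that is not code from any of the posters. The function name `build_redirect` and the allow-list are hypothetical, and it assumes the id is meant to be a positive integer:

```php
<?php
// Added example: the redirect target is assembled only from validated parts.

/**
 * Return a relative Location value, or null when the input is not acceptable.
 * $allowedPages is a hypothetical allow-list of script names (no extension).
 */
function build_redirect(string $page, $id, array $allowedPages): ?string
{
    // The page name must match a known entry; raw input is never concatenated.
    if (!in_array($page, $allowedPages, true)) {
        return null;
    }
    // The id must be a positive integer. FILTER_VALIDATE_INT rejects quotes,
    // markup, line breaks and anything else that is not a plain number.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // http_build_query() percent-encodes the value for the query string.
    return $page . '.php?' . http_build_query(['id' => $id]);
}

// Constructed inputs standing in for request parameters such as $_GET['pid'].
$allowed = ['index', 'about'];
$samples = [
    ['about', '27'],                  // plain number
    ['about', "27'"],                 // stray quote, as in the %27 case
    ['about', '<b>3</b>'],            // markup instead of a number
    ['http://other.example/', '3'],   // page name not on the allow-list
];
foreach ($samples as [$page, $id]) {
    $target = build_redirect($page, $id, $allowed);
    if ($target === null) {
        // A real handler would answer with http_response_code(400) and exit.
        echo "rejected: page=$page id=$id", PHP_EOL;
        continue;
    }
    // In a web request this would be: header('Location: ' . $target); exit;
    echo 'Location: ', $target, PHP_EOL;
}
```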

Related

Page name as a php variable

I am working on a project that requires me to redirect the user to a php page. And the name of the page to be redirected to is stored as a php variable. This is what I tried. Suppose $var is the name of the php file. I want to do something like this,
if(condition)
{
header("Location: '$var'.php");
}
How do I do this?
You simply need to follow string concatenation here. Try this:
if (condition) {
header("Location: ".$var.".php");
}
Refer to String Operators
You have to concatenate the string which you have stored the page name into the header location tag so that then only it will read the name that you have stored.
More Clear Explanation: You have used a double quoted string for the header location and hence you need to close off the double quoted string and then reopen it again with a double quoted string alone. This might be the correct procedure for appending or concatenating it into the variables.
Example:
<?php
$page='index';
$page_one ='about';
?>
Hence you need to concatenate the variable as follows into the PHP tags.
<?php
if (condition) {
header("Location: ".$page.".php");
}
?>

passing variables from form to update but url doesnt shows the value for it

I'm passing variables through the url to a function but it does not reflect anything.
here is the code for url:
$result = file_get_contents('http://localhost/service/service.php?action=update_details&id=$id,&name=$name,&lname=$lname,&email=$email,&username=$username,&password=$password,&gender=$gender,&mobile=$mobile,&address=$address');
and function is on other php file. Here is code:
if($tag == 'update_details') {
$id = $_GET["id"];
$name=($_GET['name']);
$lname=($_GET['lname']);
$gender=($_GET['gender']);
$email=($_GET['email']);
$username=($_GET['username']);
$password=($_GET['password']);
$mobile=($_GET['mobile']);
$address=($_GET['address']);
if ->updateUser($id,$name,$lname,$username,$password,$gender,$email,$mobile,$address)) {
$app_info = "success";
exit (json_encode($app_info));
} else {
$error="not done";
exit(json_encode($error));
}
}
Remove comma from url:
$result = file_get_contents('http://localhost/service/service.php?action=update_details&id=$id&name=$name&lname=$lname&email=$email&username=$username&password=$password&gender=$gender&mobile=$mobile&address=$address');
First you must take in account all the advices you already got:
replace simple quotes by double quotes (as noticed by #Rasclatt), in order to have your embedded variables interpreted
suppress commas (as already noted by #Jayesh Chitroda) to get a normally built url
Then in addition you must take care of this PHP manual advice :
If you're opening a URI with special characters, such as spaces, you need to encode the URI with urlencode().
So if some of your variables may contain such characters (which is likely expected in your case) you must also urlencode() them.
Remember: don't urlencode() the whole URI, but each involved variable.
This way you will correctly invoke your service.php script, but there is yet another potential issue (also already noticed by #Rasclatt): if ->updateUser(...)){ makes no sense.
Maybe it's a typo in your question? It's now up to you to examine this point.

Introducing a PHP variable into a Header redirect

this is my code:
header("Location: ?pid='".$_GET['pid']."'");
die();
When I write a simple echo $_GET['pid']; the value is good but then when I introduce this variable in the header it returns something like 27%27 and that's not the true value.
When I use urlencode the problem persists:
header("Location: ?pid=". urlencode($_GET['pid']));
What's the problem here?
Thank you
This is because the parameter is being encoded into URL format. Read about urldecode() PHP function.
Also, the %27 is a URL encoded single quote char, therefore you need to remove single quotes from your code:
header("Location: ?pid=".$_GET['pid']);
If you still however will get %27 in your header, then I would suggest stripping it out from var by using trim() like this:
header("Location: ?pid=".trim($_GET['pid'], "'"));

How do I make redirection dynamic

Please, I need your help with a small issue I'm having. I'm using the Redirecting users to the page they have just pasted a comment on, and d=3 is supposed to be dynamic, i.e. take different integers according to the id.
I've tried to add the php variable like this
Header('Location: http://site/a.php?id=$articleID')
but i get an error.
Header('Location: http://site/a.php?id=3')
Please how can I get over this issue.
Thanks
You can't pass variables into single quoted strings
header("Location: http://site/a.php?id=$articleID");
exit;
don't forget to include exit;, otherwise the rest of the script will still execute until the new page is loaded.
Change your quotes from single to double. Single quotes won't interpret variables inside them.
Header("Location: http://site/a.php?id=$articleID");

PHP URL in query string using GET

I have a URL like:
http://www.google.com/test.html?d=1232&u=32
and I want to add it as a part of a GET query string like:
http://www.mysite.com/index.html?a=123&d=http://www.google.com/test.html?d=1232&u=32
Note the double "d" used. I want the URL sent to be just a url and not be read for its query string...
What is the best way to do this to avoid problems?
You can use the urlencode() function.
Example:
$url = 'http://www.mysite.com/index.html?a=123&d='
. urlencode('http://www.google.com/test.html?d=1232&u=32');
You can use urlencode() to put that in the URL without having it interfere with anything else you have in there.
URL-encode the second url:
http://mysite.com/index.html?a=123&d=<?php echo urlencode('http://google.com/etc..'); ?>
You can assign a url to a variable and have it be query-string safe by using urlencode() (http://us3.php.net/urlencode). So you could do:
$url = 'http://www.mysite.com/index.html?a=123&d=' . urlencode('http://www.google.com/test.html?d=1232&u=32');
In this example the query-string var 'd' now houses all the contents of the second url. You will have to urldecode() it on the receiving end in order to extrapolate the data.
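The effect of per-value encoding, for both the service.php call and the URL-inside-a-URL case discussed above, as an added example that is not code from any of the posters. The field values are constructed samples and `received_params` is a hypothetical helper that shows what the receiving script would get:

```php
<?php
// Added example: encode each value, never the whole URL.

// Constructed sample values; note the '&', '#', '?' and spaces inside them.
$fields = [
    'action'  => 'update_details',
    'id'      => 7,
    'name'    => 'Ann & Bob',
    'address' => '12 High St #4',
    'd'       => 'http://www.google.com/test.html?d=1232&u=32',
];
$base = 'http://localhost/service/service.php?';

// Naive interpolation: delimiters inside the values are read as URL syntax.
$naive = $base . "action={$fields['action']}&id={$fields['id']}"
       . "&name={$fields['name']}&address={$fields['address']}&d={$fields['d']}";

// http_build_query() applies urlencode() to every value and joins with '&'.
$safe = $base . http_build_query($fields);

/**
 * Parse the query part of a URL into an array. parse_str() decodes the
 * values, as PHP does when it populates $_GET.
 */
function received_params(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

echo "Naive URL:\n$naive\n";
print_r(received_params($naive));   // values split at '&' and cut off at '#'

echo "Encoded URL:\n$safe\n";
print_r(received_params($safe));    // every field arrives intact
```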
