Appending GET parameters to URL from <form> action - php

So say I'm currently on index.php or index.php?p=about within my current web build.
I am trying to build a search form that will be displayed on most pages, but I want the form action to go to http://mywebsiteurl.com/?p=search&q=GETDATA, as my website's paging depends on the data passed to the 'p' attribute.
How would I append the search parameter to the URL in a static fashion, upon submission?

Perhaps something like this:
<form method="get" action="index.php">
<input type="hidden" name="p" value="search" />
<input type="text" name="q" value="" />
<input type="submit" value="search" />
</form>

You can use a hidden field in your form to maintain the value of the p parameter:
<input type="hidden"
name="p"
value="<?= htmlentities($_GET['p'], ENT_QUOTES) ?>" />

You should put the value of the parameter p inside a hidden form field inside the search form; something like:
<input type="hidden"
name="p"
value="<?php echo(htmlspecialchars($_REQUEST["p"])); ?>" />
It's not a good idea to put the parameter to the form action parameter; post requests are handled differently than GET requests, the values in a POST request aren't appended to the URL by ? and & as with GET; meaning that you wouldn't actually get the p parameter into the script handling the POST request from the form...
Also take care not to show the request parameter unreflected (hence the htmlspecialchars, thanks for the hint!), since malicious clients could try to inject code into your page (HTML injection / XSS).

Related

Trying to pass three parameters from one php file to another

I am trying to pass three parameters from one php file to another. Two of those parameters are in variables that are already determined long before the button is clicked to call the second php file, but one will be taken from a text box at the time the button is clicked.
So far I have the following (snippet) in the first php file. The two parameters that are in the existing variables show up in the URL just fine, but I can't figure out how to get the student number to be included. The URL just has "studentNumber=?&club=..."
Thanks!
<input type="text" id="studentNum" placeholder="Student Number">
<input type="button" value="Add Student" onclick="window.location = '<?php $url = 'http://npapps.peelschools.org/editor/add.php?studentNumber='.$_GET["StudentNum"].'&club='.$club.'&type='.$type.''; echo $url;?>'" />
Is it really necessary to use window.location? I would encourage you to use something like this
function doSubmit() {
document.getElementById("myformid").submit();
}
<form id="myformid" action="receivingPHP.php" method="POST">
<input id="studentnr" type="text" value="42" />
<button onclick="doSubmit()">Send</button>
</form>
Of course there is no receivingPHP.php file on the StackOverflow servers, so if you try this script you will reach a white page (close it in the top right corner where it says close)
If you use $_GET["StudentNum"], it must come from an HTML-form or a html-link:
example
or
<form method="GET"><input name="StudentNum" value="1337"></form>
Good luck
The URL of your current page needs to have had studentNum present as a query parameter to be able to use $_GET. For example, if current page URL =
http://npapps.peelschools.org/myotherpage.php?studentNum=100
then you can $_GET["studentNum"]. Also, if you are accessing this URL via ajax
http://npapps.peelschools.org/myotherpage.php
then it must be passed as a data parameter.
Find out what the URL of the page is where you have the HTML that you have shown, and if studentNum has not been passed as a query parameter or data parameter from however you get there (e.g. an anchor tag href) then add that parameter to the URL.
Ended up reworking it so that all the information was sent in a form rather than trying to embed it in a button. The secret came from w3schools where I figured out how to hide the known parameters in a hidden input element in the form, as follows:
<form action="add.php" method="GET">
<input name="studentNo" type="text" placeholder="Student Number" />
<input name="club" type="hidden" value="<?php echo htmlspecialchars($club); ?>" />
<input name="type" type="hidden" value="<?php echo htmlspecialchars($type); ?>" />
<input type="submit" value="Add Student" />
</form>

PHP - $_SERVER['QUERY_STRING'] doesn't include all the <form> entries

Kinda strange...
I'm building a shopping cart. When the user types the quantity he wants and hits "add to cart", the <form> action should redirect them with a PHP $_SERVER['QUERY_STRING'] AND some other information (i.e. the product id, fetched in MySQL).
Here's my form, all in a PHP echo...
<?php
echo '<form method="GET" action="cart.php?'.$_SERVER['QUERY_STRING'].'&action=add&item_id='.$data->item_id.'">
<small>Quantity </small><input type="text" size="2" placeholder="1" name="add_quantity">
<input type="submit" name="add_clicked" class="button" value="Add to Cart">
</form>';
?>
Upon submission, the URL redirects to cart.php but only includes the query string, but leaves out the item id and the action=add.
Supposing I typed '2' in the quantity box, the URL looks like this cart.php?add_quantity=2 and nothing after that.
Would appreciate help!
Thanks!
When you submit a form via GET, the form data submission process will overwrite any existing query string that might be set in the address you put into the action attribute.
Use hidden form fields instead to transport your additional values.
(And as #Simon already said in his comment, go read up on what you have to do to prevent XSS when outputting data that was send from the client before.)
Submitting a form with GET will overwrite any query string you'd put in the url (I'm not sure what you wanted to do with your $_SERVER['QUERY_STRING'] though as that would give the query string used to access the page where your form is.
What you'll want to do is to use hidden input fields in your form for your action and item_id attributes.
<form method="GET" action="cart.php">
<input type="hidden" name="action" value="add"/>
<input type="hidden" name="item_id" value="<?=$data->item_id?>"/>
<small>Quantity </small><input type="text" size="2" placeholder="1" name="add_quantity">
<input type="submit" name="add_clicked" class="button" value="Add to Cart">
</form>
Upon submission this will go to the url cart.php?action=add&item_id=1234&add_quantity=2
Alternatively you could (and most likely should) submit the form via POST; then any data in the form will be sent as POST parameters and the query string parameters defined in your action will be kept.
Pass the info in the query strings via a hidden field. So let's assume you're passing the account number in the query string, it would look like this:
<input type="hidden" name="account_number" value="$account_number">

PHP Form with PHP variable

Im try to Programm some php.
i have a site : /index.php?go=newstep&callid=2
Where i put:
<form method="post" action="addnew.php"> <input type="text" name="user" /> <input type="text" name="text" /> <input type="hidden" value="<?php echo($_GET["callid"]); ?>" name="test" />
This is because the next site "addnew.php" Needs the value "callid" from the link to ?go=newstep&callid=2
Why isn't it working?
Is there another way?
Thank you
If You want to use GET method, You can simply put Your variable as part of the link in action attribute. You don't have to use hidden input. Something like that:
action="addnew.php?callid=<?php echo $_GET['callid']; ?>"
Additionally, '"' char in attribute "value" may cause problems, because HTML may interpret it as end of the attribute value.
EDIT:
Exactly, You are using POST method in form, thus You are sending You variable, callid, by POST method now and it will be available in $_POST global array in addnew.php script, not in $_GET global array.

Getting correct URL when using GET

When clicking a button, I would like my URL to become this:
users.php?action=search&formvar1=value&formvar2=value&...
This is what I've tried:
<form id="search" action="users.php?action=search" method="get">
But this doesn't seem to work (it doesn't add the action=search part). Is there any way to do this? I know it works when using POST instead of GET, so why wouldn't it here?
Thank you
You can do that similarly to a POST form. Simply include the default attribute as hidden form field:
<form id="search" action="users.php" method="get">
<input type="hidden" name="action" value="search">
This way it will be added as parameter to the URL like all other variables.
The browser is building the query string from scratch.
Instead, you can add an <input type="hidden" name="action" value="search" />.

GET variables not passed when mixed in with URL

Why is it that when I pass parameters through encoded URL and GET method in HTML form, the URL encoded parameters are dropped?
e.g. Setup:
<form action="process.php?hello=world" method="GET">
<input type="text" name="foo" value="bar">
<input type="submit">
</form>
Result: the variable hello will not be recognized in process.php.
Is this bad practice?
Is this how PHP processes it, or is it related to how the browser send the request? Is there the same problem in other languages?
Yes, that is bad practice because it just doesn't work.
If you want to pass in "hidden form input" then you must use a hidden form element:
<input type="hidden" name="hello" value="world" />
As rezzif states in his comment, you can mix GET & POST like so:
<form action="/something?foo=bar" method="POST">
<input type="text" name="baz" />
</form>
As a general rule I avoid mixing the two though. I find it bizarre to have GET params in my form action.

Categories