PHP pass variable through URL - php

I understand how a PHP URL works - I think ... but I'm having problems getting the actual value of the variable to be passed in the example below.
Example
Note: I am adding the below form into a data cell (as part of a table being read via PHP).
$currentrowid = 1;
echo '<td>
<div class="editdelete">
<form action="phpindex.php?page=edit&thisrow=<?php echo $currentrowid;?>" method="post">
<input type="submit" value="Edit" >
</form>
</div>
</td>';
... Some other section of code to read the URL output by the form above:
$val = $_POST['thisrow'];
echo "the value is: " .$val; //Outputs "$currentrowid"
So, as you can see the code returns the actual name of the variable being passed, NOT the value of the variable being passed.
Any ideas here?

Since you are already within a PHP block, you should not wrap your variable within <?php ... ?>. This will give you an error.
To make this work, you can choose 1 of 2 options:
1) String Concatenation:
echo '... <form action="phpindex.php?page=edit&thisrow='.$currentrowid.'" method="post"> ...';
2) Wrap your string in " (double quotes) instead of ' (single quotes):
echo "... <form action=\"phpindex.php?page=edit&thisrow=$currentrowid\" method=\"post\"> ...";
Note that the second method forces you to escape all the double quotes inside of your string.

2 point.
<form action="index.php?thisrow=<?php echo $currentrowid ?>"
method="post">
You should use $_POST not $_GET to get the post value.

As what was answered above,
<form action="index.php?thisrow=<?php echo $currentrowid; ?>" method="post">
is correct.
The reason behind this is you are passing HTML and you have to use an echo from php to output to the html. Otherwise you just get exactly what you put, which is $currentrowid.

Not the easiest, but a quick way to solve your problem. Change your form method to get method="get">, then
$val = $_GET['thisrow'];
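Added example, not part of any answer above: one way to build the form's action URL and read the row id on the receiving page. Parameters placed in the action URL arrive in $_GET even when the form method is POST, so the value is URL-encoded, HTML-escaped for the attribute, and validated as an integer on receipt. The helper names edit_form() and read_row_id() are hypothetical.

```php
<?php
// Added example: edit_form() and read_row_id() are hypothetical helpers.

// Build the form for one table row. The row id travels in the query string,
// so it is URL-encoded first, then HTML-escaped for the attribute context.
function edit_form(int $rowId): string
{
    $query  = http_build_query(['page' => 'edit', 'thisrow' => $rowId]);
    $action = htmlspecialchars('phpindex.php?' . $query, ENT_QUOTES, 'UTF-8');

    return '<form action="' . $action . '" method="post">'
         . '<input type="submit" value="Edit">'
         . '</form>';
}

// Receiving side: pass $_GET in. The id is accepted only if it is a
// positive integer; anything else (missing, text, array) yields null.
function read_row_id(array $get): ?int
{
    $id = filter_var(
        $get['thisrow'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );

    return $id === false ? null : $id;
}

echo edit_form(1), "\n";

// Constructed sample inputs standing in for $_GET:
var_dump(read_row_id(['page' => 'edit', 'thisrow' => '1']));      // well-formed id
var_dump(read_row_id(['page' => 'edit', 'thisrow' => '1 OR 1'])); // not an integer
var_dump(read_row_id(['page' => 'edit']));                         // parameter missing
```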

Related

PHP function echoes unexpected HTML value

I have a piece of php code inside html tag which is supposed to change the tag's style in accordance with the contents of the URL.
There is an html login form which looks like this:
<form class="userdata" action="login.php" method="post">
<input type="text" name="email" placeholder="E-mail" <?php fillin('email'); enlight_unfilled('email');?>><br>
<input type="password" name="pwd" placeholder="Password"><br>
<button type="submit" name="login-submit">Login</button>
</form>
Here are the functions fillin and enlight_unfilled:
<?php
function fillin($key) {
if (isset($_GET[$key])) echo "value=".$_GET[$key];
else echo NULL;
}
function enlight_unfilled($key) {
if (isset($_GET['error']))
if (isset($_GET[$key]) and $_GET[$key] !== "") echo NULL;
else echo "style='border-color: red'";
else echo NULL;
}
?>
If I only apply one of the functions within the tag, they both do what they are expected to – either save the email in the field if it has been already typed in or enlighten the email field if it has been left empty. But if I apply them together, when the field is empty, php assigns the field value 'style='border-color:. I also tried to use functions like print and printf, but the result is the same:
I am a beginner at php coding and mixing it with html, so the question may appear to be dumb, but I did not manage to find any sort of a solution to this issue, so thanks for help and patience in advance!
It looks like you don't properly encase value in quotes, so it just renders the 'style='border-color:.
Let's assume that $_GET[$key] has a value of hello#hello.com. What your PHP & HTML renders is the following:
value=hello#hello.com
See the problem? There are no quotes. That's why the renderer goes forward searching for a valid value. To fix the issue you must add quotes around your $_GET[$key] in the fillin function. Something like this should do the job:
if (isset($_GET[$key])) echo "value='".$_GET[$key] . "'";
It works when run alone because it reaches the end > and just assumes the value to be hello#hello.com
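Added example, not code from the question or the answer: quoting the attribute fixes the parsing problem for ordinary values, but a request value that itself contains a quote still ends the attribute early. The hypothetical fillin_attr() below escapes the value with htmlspecialchars() and is shown beside the quoted-only form; the sample input is constructed.

```php
<?php
// Added example: fillin_attr() is a hypothetical rewrite of fillin() that
// returns the attribute instead of echoing it, so the result can be inspected.
function fillin_attr(array $get, string $key): string
{
    // Reject missing keys and array input such as ?email[]=x, which
    // htmlspecialchars() cannot take.
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return '';
    }
    // ENT_QUOTES escapes both ' and ", so the value cannot close the attribute.
    return 'value="' . htmlspecialchars($get[$key], ENT_QUOTES, 'UTF-8') . '"';
}

// Quoted but unescaped, for comparison.
function fillin_quoted_only(array $get, string $key): string
{
    return isset($get[$key]) ? "value='" . $get[$key] . "'" : '';
}

// Constructed input standing in for $_GET: an address containing a single quote.
$get = ['email' => "o'brien@example.com", 'error' => 'emptyfields'];

// Quoted only: the attribute ends at the quote inside the value.
echo '<input type="text" name="email" ', fillin_quoted_only($get, 'email'), ">\n";

// Escaped: the quote is emitted as an entity and stays inside the value.
echo '<input type="text" name="email" ', fillin_attr($get, 'email'), ">\n";
```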

php use hidden post to pass dynamic data to another php file

I'm trying to build a comment system, each comment has a unique id, many comments can be associated with a post, and each post has a unique id. I want to pass the post id to a submit.php file (where comments are updated to the database), but no matter what I tried I just can't pass the data. Currently I have something like this:
$sql="SELECT postid,post,pdate FROM posts";
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)) {
echo '$row["post"]';
echo '<form action="submit.php" method="POST">';
echo '<input name="comment" type="text" id="comments"></input>';
echo '<input type="hidden" name="id" value="$row["postid"]" />';
echo '<input type="submit" value="enter comments" />';
}
?>
For testing purposes I have submit.php as follows:
<?php
$ha=$_POST['id'];
echo $ha;
?>
Data of postid is not passed, and I just got "$row[" as output.
Inside the while loop, if I say $haha=$row["postid"]; echo "$haha"; then each individual post id will be printed correctly, but I just cannot pass the data to submit.php file.
Update: I just changed my code to:
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
Now a number is successfully passed to submit.php; the problem is, it's always "3". My post id ranges from 3 to 13, post with id=3 is at the bottom of the page and post with id=13 is at the top. However, if I write a comment at the post with id=13 (same issue occurs with other posts as well), after clicking submit, the data passed to submit.php is always 3. Is there something wrong with the while loop?
Another update: it's always 3 because I forgot to close the form tag; now everything works perfectly.
You're using single quotes, so you cannot insert variables inside of the string; use
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
In PHP, you can wrap a string in single-quotes ('), or double quotes (").
When you use single quotes, the string is not interpreted - this means that all the characters are left intact, and no variables are parsed.
When you use double quotes, any variables in the string will be replaced with their value.
In your case, you're using single quotes, so your variable is not being interpreted and converted. Instead, use double quotes:
$sql="SELECT postid,post,pdate FROM posts";
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
echo $row["post"];
echo '<form action="submit.php" method="POST">';
echo '<input name="comment" type="text" id="comments"></input>';
echo "<input type=\"hidden\" name=\"id\" value=\"{$row["postid"]}\" />";
//Alternatively, keep the single quotes and use the concatenation method:
//echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
echo '<input type="submit" value="enter comments" />';
//Also, if you're opening a form tag in this loop, be sure to close it
echo '</form>';
}
Some other things to note:
When you use double quotes to wrap your string, and you have double quotes inside your string, you must escape them (using a \). Notice name="id" became name=\"id\"; and
When referencing an item in an array within a string, you can either use string concatenation to ensure the full variable is interpreted correctly (value=\"" . $row["postid"] . "\"), or you can leave the variable in place and wrap it in curly brackets - which is my preference and is what is used above. If you're going to use the concatenation method, then you can keep the single quotes wrapping everything else - there are no variables to parse.
When echoing a variable value, you don't need to wrap it in anything - notice I removed the quotes from the first echo.
Here is PHP's documentation on strings, including single and double quoted strings: http://php.net/manual/en/language.types.string.php.
And here is PHP's documentation on string operators: http://php.net/manual/en/language.operators.string.php.
Try adding a conditional at the start of your file like this just to be sure the form is actually submitted properly:
<?php
if(isset($_POST['submit_form'])) {
$ha=$_POST['id'];
echo $ha;
}
With your button like this:
<input type="submit" value="enter comments" name="submit_form"/>
And please close your form tag.
You can pass the value as follows:
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" >';

Action of forum doesn't get ID

I have this set at the top of the page:
if (isset($_GET["edit"]) and !empty($_GET["edit"])) {
$edit_id=(int)$_GET["edit"];
$edit_id=sanitize($edit_id);
}
and then I do this with my action; on the topbar it shows the number of id
but if I do "view source" I see this:
<form class="form" action="categories.php<?=((isset($_GET['edit']))?'?edit=.$edit_id':'');?>" method="post">
Why is it not getting the id?
Because you are setting it as a literal string. Try:
action="categories.php<?php echo (isset($_GET['edit']) ? '?edit='.$edit_id : ''); ?>"
There are a couple issues going on here:
You are trying to use variables inside single quotes
You are using string concatenation from within a string, which is effectively a period
Try this:
<?php
// We can check this way since you sanitize it at the top
$param = (isset($edit_id) && is_numeric($edit_id)) ? '?edit='.$edit_id : '';
?>
<form
class="form"
action="categories.php<?php echo($param); ?>"
method="post">

Is there a way I can send a variable to a database from a form's action attribute value?

So I have a php file that retrieves some variables with the $_GET method and then outputs the result. I would want to send one of these retrieved variables to another php file (if it was possible to the same file would be fine also) through a form along with other variables which then are stored in a database. I tried putting the variable in the "action" attribute of the form like this but it didn't appear in the url when I submitted the form values:
Here is all my code:
<?php
$nome=$_GET[nome];
$cognome=$_GET[cognome];
echo "<form action='salva_citazione.php"."?autore=".$nome."+".$cognome."&' method='GET'>"
....
You can use hidden input fields, also you forgot to use ' in your $_GET variables:
<?php
$nome = htmlspecialchars($_GET['nome']);
$cognome = htmlspecialchars($_GET['cognome']);
$fullname = $nome.' '.$cognome;
echo '<form action="salva_citazione.php" method="GET">';
echo '<input type="hidden" name="autore" value="'.$fullname.'" />';
// ...
?>
Note that this way of using $_GET results in XSS vulnerabilities, so I've used htmlspecialchars function to convert special characters to HTML entities.
Put this inside the form:
echo "<input type='hidden' name='autore' value='$nome+$cognome'/>";

Use form input to build url with php.

I'm trying to create a form where the user can input their id (username) and it will be appended as a variable in a url that is used in my php script. This is what I have.
<?php
if(isset($_POST['submit']))
{
$id = $_POST['id'];
echo 'http://example.com/default.asp?action=data&id=$id';
}
?>
<form method="post" action="<? echo $_SERVER['PHP_SELF']; ?>">
<input type="text" name="id"><br>
<input type="submit" name="submit" value="Submit Form"><br>
</form>
It collects the user's id properly, and if I just echo $id, it outputs the proper value, but when I try to echo the url, it just outputs $id instead of the actual value of the $id variable. What am I doing wrong?
echo "http://example.com/default.asp?action=data&id=$id";
^---wrong quotes ^--- ditto
single-quoted strings do not interpolate variables.
Single quotes won't interpolate the variable, either use double quotes or use string concatenation.... Three options:
echo "http://example.com/default.asp?action=data&id=".$id;
or
echo "http://example.com/default.asp?action=data&id=$id";
or
echo 'http://example.com/default.asp?action=data&id='.$id;
This line:
echo 'http://example.com/default.asp?action=data&id=$id';
Should be
echo 'http://example.com/default.asp?action=data&id='.$id;
If you are using single quotes in PHP with a string it will print whatever is inside the string without evaluating anything (i.e. no variables are evaluated). So you can either use double quotes or append the variable like I did above.
