I've never really thought about this, but it helps with some security of something I'm currently working on. Is it possible to submit GET data without an actual input field, and instead just getting it from the URL?
If so, how would I go about doing this? It kind of makes sense that it should be possible, but at the same time it makes no sense at all.
Perhaps I've been awake too long and need some rest. But I'd like to finish this project a bit more first, so any help you can offer would be appreciated. Thanks
Yes. If you add some query-string to yourl url, you can obtain that in php using $_GET without form submitting.
Going to this URL adress http://yoururl/test.php?foo=bar cause echoing foo (if there will be no foo query string, you'll get warning).
# test.php
echo $_GET['foo'] # => bar
Is this what you mean?
Link
// page.php
echo $_GET['type']; // foobar
This is what I understand of your question:
You have a <form method="get" action="foo.php">-like tag on your page
You have a series of <input type="text" name="bar"/> in your page
You want to pass additional GET parameters that are not based on an input from the form
If so, it is possible, but I hardly see how it could help with security. Input from a client cannot be trusted, so even if you hardcode the GET value, you have to check it serverside against SQL injection, HTML injection/XSS, and whatnot.
You have two ways:
Use a hidden input: <input type="hidden" name="myHiddenGetValue" value="foobar"/>
Add the GET parameter to the form action: <form method="get" action="foo.php?myHardcodedGetValue=foobar">
If what you meant is that you want to have a GET request without a form, you just need to pass all the GET parameters to the href of a link:
Click here!
Yes it's possible. Just append the GET data to the link.
For example:
<a href="main.htm?testGet=1&pageNo=54>Test</a>
You can also use Javascript to build the url.
If you happen to be using jQuery and want to build the GET data dynamically you can do this:
var getParams = { testGet:1, pageNo:54 };
$(".myLink").attr("href", url + "?" + $.param(getParams));
Related
I have a search form, and the submit button looks like this:
<input type="submit" name="search_submit" value="Go"/>
I handle this form using the following php:
if (isset($_GET['search_submit'])) {
do blah
}
Works fine. But my url then includes &search_submit=Go. I do not want that to show up.
I know that to fix this, I need to remove the name attribute from my the forms input line.
But then my php no longer works and I'm not sure how to change it to handle the form. I tried changing it to:
if (isset($_GET['submit']))
and
if (isset($_GET['Go']))
But they did not work either. If anyone can help me with an answer, it would be awesome.
You cannot remove the name of the input element, as PHP would not know which value to look for. If you want to completely hide the string after the URL, use the request method POST instead of GET:
<form action='myscript.php' method='POST'>
<input type="submit" name="search_submit" value="Go"/>
</form>
Your PHP will use the following:
$_POST['search_submit']; // Instead of $_GET['search_submit'];
A good answer to when to use GET and POST can be found here.
edit: If you just want to not have the button show up in the URL, but everything else should still be there (according to your comment), you can simply remove both the value and name of the submit button.
Instead of looking for search_submit to be set, you can look for the other values:
if (isset($_GET['username'], $_GET['password'])) {
// Do your stuff here
}
If you don't want to show string in the URL, you can use the POST method. The main difference between GET and POST are listed below as :
GET:
Parameters remain in browser history because they are part of the URL
Can be bookmarked.
GET method should not be used when sending
passwords or other sensitive information.
7607 character maximum
size.
Url example: new.php?category=sport
POST:
Parameters are not saved in browser history.
Can not be bookmarked.
POST method used when sending passwords or other
sensitive information.
8 Mb max size for the POST method.
URL example: new.php
Sample Code :
if (isset($_POST["search_submit"])) {
do blah
}
If the submit button doesn't have a name, then it won't be a successful control and won't appear in the submitted data at all.
Test for the presence of data from some other field in the form instead.
I want to pass an id from one page to another when user clicks a url. There can be multiple url each corresponding to a separate id. Based on url clicked, I want to pass corresponding id and an action. Currently I am using following approach:
<a href="Process.php?action=del&id='.$id.'">
However both action and id are visible in url. Is there any way to hide this information in url and not passing it through url?
Also if I pass them using hidden fields, they can be accessed using browser dev tools. I want to make them secure so they can't be read or modified at all.
I would like to hide this for security purpose so no any user can see this
In HTML only, you'll not able to pass "hidden" variables through $_GET.
If you really want to hide some variables when a user click on a link, you can use Javascript with an auto-submitted form to use $_POST variables.
Example
<form method="POST" action="yourpage.php" id="yourform" style="display:none;">
<input type="hidden" name="hiddenfield" value="__" />
</form>
<a href="" onclick="document.getElementById('yourform').submit();return false;" />
Now, in yourpage.php, you'll be able to obtain the $_POST['hiddenfield'] value.
Edit:
I don't think it can be possible to really hide the values from dev tools. Btw, you can maybe use sessions, it will be more "secure"..
Example:
// page1.php
session_start();
$_SESSION['yourname'] = 'yourvalue';
// page2.php
session_start();
$_SESSION['yourname']; // Contains 'yourvalue'
The best way to hide id(if you mean security) is to encrypt it. You should use MCRYPT function to encrypt the id. You can encrypt both ID and your ACTION in one string and just pass this string to URL and then when you want to use it you can decrypt parameter and split it. When you connect it with MOD_REWRITE in htaccess you can get url like:
<a href="Process,Some title of yourpage,í,eHGxC•z»#”“§``"> to make it more "pretty" you can use base64 on this string.
or with base64, mcrypt and mod_rewrite
<a href="Process,SWRlYW">
to decrypt string you should use base64_decode(), mcrypt_decrypt()
You can use base64 for this (if security is really a big concern). Before passing it to the URL,
you can encode it first and then in the receiving end, you can decode it.
Check this URL : http://www.webtoolkit.info/javascript-base64.html
EDIT:
Please ignore the line above in the bracket.
Based on the comments below, base64 is really not responsible for security. Better approach is to use a server sided language to encrypt/decrypt values. Using base64 through javascript is not a good idea. Thanks Bobby.
I have a page I am constructing and I need to pass in the values of the option dropdowns to the next page. The problem is that these dropdowns are not in a form.
http://posnation.com/test/pre_config/pre_config_step_2.html
Basically what i need to pass to the next page is that when i click "Proceed To Next Step" I need to pass the value of the type of field like "restaurant" and the number of stations "2" if the user selects restaurant and 2.
HTML:
<a id="proceed" href="foo.html">Proceed!</a>
JS:
$('#proceed').click(function() {
location.href = this.href +'?someVal='+ escape($('#my_select').val());
return false;
});
Working example that executes a formless google search: http://jsfiddle.net/CKcbU/
You basically just add what you want to the query string with javascript.
But really, if at all possible, you should use a form with method="get" which pretty much does this for you without any JavaScript at all.
Use a query string.
http://posnation.com/test/pre_config/pre_config_step_2.html?restaurant=The+Eatery&stations=2
In other words, pass them as part of the URL when calling the next page. The next page will be responsible for reading the query string and extracting the values out.
http://en.wikipedia.org/wiki/Query_string
I do not know what you are using to code in so I cannot be detailed regarding the mechanics of constructing the URL or parsing out the values from the query string on the receiving page.
Here is an article on doing it using JavaScript:
http://javascript.about.com/library/blqs.htm
You can use JavaScript for the same. Assign a onclick event with button of proceed and call a function. In this function use:
windows.location=url?rest=valuerest&opt=valueopt
I am not sure what you are working with, but with almost any framework that I know of you can pass a parameter as part of the url.
These would work fine.
http://posnation.com/test/pre_config/step_2
http://posnation.com/test/pre_config/step_3
Then, just grab the parameter and react accordingly.
EDIT: Answer found! Thank you very much people, a lot of answers worked, I chose the hidden field answer as it was easiest :D
I am creating a commenting script and I came across a problem. I am having to use $_POST and $_GET on the same page, which I don't think makes sense.
I am very new to php and am training myself.
I have a page named viewVerses.php - this has a lists of verses. When someone follows the reply link,
echo '<br />Reply';
I'm passing the verseid (commenting on bible verses) into the reply.php, so that a query may be made with that verseid. (This is so that the user can still see the verse he/she is commenting on).
Now reply.php has the form in it for posting a reply. The form goes to postReply.php
This is in postReply.php
$title = $_POST['title'];
$body = $_POST['body'];
$verseid = $_GET[verseid];
Can I get the verseid from the url and the POST the values from the form in the same page?
If not, is there a way I can do this better? Remember, I am new at php and probably won't implement a solution that is super hard. I have to get it for my to put it in my site.
I hope this is clear
I would add a hidden input to the comment form:
<input type="hidden" name="verseid" value="
<?php echo $_GET['verseid']; ?>
" />
That way, in postReply.php, you can access it using $_POST['verseid'].
Yes you can. The method of a form (in a html page) can be POST and the action URL can contain "GET" arguments being something like process.php?vid=1001 so to say. So in process.php you'll have vid as $_GET and the rest of data from the form as $_POST.
Sure you can, just set the action of the form to postReply.php?verseid=id_of_the_verse this way when an user submits a reply, in the POST array will be the reply related data and in the GET the id of the verse.
Yes, it is possible to mix both GET and POST values with one request. The problem you have is probably that you pass the GET value to reply.php, which then passes POST values to postReply.php. So, unless you tell reply.php to send that GET value as well, it will get lost.
You can do this by either specifying the GET value in the action parameter of the form tag, or you could even switch to a POST value with that, by adding a <input type="hidden" name="verseid" value="<?php echo $verseid; ?>" /> to the form.
Although it may seem counter-intuitive an HTTP request can come in with both Form and QueryString data. Like robertbasic says you can access them both via there respective arrays.
Using a form with a hidden input (<input type="hidden" name="verseid" value="..." />) is probably the cleanest way of doing things.
PHP also defines the $_REQUEST global array in addition to $_GET and $_POST. In general you should use either $_GET or $_POST but in this case where verseid is being passed for both methods, it might be more convenient to use $_REQUEST['verseid']. This way you need not care about the HTTP method being used on your script.
Im looking for a way to have a form in cakephp that the user can add and remove form fields before submitting, After having a look around and asking on the cake IRC the answer seems to be to use Jquery but after hours of looking around i cannot work out how to do it.
The one example i have of this in cake i found at - http://www.mail-archive.com/cake-php#googlegroups.com/msg61061.html but after my best efforts i cannot get this code to work correctly ( i think its calling controllers / models that the doesn't list in the example)
I also found a straight jquery example (http://mohdshaiful.wordpress.com/2007/05/31/form-elements-generation-using-jquery/) which does what i would like my form to do but i cannot work out how to use the cakephp form helper with it to get it working correctly and to get the naming correct. (obviously the $form helper is php so i cant generate anything with that after the browser has loaded).
I an new to cake and have never used jQuery and i am absolutely stumped with how to do this so if anyone has a cakephp example they have working or can point me in the right direction of what i need to complete this it would be very much appreciated.
Thanks in advance
I would take the straight jquery route, personally. I suppose you could have PHP generate the code for jquery to insert (that way you could use the form helper), but it adds complexity without gaining anything.
Since the form helper just generates html, take a look at the html you want generated. Suppose you want something to "add another field", that when clicked, will add another field in the html. Your html to be added will be something like:
<input type="text" name="data[User][field][0]" />
Now, to use jquery to insert it, I'd do something like binding the function add_field to the click event on the link.
$(document).ready( function() {
$("#link_id").click( 'add_field' );
var field_count = 1;
} );
function add_field()
{
var f = $("#div_addfield");
f.append( '<input type="text" name="data[User][field][' + field_count + ']" />' );
field_count++;
}
Of course, if a user leaves this page w/o submitting and returns, they lose their progress, but I think this is about the basics of what you're trying to accomplish.
This was my approach to remove elements:
In the view, I had this:
echo $form->input('extrapicture1uploaddeleted', array('value' => 0));
The logic I followed was that value 0 meant, not deleted yet, and value 1 meant deleted, following a boolean logic.
That was a regular input element but with CSS I used the 'display: none' property because I did not want users to see that in the form. Then what I did was that then users clicked the "Delete" button to remove an input element to upload a picture, there was a confirmation message, and when confirming, the value of the input element hidden with CSS would change from 0 to 1:
$("#deleteextrapicture1").click(
function() {
if (confirm('Do you want to delete this picture?')) {
$('#extrapicture1upload').hide();
// This is for an input element that contains a boolean value where 0 means not deleted, and 1 means deleted.
$('#DealExtrapicture1uploaddeleted').attr('value', '1');
}
// This is used so that the link does not attempt to take users to another URL when clicked.
return false;
}
);
In the controller, the condition $this->data['Deal']['extrapicture1uploaddeleted']!='1' means that extra picture 1 has not been deleted (deleting the upload button with JavaScript). $this->data['Deal']['extrapicture1uploaddeleted']=='1' means that the picture was deleted.
I tried to use an input hidden element and change its value with JavaScript the way I explained above, but I was getting a blackhole error from CakePHP Security. Apparently it was not allowing me to change the value of input elements with JavaScript and then submit the form. But when I used regular input elements (not hidden), I could change their values with JavaScript and submit the form without problems. My approach was to use regular input elements and hide them with CSS, since using input hidden elements was throwing the blackhole error when changing their values with JavaScript and then submitting the form.
Hopefully the way I did it could give some light as a possible approach to remove form fields in CakePHP using JavaScript.