0

Hi friends,
How do I send a POST value in a URL?
The code is:
header('Location:edit_products.php?catid=$_POST[catidHd]&catname=$_POST[catnameHd]');
The $_POST[catidHd] value couldn't be taken. How do I give this $_POST[catidHd] in the URL?

Thanks

0
header("Location:edit_products.php?catid={$_POST['catidHd']}&catname={$_POST['catnameHd']}");

It doesn't take the value.

0

You can't do that unless a form is actually posting those values. What does your form look like? And when are you calling this code?

0

It's very bad practice to input raw $_POST data in your URLs; this can be subject to MySQL injection.

You should be capturing/sending your $_POST values as such:

if (isset($_POST['var'])) {
    $var = mysql_real_escape_string($_POST['var']);
    header("Location: mypage.php?value=" . $var . "");
}

With the above code, you capture $_POST only if it is actually set (this prevents having empty variables). The following line escapes the string from any attempts at SQL injection.

Hope this helps.

Edited by stoopkid: left out an apostrophe

0

@stoopkid, can you explain why you'd bother to escape the post input when you're just exposing the variables to the user again on the URL? There is no point.

Instead, you would escape the input before you use it internally within your application.

Edited by blocblue: n/a

0

$_POST data comes from something submitted. If users are submitting data, you'll want to escape characters.

The bottom line is don't trust your users. All it takes is one SQL Injection to wipe out your work.

You should post your code so we actually know what you're trying to do.

0

Why are we passing posted variables in the URL anyway? Why not just submit the form to that URL in the first place off of form action='x.php', and process the posted values on x.php, which I am assuming the original poster is doing anyway?
stoopkid has a point: "The bottom line is don't trust your users. All it takes is one SQL Injection to wipe out your work."
And I would also agree that:
'You should post your code so we actually know what you're trying to do.'
which I also asked for earlier in this thread.
Why show/explain to somebody how to build their form incorrectly when there is probably 'a better way'?

0

@stoopkid
If the form values ($_POST) are being used to access an underlying database, then you're correct, the values should be escaped to avoid MySQL injection attacks.

If however, the values are just being used to create and redirect to another URL, then there is no reason to escape the values, because they will be accessible again on the next page, hence they could be tampered with again.

On the next page, if the URL values ($_GET) are being used to access an underlying database, then the values should be escaped to avoid MySQL injection attacks.


@ddymacek
The OP might be entering the details into a database and then redirecting to a subsequent page based on their selection. Using method="get" is one option, but if the follow on page could be one of many, then a redirect works just as well.


R.

0

Sure, blocblue: I understand why certain things are done and when and how to do them, but that is just it, this is all speculation. The OP has yet to reply about what they are doing and why, which is a relevant question, because they might not understand what they are actually doing or how stuff works.
You have now replied to stoopkid 2x, somehow denouncing (or attempting to clarify) their answer. He has a valid point, just perhaps not useful at that exact moment, but you do not know that and neither do I. It's all speculation on what is actually happening and when it is happening in this code. stoopkid made a good point to never trust user input, so how much closer are we to an answer... still nowhere until the OP either tells us what is going on, or closes the thread. I'll leave the speculating to you.
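
Added example, not part of any post in this thread: the two points argued above (encode values for the URL when building the redirect; treat the `$_GET` values as untrusted again on the next page) in one PHP sketch. The function names, the `products` table and the sample input are hypothetical, and the demo assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example; function names, table and sample values are hypothetical.

// Form handler: build the redirect target from the posted fields.
function build_redirect(array $post): ?string
{
    // catidHd must be a positive integer; anything else is rejected.
    $catid = filter_var($post['catidHd'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $catname = $post['catnameHd'] ?? '';
    if ($catid === false || !is_string($catname) || trim($catname) === '') {
        return null;
    }
    // http_build_query() percent-encodes every value for the URL context.
    return 'edit_products.php?' . http_build_query(
        ['catid' => $catid, 'catname' => trim($catname)]);
}

// edit_products.php: the query string is user-controlled again, so validate
// it again and bind it as a parameter instead of escaping it into the SQL.
function find_products(PDO $db, array $get): array
{
    $catid = filter_var($get['catid'] ?? null, FILTER_VALIDATE_INT);
    if ($catid === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT name FROM products WHERE catid = ?');
    $stmt->execute([$catid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data (in-memory SQLite, needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (catid INTEGER, name TEXT)');
$db->exec("INSERT INTO products VALUES (3, 'hammer'), (4, 'paint')");

$url = build_redirect(['catidHd' => '3', 'catnameHd' => "Tools & 'Parts'"]);
// In the real handler: header('Location: ' . $url); exit;
echo $url, "\n";

// Simulate the next request by parsing the query string back into $_GET form.
parse_str(parse_url($url, PHP_URL_QUERY), $get);
print_r(find_products($db, $get));

// A tampered catid fails validation and never reaches the query.
print_r(find_products($db, ['catid' => '3 OR 1=1']));
```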
