  1. #1
    SitePoint Addict RedBishop

    Pass content of variable to another page

    Hi everyone,

    quick question:

    I need to transfer a variable - $name, that contains a string to another page. Will I have to use cookies or sessions? The string will actually contain conditionals that are used in the WHERE part of a SELECT query to retrieve info from a database. In other words, the string will contain column names and values. Is it secure to use a query string to transfer such information?

    PHP Code:
    page3.php?name=$name
    page3.php:

    PHP Code:
    $name = $_GET['name'];


    Thank you very much!

  2. #2
    SitePoint Wizard siteguru
    Quote Originally Posted by RedBishop View Post
    Is it secure to use a query string to transfer such information?
    In short - No. Not unless you have very robust error checking on the information passed over, and even then - No. Use your favourite search engine to look for "SQL injection attacks".
    Ian Anderson
    www.siteguru.co.uk

  3. #3
    Hosting Team Leader cpradio
    Quote Originally Posted by siteguru View Post
    In short - No. Not unless you have very robust error checking on the information passed over, and even then - No. Use your favourite search engine to look for "SQL injection attacks".
    I 100% agree with that statement. You can use Session if you'd like, don't use Cookies -- same attack vector as GET/POST! Personally, I'd argue you should send over multiple variables and then re-build the query on the receiving page so you can properly sanitize and verify the data sent before using it. Sending pre-made queries to be executed by another page is just bad practice all around.

  4. #4
    SitePoint Wizard siteguru
    Just re-read the OP to see that point you picked up!

    Ian Anderson
    www.siteguru.co.uk

  5. #5
    SitePoint Addict RedBishop
    Hi Ian and cpradio,

    thank you for the information!

    Is it not enough to run the variable through FILTER_SANITIZE_STRING and mysqli_real_escape_string on the receiving page? How else could I transfer this variable? I'm using pagination together with checkboxes to filter a query (where...&& something=something). I somehow need to pass the string containing the conditionals to the other pages. And it's not like someone can tell what the contents of the variable could be just by looking at the variable name.

    I'm no PHP guru so perhaps there's something I'm overlooking.


    Thanks.

  6. #6
    Hosting Team Leader cpradio
    Can you tell me if your query string would simply be:
    ?name=redbishop&numposts=25&type=posts

    Or would it be
    ?query=name=redbishop && numposts == 25 && type == posts

    The first is more than acceptable, and utilizing the two techniques you suggested is fine (except for numerics, you should use is_int, is_decimial, whatever fits).

  7. #7
    SitePoint Addict RedBishop
    Hi there cpradio,

    it is the former. My query string will be .php?city=london&name=$name.

    $name will contain a string such as:

    something='something'&&something='something'. I assign this string to the $name variable.

    When I tried to echo out the $name variable after receiving it on another page with $_GET, it would remain $name and not echo out the string. Maybe it will echo out the string if I use sessions or cookies?

    Ideally I don't want to resort to using either sessions or cookies for this functionality. Do you know of any other way that I could pass the variable to the other pages? What if I pass the checkbox values to a function which I call on every page and then build the query?


    Thank you for your help.

  8. #8
    Hosting Team Leader cpradio
    So $name is the result of multiple checkboxes? If so, that makes things a bit easier.

    Send it to another page:
    PHP Code:
    $name = implode(',', array_map('urlencode', $_POST['names'])); // take all checkbox values and pass them to urlencode, then concatenate them with implode.
    // pass $name via the query string
    // ?city=london&name=$name
    Receiving page:
    PHP Code:
    $name = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
    // you still need to use filter_var (or any logic you can think of to verify each value is appropriate) and mysqli_real_escape_string at this point before you build a query with the data.

  9. #9
    SitePoint Addict RedBishop
    Thank you for replying. What if I just wanted to pass the $name variable that already contains the string something='something'&&something='something' to the other page? I'm asking because when the page loads after a checkbox has been checked, I have already used that string in the query. So all I need to do is then pass the variable to the other pages.

    As mentioned, I tried to pass this variable with the string, but it would not echo out the string on the receiving page. Is there a reason this won't work?



    Thanks again.

  10. #10
    Hosting Team Leader cpradio
    You definitely would need to use urlencode (most likely). I still wouldn't recommend passing such a string via the query string, as there isn't a good way to validate it. It is part of an already established query, so you can't re-use mysqli_real_escape_string on it or parse it easily to verify a hacker didn't inject anything. You really need to just pass the form elements forward again and rebuild the query.

  11. #11
    SitePoint Addict RedBishop
    Sorry to keep on asking, but didn't you earlier say that it was okay to do so?

    The first is more than acceptable, and utilizing the two techniques you suggested is fine (except for numerics, you should use is_int, is_decimial, whatever fits).
    If I do use the array_map technique to pass the checkbox values, do you know if I can use multiple $_POST[''] variables in the array_map function? My form has checkboxes with different names, for example, name="price[]" and name="colour[]" ?


    Thank you.

  12. #12
    Hosting Team Leader cpradio
    Quote Originally Posted by RedBishop View Post
    Sorry to keep on asking, but didn't you earlier say that it was okay to do so?
    Yes and No. Yes if each variable you pass is a single value. You are sending a formatted query as the value, that is bad.

    Quote Originally Posted by RedBishop View Post
    If I do use the array_map technique to pass the checkbox values, do you know if I can use multiple $_POST[''] variables in the array_map function? My form has checkboxes with different names, for example, name="price[]" and name="colour[]" ?
    Certainly, you'd just run the code multiple times.
    PHP Code:
    $name  = implode(',', array_map('urlencode', $_POST['names'])); // take all checkbox values and pass them to urlencode, then concatenate them with implode.
    $color = implode(',', array_map('urlencode', $_POST['colour']));
    $price = implode(',', array_map('urlencode', $_POST['price']));
    // pass $name via the query string
    // ?city=london&name=$name&price=$price&color=$color
    Same thing for the receiving page:
    PHP Code:
    $name  = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
    $color = array_map('urldecode', explode(',', $_GET['color']));
    $price = array_map('urldecode', explode(',', $_GET['price']));
    // you still need to use filter_var (or any logic you can think of to verify each value is appropriate) and mysqli_real_escape_string at this point before you build a query with the data.
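    As an added example (not cpradio's or RedBishop's code), here is what the receiving page can look like when it follows the advice in this post: the checkbox values arrive as separate comma-separated parameters, each value is checked, and the WHERE clause is built with placeholders so the values are bound rather than concatenated into the SQL. Prepared statements via PDO stand in for mysqli_real_escape_string; the table and column names, the DSN and credentials, the value checks and the helper names splitList and buildWhere are all assumptions.

```php
<?php
// Added example, not code from the thread. A receiving page that rebuilds
// the WHERE clause from the separate parameters sent in the thread's
// format (?name=a,b&color=c&price=d) instead of accepting a ready-made
// SQL fragment. Table/column names, DSN and credentials are assumptions.

// Request parameter => column it may filter. Column names come only from
// this map; nothing taken from the request is ever spliced into the SQL.
$columns = [
    'name'  => 'name',
    'color' => 'colour',
    'price' => 'price_band',
];

// Per-parameter value checks: the "verify each value is appropriate" step
// from the thread (numeric columns get a numeric check, not escaping).
$checks = [
    'name'  => function ($v) { return strlen($v) <= 64; },
    'color' => function ($v) { return (bool) preg_match('/^[a-z]{1,20}$/', $v); },
    'price' => function ($v) { return ctype_digit($v) && strlen($v) <= 9; },
];

/**
 * Split one comma-separated parameter into trimmed, non-empty strings.
 * PHP has already percent-decoded $_GET, so there is no urldecode() here.
 */
function splitList($raw)
{
    if (!is_string($raw) || $raw === '') {
        return [];
    }
    return array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
}

/**
 * Returns [WHERE fragment, values to bind, rejected values].
 * Every value travels through a placeholder; the parameter name is only
 * used as a key into $columns and $checks, never as SQL text.
 */
function buildWhere(array $request, array $columns, array $checks)
{
    $clauses  = [];
    $bind     = [];
    $rejected = [];
    foreach ($columns as $param => $column) {
        $values = isset($request[$param]) ? splitList($request[$param]) : [];
        $good = [];
        foreach ($values as $v) {
            if ($checks[$param]($v)) {
                $good[] = $v;
            } else {
                $rejected[$param][] = $v;   // report, never pass through
            }
        }
        if ($good === []) {
            continue;
        }
        $marks     = implode(', ', array_fill(0, count($good), '?'));
        $clauses[] = "`$column` IN ($marks)";
        $bind      = array_merge($bind, $good);
    }
    $where = $clauses === [] ? '' : ' WHERE ' . implode(' AND ', $clauses);
    return [$where, $bind, $rejected];
}

// Constructed stand-in for $_GET on the receiving page.
$get = [
    'name'  => "fred,o'brien",  // the quote is plain data once it is bound
    'color' => 'red,Blue 4',    // second value fails the colour check
    'price' => '100',
    'city'  => 'london',        // not in $columns: ignored
];

list($where, $bind, $rejected) = buildWhere($get, $columns, $checks);

// Assumed DSN and credentials; disable emulation so the server prepares.
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('SELECT id, name, colour, price_band FROM products' . $where);
$stmt->execute($bind);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

    With the sample input, only the two names, the colour red and the price reach the database, each through its own placeholder; "Blue 4" lands in $rejected so the page can tell the user, and the unknown city parameter is dropped. Because the column list is fixed and the values are bound, the receiving page never has to reason about what a forwarded SQL fragment might contain, which is exactly the problem the thread identifies with passing something='something' strings around.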

  13. #13
    SitePoint Addict RedBishop
    Okay, thank you for all of your assistance. I appreciate it.


    Hope you have a great day!

  14. #14
    SitePoint Wizard
    I would recommend placing the data in the session so that the search results can be rebuilt regardless of the other pages visited by the user. Otherwise in order to rebuild the search results you would have to always pass that search criteria to each page via query string. I know you are just referring to pagination but typically it is a better user experience to rebuild search results from their current state based on the search criteria a user has selected.
    The only code I hate more than my own is everyone else's.

  15. #15
    SitePoint Addict RedBishop
    Hi cpradio,

    how are you doing?

    May I just ask you something? If my checkbox has a value with a space between the words, such as New York, the query string will be && name=new+york after using the array_map/urlencode combo. Then on the receiving page it will again be new+york after the array_map/urldecode combo. Is this normal to have the addition symbol between the words?

    Thank you.

  16. #16
    SitePoint Addict RedBishop
    Hi everyone,

    I'm still stuck trying to pass a variable to another page. Can someone please confirm whether or not the following works? I am unable to echo out the value of the variable on the receiving page - it just says $key is $value, instead of the names fred, megan and susan. Is this because I need to use sessions or cookies?



    Thank you for your time!!!




    PHP Code:
    $test = array('fred', 'megan', 'susan');
    if (isset($test)) {
        $name = implode(',', array_map('urlencode', $test));
    }

    The url:

    &name=$name">

    The receiving page:

    PHP Code:
    if (isset($_GET['name'])) {
        $getname = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
        foreach ($getname as $key => $value) {
            echo '$key is $value';
        }
    }

  17. #17
    Hosting Team Leader cpradio
    Quote Originally Posted by RedBishop View Post
    Hi cpradio,

    how are you doing?

    May I just ask you something? If my checkbox has a value with a space between the words, such as New York, the query string will be && name=new+york after using the array_map/urlencode combo. Then on the receiving page it will again be new+york after the array_map/urldecode combo. Is this normal to have the addition symbol between the words?

    Thank you.
    Sorry, I just saw this (I was on vacation for a few days due to the Holiday), give me a few minutes to try and reproduce the scenario locally, and I'll get back to you on this.

    Quote Originally Posted by RedBishop View Post
    Hi everyone,

    I'm still stuck trying to pass a variable to another page. Can someone please confirm whether or not the following works? I am unable to echo out the value of the variable on the receiving page - it just says $key is $value, instead of the names fred, megan and susan. Is this because I need to use sessions or cookies?



    Thank you for your time!!!




    PHP Code:
    $test = array('fred', 'megan', 'susan');
    if (isset($test)) {
        $name = implode(',', array_map('urlencode', $test));
    }

    The url:

    &name=$name">

    The receiving page:

    PHP Code:
    if (isset($_GET['name'])) {
        $getname = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
        foreach ($getname as $key => $value) {
            echo '$key is $value';
        }
    }
    No, it is because you used single quotes instead of double. Remember that single quotes mean output this text literally (don't evaluate it).

  18. #18
    Hosting Team Leader cpradio
    Quote Originally Posted by RedBishop View Post
    Hi cpradio,

    how are you doing?

    May I just ask you something? If my checkbox has a value with a space between the words, such as New York, the query string will be && name=new+york after using the array_map/urlencode combo. Then on the receiving page it will again be new+york after the array_map/urldecode combo. Is this normal to have the addition symbol between the words?

    Thank you.
    Hmm... you must be doing something wrong...

    Here is my test:
    sending_file.php
    PHP Code:
    <?php
    $names = array('test', 'test with spaces', 'test+space+already+encoded');
    $value = implode(',', array_map('urlencode', $names));
    var_dump($value);
    ?>
    <br /><br />
    <a href="receiving_file.php?names=<?= $value ?>">Send value to Receiving File</a>
    output:
    Code:
    string 'test,test+with+spaces,test%2Bspace%2Balready%2Bencoded' (length=54)

    <a href="receiving_file.php?names=test,test+with+spaces,test%2Bspace%2Balready%2Bencoded">Send value to Receiving File</a>
    receiving_file.php
    PHP Code:
    <?php
    var_dump($_GET['names']);
    $values = array_map('urldecode', explode(',', $_GET['names']));
    var_dump($values);
    output:
    Code:
    string 'test,test with spaces,test+space+already+encoded' (length=48)

    array (size=3)
      0 => string 'test' (length=4)
      1 => string 'test with spaces' (length=16)
      2 => string 'test space already encoded' (length=26)
    So as you can see, the spaces were converted to + in sending_file.php and were received that way in receiving_file.php. Once the array_map with urldecode was called, the + are gone...

  19. #19
    SitePoint Addict RedBishop
    Hi cpradio,

    it is working now, thank you. I did however notice a problem after the second or so page - the checkbox values disappear from the urls. I have thus added this code to the pagination urls:


    PHP Code:
    if (isset($name)) {
        echo '&name=' . $name;
    } elseif (isset($_GET['name'])) {
        $getname = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
        foreach ($getname as $key => $value) { // loop over the decoded list; $name is not set in this branch
            echo '&name=' . $value;
        }
    }


    Do you think this is an OK technique or have I done something wrong? I also have a question about which checkbox values I'm including in the url since I don't know beforehand which checkboxes have been selected. Should I thus have:
    PHP Code:
    page.php?<?php if (isset($name)) { echo '&name=' . $name; } if (isset($color)) { echo '&color=' . $color; } if (isset($price)) { echo '&price=' . $price; } ?>

    Thanks for all of your help.

  20. #20
    Hosting Team Leader cpradio
    Quote Originally Posted by RedBishop View Post
    Do you think this is an OK technique or have I done something wrong? I also have a question about which checkbox values I'm including in the url since I don't know beforehand which checkboxes have been selected. Should I thus have: [PHP]page.php?
    If you simply just need to pass the data along, look at using $_SERVER['QUERY_STRING'] to get the query string sent to the page.
    PHP Code:
    page.php?<?php echo $_SERVER['QUERY_STRING']; ?>
    That will take what was received and just pass it on. If you need to alter a value, you can use the following:
    PHP Code:
    parse_str($_SERVER['QUERY_STRING'], $query_string);
    $query_string['page'] = 2;
    $new_query_string = http_build_query($query_string);

    echo 'page.php?' . $new_query_string;
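    An added example that is not part of the thread, tying together the receiving_file.php output in post #18 and the parse_str/http_build_query suggestion above. It lets http_build_query encode the checkbox arrays itself, so the sending side needs no implode/urlencode and the receiving side no urldecode (the extra urldecode on an already-decoded $_GET value is what turned the third value's + signs into spaces in post #18), and it builds pagination links by re-encoding the received query string with the page number overridden. The function names buildFilterQuery and pageLink, the script name page.php and the sample form data are constructed for the example.

```php
<?php
// Added example, not code from the thread. Two pieces:
//  1. passing several checkbox values without a hand-rolled comma list,
//     which also avoids decoding twice (PHP decodes once when it fills
//     $_GET; a second urldecode turns a literal '+' into a space);
//  2. rebuilding pagination links from the current query string with
//     parse_str()/http_build_query(), as suggested in post #20.

/**
 * Build the query string for the results page from the submitted form.
 * $form is the raw $_POST array; keys not in $allowed are dropped.
 * Checkbox groups named colour[] / price[] arrive as arrays and are
 * emitted as colour[0]=..&colour[1]=.., which PHP turns back into
 * arrays in $_GET on the next page.
 */
function buildFilterQuery(array $form, array $allowed)
{
    $params = [];
    foreach ($allowed as $key) {
        if (!isset($form[$key])) {
            continue;
        }
        $isList = is_array($form[$key]);
        $list   = $isList ? $form[$key] : [$form[$key]];
        // keep only non-empty strings; drop nested arrays and empty boxes
        $list = array_values(array_filter($list, function ($v) {
            return is_string($v) && $v !== '';
        }));
        if ($list === []) {
            continue;
        }
        $params[$key] = $isList ? $list : $list[0];
    }
    // http_build_query percent-encodes every key and value, so spaces,
    // '+' and ',' inside a value all survive the round trip untouched.
    return http_build_query($params);
}

/**
 * Link to another page of the same result set: take the query string
 * the page received, override (or add) the page number, re-encode.
 * In a real page $currentQueryString is $_SERVER['QUERY_STRING'].
 */
function pageLink($currentQueryString, $page, $script = 'page.php')
{
    parse_str($currentQueryString, $query);
    $query['page'] = (int) $page;
    return $script . '?' . http_build_query($query);
}

// Constructed sample input standing in for a submitted form.
$post = [
    'city'    => 'New York',
    'colour'  => ['red', 'blue+green'],
    'price'   => ['10,20'],
    'ignored' => 'not in the allow-list',
];

$qs = buildFilterQuery($post, ['city', 'colour', 'price']);

// Simulate what the receiving page sees after PHP's own single decode.
parse_str($qs, $received);

// Link to page 2 of the same filtered result set, in an href attribute.
$href = htmlspecialchars(pageLink($qs, 2), ENT_QUOTES, 'UTF-8');
echo '<a href="' . $href . '">Next page</a>', PHP_EOL;
```

    With this input the city keeps its space, the colour keeps its literal + and the price keeps its comma on the receiving side, because each value is encoded exactly once on the way out and decoded exactly once by PHP on the way in; the pagination link carries all of the filters plus page=2, and calling pageLink again on a later page simply overwrites the page number instead of appending a second one. The receiving page still validates each value before it builds SQL, as post #8 says; this example only fixes the transport. Passing the link through htmlspecialchars matters because the query string is user-controlled and is being echoed back into HTML.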

  21. #21
    SitePoint Addict RedBishop
    If you simply just need to pass the data along, look at using $_SERVER['QUERY_STRING'] to get the query string sent to the page.
    Thank you for that info! Just out of curiosity, if I don't use $_SERVER['QUERY_STRING'], is my code a feasible alternative?

    And I would still need to structure my code in the following manner in order to build the query the first time around?

    PHP Code:
    page.php?<?php if (isset($name)) { echo '&name=' . $name; } if (isset($color)) { echo '&color=' . $color; } if (isset($price)) { echo '&price=' . $price; } ?>

    Sorry for the questions, but I need to ask them.

    Thanks again.

  22. #22
    Hosting Team Leader cpradio
    Quote Originally Posted by RedBishop View Post
    Thank you for that info! Just out of curiosity, if I don't use $_SERVER['QUERY_STRING'], is my code a feasible alternative?
    Yes, you can use what you have, it will continue to work.

    Quote Originally Posted by RedBishop View Post
    And I would still need to structure my code in the following manner in order to build the query the first time around?
    Yes you can.

  23. #23
    SitePoint Addict RedBishop
    Ok, thanks. I just wanted to make sure.


    Cheers.

