  1. #1
    SitePoint Addict amy.damnit's Avatar

    How to Send Variable when clicking on Link?

    Still busy trying to finish up my Seminar Registration site, and piecing things together frantically as I go?!

    Here is my latest issue...

    I have a static HTML/CSS table that lists "Upcoming Seminars".

    Unfortunately, I don't have the time or desire to make that page dynamic, so I was hoping to just assign a "SeminarID" to a session variable depending on the link the user clicks on.

    Is that possible?

    And if so, how would I do it?

    Thanks,


    Amy

  2. #2
    SitePoint Zealot
    You can pass it via a querystring:

    http://site.com/page.php?id=123

    and retrieve it with $_GET['id'].
    Just make sure you sanitize the input, (e.g. convert $_GET['id'] to a number) so that the script can't be futzed with:

    $seminar_id = filter_var($_GET['id'],FILTER_SANITIZE_NUMBER_INT);

  3. #3
    SitePoint Addict amy.damnit's Avatar
    Quote Originally Posted by funkdaddy View Post
    You can pass it via a querystring:

    http://site.com/page.php?id=123

    and retrieve it with $_GET['id'].
    Yah, I actually had a moment of "inspiration" and remembered that from my PHP book from last June!!

    Here's what I did...

    Page 1:
    HTML Code:
          <!-- SEMINAR LISTING -->
          <table summary="STEP 1: Select a Seminar" id="tb_seminars">
            <tr>
              <th scope="col">TITLE</th>
              <th scope="col">LOCATION</th>
              <th scope="col">DATE</th>
              <th scope="col">VENUE</th>
            </tr>
            <tr class="altrow">
              <td>Some Topic - Beginning</td>
              <td>Los Angeles, CA</td>
              <td>Oct 27, 2009</td>
              <td><a href="102_SeminarDetails.php?seminar_id=1006">Hyatt Regency</a></td>
            </tr>
          </table>

    Page 2:

    Code:
    <?php
      // FUNCTION: Handle GET values.
      function input_get($name, $default = NULL) {
        return isset($_GET[$name]) ? $_GET[$name] : $default;
      }
    
      // Define variables.
      $passed_seminar = $_GET['seminar_id'];
      echo "seminar_id (from Page 1) = " . $passed_seminar;
    ?>
    How does that look??


    Just make sure you sanitize the input, (e.g. convert $_GET['id'] to a number) so that the script can't be futzed with:

    $seminar_id = filter_var($_GET['id'],FILTER_SANITIZE_NUMBER_INT);
    How is that different from what I did?

    Should I add that to my code or just use your code and ignore mine?

    Thanks,


    Amy

  4. #4
    SitePoint Zealot
    Your input isn't sanitized with that code, because someone could change the querystring manually and do an sql injection attack. If you're doing a database call from that:

    SELECT id,name,time FROM seminars WHERE id=$passed_seminar;

    If I change the querystring to ?seminar_id =''; DELETE FROM seminars; ...when your sql query is run, it will delete all the rows in your seminars table. I would do something like this:

    PHP Code:
        // filter and make a number
        $passed_seminar = filter_var($_GET['seminar_id'], FILTER_VALIDATE_INT);

        // check to see if seminar_id is a number
        if (is_int($passed_seminar)) {
            // do your thang
            echo "seminar_id (from Page 1) = " . $passed_seminar;
        }
    FILTER_VALIDATE_INT will validate the variable as a number. You can also assign it to only validate numbers of a certain range.

  5. #5
    SitePoint Addict amy.damnit's Avatar
    Quote Originally Posted by funkdaddy View Post
    Your input isn't sanitized with that code, because someone could change the querystring manually and do an sql injection attack. If you're doing a database call from that:

    SELECT id,name,time FROM seminars WHERE id=$passed_seminar;

    If I change the querystring to ?seminar_id =''; DELETE FROM seminars; ...when your sql query is run, it will delete all the rows in your seminars table.
    Wow! Not good?!


    I would do something like this:

    PHP Code:
        // filter and make a number
        $passed_seminar = filter_var($_GET['seminar_id'], FILTER_VALIDATE_INT);

        // check to see if seminar_id is a number
        if (is_int($passed_seminar)) {
            // do your thang
            echo "seminar_id (from Page 1) = " . $passed_seminar;
        }
    FILTER_VALIDATE_INT will validate the variable as a number. You can also assign it to only validate numbers of a certain range.
    Okay, but I am still a bit confused...

    //filter and make a number
    $passed_seminar = filter_var($_GET['seminar_id'],FILTER_VALIDATE_INT);

    It sounds like this takes the value and "casts" it to an INT type, right??

    What happens if someone put in seminar_id=gobblygook ???

    What does that function/filter then assign to my variable, $passed_seminar ??


    In the second bit of code...

    //check to see if seminar_id is a number
    if (is_int($passed_seminar)) {
    //do your thang
    echo "seminar_id (from Page 1) = " . $passed_seminar;
    }

    This seems like it is redundant to the first Filter thingy you did?!

    Thanks,


    Amy

  6. #6
    SitePoint Zealot
    Quote Originally Posted by amy.damnit View Post
    What happens if someone put in seminar_id=gobblygook ???

    What does that function/filter then assign to my variable, $passed_seminar ??
    Then it returns $passed_seminar as FALSE (boolean)

    Quote Originally Posted by amy.damnit View Post

    In the second bit of code...

    //check to see if seminar_id is a number
    if (is_int($passed_seminar)) {
    //do your thang
    echo "seminar_id (from Page 1) = " . $passed_seminar;
    }

    This seems like it is redundant to the first Filter thingy you did?!

    Thanks,


    Amy
    Basically, that just handles the code if there's an error. So it won't try and run an sql query or some other code that's expecting a number there. If you had an SQL query: SELECT * FROM seminars WHERE id=$passed_seminar, and the filter had filtered out a bad input, it would be an invalid SQL query and you'd get an error.
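
As an added example (not code from any poster in this thread), the sketch below combines the range-limited FILTER_VALIDATE_INT check described above with a bound query parameter, which goes a step beyond the validation-only advice in the thread. The helper names `seminar_id_from` and `find_seminar`, the 1 to 999999 range, the in-memory SQLite database (requires the pdo_sqlite extension) and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: constructed schema and rows. Table and column names follow
// the query quoted in the thread; the data is made up.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE seminars (id INTEGER PRIMARY KEY, name TEXT, time TEXT)');
$db->exec("INSERT INTO seminars VALUES (1006, 'Some Topic - Beginning', 'Oct 27, 2009')");

// Hypothetical helper: returns an int inside the allowed range, or null.
function seminar_id_from(array $query): ?int {
    $id = filter_var($query['seminar_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 999999]]);
    return is_int($id) ? $id : null;   // filter_var() yields false on bad input
}

// Hypothetical helper: the id is bound as a parameter, never concatenated
// into the SQL text.
function find_seminar(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, name, time FROM seminars WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed query strings standing in for $_GET.
$samples = [
    ['seminar_id' => '1006'],
    ['seminar_id' => 'gobblygook'],
    ['seminar_id' => "''; DELETE FROM seminars;"],
    ['seminar_id' => '1006abc'],
    ['seminar_id' => '-5'],
    ['seminar_id' => '42'],   // valid integer, but no such seminar
    [],                       // parameter missing entirely
];

foreach ($samples as $query) {
    $id  = seminar_id_from($query);
    $row = $id === null ? null : find_seminar($db, $id);
    printf("%-30s id=%-5s %s\n",
        var_export($query['seminar_id'] ?? null, true),
        var_export($id, true),
        $row ? 'found: ' . $row['name'] : 'rejected or not found');
}

// Count the rows after every constructed input has been processed.
echo 'rows in seminars: ', $db->query('SELECT COUNT(*) FROM seminars')->fetchColumn(), "\n";
```

In a real page, a null from either helper is the point at which to send the visitor back to the seminar list instead of rendering details.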

  7. #7
    SitePoint Addict amy.damnit's Avatar
    UGH! Why do things always get more complicated as they unravel?!

    Okay, let me back up and ask "What is the best way to do this with limited time and experience?!"

    I have a page entitled "Select a Seminar". It is a static HTML table which I really don't want to touch at this point. (CSS may be easy for everyone else, but it took me forever to get things just right and I don't have time to "break" this page?!)

    The last column of each row has a link called Details. When the user clicks on said link, I would like them to be taken to the "Seminar Details" page and have it dynamically populated based on the "seminar_id" that was passed from the first page. (Right now, I just created a separate static HTML page for each seminar.)

    Thanks to funkdaddy's help, I have that part working.

    However, now I have a new concern...

    What do I do if something happened to my GET value (e.g. glitch or a hacker), and then when the user goes to "Seminar Details" there would be no details?!

    The original goal of this thread was just to get "seminar_id" in a variable so I can use it during "Check Out".

    Being able to create "Seminar Detail" pages dynamically is a plus, however if it is going to take ages to make it reliable and secure then maybe it will have to wait?!

    Is there a way to do this and not spend a month programming it to handle hackers??

    Hope that makes sense?!



    Amy

  8. #8
    SitePoint Zealot
    No worries, if the $passed_seminar ends up invalid, just redirect the user back to the "Select a Seminar" page.
    PHP Code:
    if (is_int($passed_seminar)) {
        // do your thang
    } else {
        header("Location: select_seminar.php"); // or whatever the link is
        exit;
    }

    For now you can just redirect the bad requests, because 99% of the time if they are a legit user clicking on a seminar id, it will be right (test your click-throughs to make sure).


  9. #9
    SitePoint Addict amy.damnit's Avatar
    Thanks for the solution, Funkdaddy!!

    (Things always look easy when a pro does them!)


    Amy

