Pull parameter value from URL and insert into function

I am trying to pull the value of ?id from the URL, store it as $idd and then insert it into the function. Everything works fine if I add the value manually inside the function. But when I try to insert the value from the URL, things don't work. Any idea what I'm doing wrong?

Value of ?id=$order->add_product(get_product(368),5);

My function is :


add_shortcode('my_form_shortcode', 'create_order');

function create_order() {

 //Get info from url 
 $idd = $_GET['id'];

	
	global $woocommerce;
	
	$address = array(
		'first_name' =>  'ali' ,
		'last_name'  => 'Corson',
		'company'    => 'Automattic',
		'email'      => 'no@spam.com',
		'phone'      => '123-123-123',
		'address_1'  => '123 Main Woo st.',
		'address_2'  => '100',
		'city'       => 'San Francisco',
		'state'      => 'Ca',
		'postcode'   => '92121',
		'country'    => 'US'
	);
	
	// Now we create the order
	$order = wc_create_order();
	
    
    
    //insert the info from url here 
    $idd ;  
	
	// Set addresses
	$order->set_address( $address, 'billing' );
	$order->set_address( $address, 'shipping' );
	
	// Set payment gateway
	$payment_gateways = WC()->payment_gateways->payment_gateways();
	$order->set_payment_method( $payment_gateways['bacs'] );
	
	// Calculate totals
	$order->calculate_totals();
	$order->update_status( 'Completed', 'Order created dynamically - ', TRUE); 
}

Just to be clear, you want to put code in the URL and then when the page is hit execute that code? If so, that’s a horrible idea from a security point of view, as anyone can just run any code they like.

Better would be to only pass the product ID and quantity to the URL, like ?id=368&quantity=5 and then in the code do something like so:

function create_order($productId, $quantity) {
	
	global $woocommerce;
	
	$address = array(
		'first_name' =>  'ali' ,
		'last_name'  => 'Corson',
		'company'    => 'Automattic',
		'email'      => 'no@spam.com',
		'phone'      => '123-123-123',
		'address_1'  => '123 Main Woo st.',
		'address_2'  => '100',
		'city'       => 'San Francisco',
		'state'      => 'Ca',
		'postcode'   => '92121',
		'country'    => 'US'
	);
	
	// Now we create the order
	$order = wc_create_order();
	
	$order->add_product(get_product($productId), $quantity);
 	
	// Set addresses
	$order->set_address( $address, 'billing' );
	$order->set_address( $address, 'shipping' );
	
	// Set payment gateway
	$payment_gateways = WC()->payment_gateways->payment_gateways();
	$order->set_payment_method( $payment_gateways['bacs'] );
	
	// Calculate totals
	$order->calculate_totals();
	$order->update_status( 'Completed', 'Order created dynamically - ', TRUE); 
}

// Accept the product ID only if it is present and a valid integer
$id = null;
if (isset($_GET['id']) && filter_var($_GET['id'], FILTER_VALIDATE_INT) !== false) {
    $id = $_GET['id'];
}

if ($id === null) {
    exit ('Product ID missing or not a number');
}

// Same check for the quantity
$quantity = null;
if (isset($_GET['quantity']) && filter_var($_GET['quantity'], FILTER_VALIDATE_INT) !== false) {
    $quantity = $_GET['quantity'];
}

if ($quantity === null) {
    exit ('Product quantity missing or not a number');
}

create_order($id, $quantity);

I don’t… understand what you’re trying to do at this point? What’re you trying to DO with $idd? $idd is a string, simply sticking the variable name on a line and putting a semicolon after it doesn’t tell PHP to do anything.

If for some reason you were trying to accept PHP code through your URL (which, as @rpkamp points out, is insanely dangerous), then you would eval() the string.

Otherwise, you’ll have to explain to us a bit better what you’re trying to do with this string, which appears to be some sort of ID?

Your approach will only work if the number of products is 1 or predefined. But here I do not know if the URL will be sending over 1 product and qty or 15. With each new product a new line needs to be inserted. For example, if there are 3 products and qty coming over, it should look like this inside the function.

$order->add_product(get_product(36),7);
$order->add_product(get_product(38),5);
$order->add_product(get_product(368),15);

How would you approach this problem? Thanks in advance.

PS: This is a private site, so it has only one user and is password protected. I'm even willing to try a risky method security-wise.

Yes, I am trying to accept PHP code through my URL and execute it on the exact spot where I put $idd. I understand the security issue, but this site has a single user and is password protected, so I am willing to risk it unless there is another solution.

How would you approach the eval()?

I wouldn't.

I would have a series of predefined commands, which my user could send on the URL.

http://example.com/command.php?command=doathing
<?php
//Check That The User Is Logged In Here.

//Now Check the Command.
$validcommands = ['doathing','walkthisway','talkthisway'];
if(!isset($_GET['command']) || !in_array($_GET['command'],$validcommands)) {
  die("Invalid Command");
}

//Now execute the command.
$_GET['command']();

function doathing() {
  //Here be stuff..
}

(Yeah, I have no idea why I have Steven Tyler playing in my head either. Don’t ask.)

If you read my reply to @rpkamp above, you will see why this will not work for me. But I appreciate your feedback. If you have an alternative, I would love to know.

My first impulse is don’t send data over the url, POST the data instead, and then walk the array of form data in the way that rpkamp showed you, adding the product for each entry in the array in turn.

<input type='number' name='id[]' value=0>
<input type='number' name='quantity[]' value=0>
foreach($_POST['id'] AS $key=>$value) {
  $order->add_product(get_product($value),$_POST['quantity'][$key]);
}

(you’ll want to add some checking in there, of course… if the quantity is 0, continue, etc.)
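
The checking mentioned above, as an added example that is not part of any post in this thread: it validates the parallel `id[]` and `quantity[]` arrays so that only integers can ever reach `$order->add_product(get_product($id), $qty)`. The names `parse_order_lines` and `MAX_LINES`, the quantity cap of 1000 and the sample arrays are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). MAX_LINES and the quantity cap are assumed limits.
const MAX_LINES = 50;

/**
 * Returns [[productId, quantity], ...] or throws on malformed input.
 * Lines with quantity 0 are skipped, as the post suggests.
 */
function parse_order_lines(array $input): array
{
    $ids  = $input['id'] ?? null;
    $qtys = $input['quantity'] ?? null;
    if (!is_array($ids) || !is_array($qtys) || count($ids) !== count($qtys)) {
        throw new InvalidArgumentException('id[] and quantity[] must be arrays of equal length');
    }
    if (count($ids) > MAX_LINES) {
        throw new InvalidArgumentException('too many line items');
    }
    $lines = [];
    foreach ($ids as $key => $rawId) {
        // FILTER_VALIDATE_INT yields false for anything that is not an integer in range,
        // including nested arrays and strings containing code.
        $id  = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $qty = filter_var($qtys[$key] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 0, 'max_range' => 1000]]);
        if ($id === false || $qty === false) {
            throw new InvalidArgumentException("line $key: id and quantity must be integers");
        }
        if ($qty === 0) {
            continue; // nothing ordered on this line
        }
        $lines[] = [$id, $qty];
    }
    return $lines;
}

// Constructed sample input standing in for $_POST: three real lines and one empty one.
$good = ['id' => ['36', '38', '368', '40'], 'quantity' => ['7', '5', '15', '0']];
print_r(parse_order_lines($good));

// The string from the original question is rejected as data and never executed.
$bad = ['id' => ['$order->add_product(get_product(368),5);'], 'quantity' => ['1']];
try {
    parse_order_lines($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Inside `create_order()`, each returned pair would be passed to `$order->add_product(get_product($id), $qty)` in a `foreach`, after the login check.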
