Pull parameter value from URL and insert into function

I am trying to pull the value of ?id from the URL, store it as $idd and then insert it into the function. Everything works fine if I add the value manually inside the function. But when I try to use the URL and insert the value from the URL, things don't work. Any idea what I'm doing wrong?

Value of ?id=$order->add_product(get_product(368),5);

My function is :


add_shortcode('my_form_shortcode', 'create_order');

function create_order() {

 //Get info from url 
 $idd = $_GET['id'];

	
	global $woocommerce;
	
	$address = array(
		'first_name' =>  'ali' ,
		'last_name'  => 'Corson',
		'company'    => 'Automattic',
		'email'      => 'no@spam.com',
		'phone'      => '123-123-123',
		'address_1'  => '123 Main Woo st.',
		'address_2'  => '100',
		'city'       => 'San Francisco',
		'state'      => 'Ca',
		'postcode'   => '92121',
		'country'    => 'US'
	);
	
	// Now we create the order
	$order = wc_create_order();
	
    
    
    //insert the info from url here 
    $idd ;  
	
	// Set addresses
	$order->set_address( $address, 'billing' );
	$order->set_address( $address, 'shipping' );
	
	// Set payment gateway
	$payment_gateways = WC()->payment_gateways->payment_gateways();
	$order->set_payment_method( $payment_gateways['bacs'] );
	
	// Calculate totals
	$order->calculate_totals();
	$order->update_status( 'Completed', 'Order created dynamically - ', TRUE); 
}
Just to be clear, you want to put code in the URL and then when the page is hit execute that code? If so, that’s a horrible idea from a security point of view, as anyone can just run any code they like.

Better would be to only pass the product ID and quantity to the URL, like ?id=368&quantity=5 and then in the code do something like so:

function create_order($productId, $quantity) {
	
	global $woocommerce;
	
	$address = array(
		'first_name' =>  'ali' ,
		'last_name'  => 'Corson',
		'company'    => 'Automattic',
		'email'      => 'no@spam.com',
		'phone'      => '123-123-123',
		'address_1'  => '123 Main Woo st.',
		'address_2'  => '100',
		'city'       => 'San Francisco',
		'state'      => 'Ca',
		'postcode'   => '92121',
		'country'    => 'US'
	);
	
	// Now we create the order
	$order = wc_create_order();
	
	$order->add_product(get_product($productId), $quantity);
 	
	// Set addresses
	$order->set_address( $address, 'billing' );
	$order->set_address( $address, 'shipping' );
	
	// Set payment gateway
	$payment_gateways = WC()->payment_gateways->payment_gateways();
	$order->set_payment_method( $payment_gateways['bacs'] );
	
	// Calculate totals
	$order->calculate_totals();
	$order->update_status( 'Completed', 'Order created dynamically - ', TRUE); 
}

$id = null;
// FILTER_VALIDATE_INT returns false for anything that is not an integer
if (isset($_GET['id']) && filter_var($_GET['id'], FILTER_VALIDATE_INT) !== false) {
    $id = $_GET['id'];
}

if ($id === null) {
    exit ('Product ID missing or not a number');
}

$quantity = null;
if (isset($_GET['quantity']) && filter_var($_GET['quantity'], FILTER_VALIDATE_INT) !== false) {
    $quantity = $_GET['quantity'];
}

if ($quantity === null) {
    exit ('Product quantity missing or not a number');
}

create_order($id, $quantity);
I don’t… understand what you’re trying to do at this point? What’re you trying to DO with $idd? $idd is a string, simply sticking the variable name on a line and putting a semicolon after it doesn’t tell PHP to do anything.

If for some reason you were trying to accept PHP code through your URL (which, as @rpkamp points out, is insanely dangerous), then you would eval() the string.

Otherwise, you’ll have to explain to us a bit better what you’re trying to do with this string, which appears to be some sort of ID?

Your approach will only work if the number of products is 1 or predefined. But here I do not know if the URL will be sending over 1 product and qty or 15. With each new product a new line needs to be inserted. For example, if there are 3 products and qty coming over, it should look like this inside the function.

$order->add_product(get_product(36),7);
$order->add_product(get_product(38),5);
$order->add_product(get_product(368),15);

How would you approach this problem? Thanks in advance.

PS: This is a private site, so it has only one user and is password protected. I'm even willing to try a risky method security-wise.

Yes, I am trying to accept PHP code through my URL and execute it on the exact spot where I put $idd. I understand the security issue, but this site has a single user and is password protected, so I am willing to risk it unless there is another solution.

How would you approach the eval()?

I wouldn't.

I would have a series of predefined commands, which my user could send on the URL.

http://example.com/command.php?command=doathing

<?php
//Check That The User Is Logged In Here.

//Now Check the Command.
$validcommands = ['doathing','walkthisway','talkthisway'];
if(!isset($_GET['command']) || !in_array($_GET['command'],$validcommands)) {
  die("Invalid Command");
}

//Now execute the command.
$_GET['command']();

function doathing() {
  //Here be stuff..
}

(Yeah, I have no idea why I have Steven Tyler playing in my head either. Don’t ask.)
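
For the variable number of products raised in the thread, the product IDs and quantities can travel as an array parameter and be validated one by one, so no code ever comes from the URL. This is an added example, not part of any post above; the parameter name `items`, the two limits and the helper `parse_order_items()` are assumptions made for illustration.

```php
<?php
// Added example: parse ?items[36]=7&items[38]=5&items[368]=15 into validated
// (product ID, quantity) pairs. The parameter name "items", the helper name
// and both limits are assumptions made for this example.

const MAX_LINES = 50;     // assumed cap on order lines per request
const MAX_QTY   = 1000;   // assumed cap on quantity per line

function parse_order_items(array $query): array
{
    if (!isset($query['items']) || !is_array($query['items'])) {
        throw new InvalidArgumentException('items parameter missing');
    }
    if (count($query['items']) > MAX_LINES) {
        throw new InvalidArgumentException('too many order lines');
    }

    $lines = [];
    foreach ($query['items'] as $id => $qty) {
        // Key and value are both user-controlled: accept only integers in
        // range and reject everything else instead of trying to clean it.
        $id  = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $qty = filter_var($qty, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => MAX_QTY]]);
        if ($id === false || $qty === false) {
            throw new InvalidArgumentException('product ID or quantity is not a valid integer');
        }
        $lines[] = [$id, $qty];
    }
    return $lines;
}

// Constructed sample input, shaped like $_GET for the URL above.
$sample = ['items' => ['36' => '7', '38' => '5', '368' => '15']];
foreach (parse_order_items($sample) as [$id, $qty]) {
    echo "add_product(product $id, quantity $qty)\n";
    // Inside create_order() this line would be:
    // $order->add_product(get_product($id), $qty);
}

// A code-bearing value like the one in the question is rejected, never run.
try {
    parse_order_items(['items' => ['368' => '$order->add_product(get_product(368),5);']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```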