Thread: Are Hidden Variables $_POST variables?

  1. #1
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    602
    Thanks
    266
    Thanked 13 Times in 13 Posts

    Default Are Hidden Variables $_POST variables?

    If you pass some variable values from one form to another using hidden variables, how do you subsequently refer to those variables? For example, through a form on the first page the client indicates their country, so that value would be a $_POST variable (?)...
    Code:
    <input type="hidden" name="country" value="<?php echo $_POST['country']; ?>">
    then on the second page they enter their email address and an email is sent to them showing all their data. When replacing variables for use in the email, is the value of $country referred to as a $_POST variable or as just $country? Which is correct? This...
    Code:
    $body = str_replace('%country%',$country, $body);
    or this?
    Code:
    $body = str_replace('%country%',$_POST['country'], $body);
    Or is there a better way to accomplish this?

    Thanks.

  2. #2
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,629
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    Assuming your forms are using the POST method, yes.

    PHP Code:
    <input type="hidden" name="country" value="<?php echo $_POST['country']; ?>">
    As for getting the value, your second example will work, though I prefer doing it like this (cleaner, in my view):
    PHP Code:
    $country = $_POST['country'];
    $body = 'You live in %country%'; // I assume you have something like this that the line below modifies
    $body = str_replace('%country%', $country, $body);
    We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
    It's a Party in the CIA

  3. The Following User Says Thank You to traq For This Useful Post:

    kuau (01-21-2010)

  4. #3
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    602
    Thanks
    266
    Thanked 13 Times in 13 Posts

    Default

    Thanks, traq. Exactly what I needed to know!

    Something I have always wondered... if you refer to a variable as $_POST['country'] and the value has already been put in a regular variable like $country, will it still work? For example if you load $country from a database and refer to it as $_POST['country'], will the value come through?
    Last edited by kuau; 01-21-2010 at 09:24 PM. Reason: added more

  5. #4
    Join Date
    Jan 2008
    Posts
    4,158
    Thanks
    28
    Thanked 623 Times in 619 Posts
    Blog Entries
    1

    Default

    You mean like:
    Code:
    INSERT INTO Persons (country)
    VALUES ('".$_POST['country']."')
    If so - yes. It will always be there.
    Jeremy | jfein.net

  6. #5
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,629
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    The reason I prefer to assign POST (GET, etc.) variables to regular variables is that I run into fewer problems escaping, unescaping, and concatenating when I'm building queries and strings, especially more complicated ones. But it's just a preference.
    We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
    It's a Party in the CIA

  7. #6
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    602
    Thanks
    266
    Thanked 13 Times in 13 Posts

    Default

    So do you reassign them immediately, as soon as the value is retrieved from the form? And then in Nile's example you would use this instead?...

    Code:
    $country = $_POST['country'];
    INSERT INTO persons (country)
    VALUES ('".$country."')
    I am trying to rewrite a whole website so that it will still work with Register_Globals = Off and am trying to assign $_POST to almost all the variables. It's very tedious (expletives deleted).

  8. #7
    Join Date
    Jan 2008
    Posts
    4,158
    Thanks
    28
    Thanked 623 Times in 619 Posts
    Blog Entries
    1

    Default

    You could do this:
    Code:
    INSERT INTO persons (country)
    VALUES ('".$_POST['country']."')
    BUT ALWAYS REAL ESCAPE IT
    Jeremy | jfein.net

  9. #8
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    602
    Thanks
    266
    Thanked 13 Times in 13 Posts

    Default

    This is not the question. I don't have any trouble inserting the values into the database. I already do it exactly as you have there. I was asking if I should do it the other way.

    I don't know what "real escape it" means. Something about preventing SQL injection but I can't remember at the moment. I need to get everything working first before I worry about preventing someone from hacking it.

  10. #9
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,156
    Thanks
    262
    Thanked 690 Times in 678 Posts

    Default

    Referring to the original post: hidden is a type of form field. It is just like any other field that has a value-- text, password, etc. It is just not displayed in the browser or editable by the user (except by someone who knows how to 'hack' it with javascript). Just like any other value in the form it will be sent the same way as a text field (etc):
    <input type="hidden" name="f1" value="v1">
    <input type="text" name="f2" value="v2">
    Once submitted, both will be available in exactly the same way:
    $_GET/POST['f1'] == 'v1';
    (depending on method="get/post")


    About "real escaping":
    I think the name is nonsense, but that's what it's called: mysql_real_escape_string($string) (returns 'escaped' string).
    Basically this is a function in php that is designed to stop database hacking by injecting mysql code. It escapes certain characters (I have no idea which ones, actually, aside from the obvious things like quotes and semicolons), and returns a now safe string to use in a query.
    You should ALWAYS use it (or an equivalent function) on any user-generated text that goes inside a mysql query or a user can add code to hack your database-- delete it, get info they should not have, get around security, whatever.
    http://www.php.net/manual/en/functio...ape-string.php
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  11. The Following User Says Thank You to djr33 For This Useful Post:

    kuau (01-22-2010)

  12. #10
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,629
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    He means mysql_real_escape_string(). Yes, you should always use it before submitting user input to your DB to prevent SQL injection attacks.

    "Should" you do it my way? No, not necessarily. If you like it, go ahead, but don't feel compelled to change your method "just because." To answer your question, I assign the variables just before the block of code I'm going to use them in, like so:
    PHP Code:
    // some code
    // some other code

    // escape the submitted value just before it is used in the query
    $country = mysql_real_escape_string($_POST['country']);

    $SQL = "INSERT INTO persons (country) VALUES ('$country')";
    $query = mysql_query($SQL);

    // more other code, etc... 
    Just to keep things organized. Much easier than assigning all variables at the beginning and then having to remember where, exactly, I'm using them.

    On the other hand, rewriting your site to turn register_globals off is definitely something you should do.

    Edit:
    Quote Originally Posted by php.net
    mysql_real_escape_string() ... prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
    Last edited by traq; 01-22-2010 at 02:50 AM.
    We Only Torture the Folks We Don't Like (You're Probably Gonna Be Okay)
    It's a Party in the CIA

  13. The Following User Says Thank You to traq For This Useful Post:

    kuau (01-22-2010)
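
Added example, not part of any post in this thread: a hidden field comes back in `$_POST` like any other field, so its value gets escaped when it is echoed into the next form and bound as a parameter when it is inserted. The `persons` table and `country` column are the thread's; the function names and the request data are constructed for illustration, and PDO with an in-memory SQLite database is swapped in for the thread's `mysql_*` calls so the script runs offline.

```php
<?php
// Constructed request data standing in for a submitted form. The quotes and
// markup show what a client can put in a "hidden" field.
$requests = [
    ['country' => 'France'],
    ['country' => 'Fr"ance\' <b>x</b>'],
];

// Build the hidden input for the second page. htmlspecialchars() with
// ENT_QUOTES escapes &, <, >, " and ' so the value cannot close the attribute.
function hidden_country_field(string $country): string
{
    return '<input type="hidden" name="country" value="'
        . htmlspecialchars($country, ENT_QUOTES, 'UTF-8') . '">';
}

// Read the field as a string, whatever shape the client sent.
function posted_country(array $post): string
{
    return isset($post['country']) && is_string($post['country'])
        ? trim($post['country'])
        : '';
}

// Insert with a bound parameter: the value travels separately from the SQL
// text, so no manual escaping is needed and quotes stay plain data.
function insert_person(PDO $db, string $country): void
{
    $stmt = $db->prepare('INSERT INTO persons (country) VALUES (:country)');
    $stmt->execute([':country' => $country]);
}

// In-memory SQLite (assumption: pdo_sqlite is enabled); a MySQL DSN would be
// used the same way through PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE persons (country TEXT NOT NULL)');

foreach ($requests as $post) {
    $country = posted_country($post);
    insert_person($db, $country);
    echo hidden_country_field($country), "\n";
}

// Each stored row is exactly what was submitted, quotes included.
foreach ($db->query('SELECT country FROM persons') as $row) {
    echo 'stored: ', $row['country'], "\n";
}
```
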
