Are Hidden Variables $_POST variables?

**kuau** · 01-21-2010, 09:38 PM

If you pass some variable values from one form to another using hidden variables, how do you subsequently refer to those variables? For example, through a form on the first page the client indicates their country, so that value would be a $_POST variable (?)...

Code:

<input type="hidden" name="country" value="<?php echo $_POST['country']; ?>">

then on the second page they enter their email address and an email is sent to them showing all their data. When replacing variables for use in the email, is the value of $country referred to as a $_POST variable or as just $country? Which is correct? This...

Code:

$body = str_replace('%country%',$country, $body);

or this?

Code:

$body = str_replace('%country%',$_POST['country'], $body);

Or is there a better way to accomplish this?

Thanks.

**traq** · 01-21-2010, 09:42 PM

Assuming your forms are using the POST method, yes.

PHP Code:


<input type="hidden" name="country" value="<?php echo $_POST['country']; ?>">

As for getting the value, your second example will work, though I prefer doing it like this (cleaner, in my view):

PHP Code:


$country = $_POST['country'];
$body = 'You live in country'; // I assume you have something like this that the line below modifies
$body = str_replace('%country%',$country, $body);

**kuau** · 01-21-2010, 10:19 PM

Thanks, traq. Exactly what I needed to know!

Something I have always wondered... if you refer to a variable as $_POST['country'] and the value has already been put in a regular variable like $country, will it still work? For example if you load $country from a database and refer to it as $_POST['country'], will the value come through?

**Nile** · 01-21-2010, 10:28 PM

You mean like:

Code:

INSERT INTO Persons (country)
VALUES ('".$_POST['country']."')

If so - yes. It will always be there.

**traq** · 01-22-2010, 12:19 AM

The reason I prefer to assign POST (GET, etc.) variables to regular variables is that I run into fewer problems escaping, unescaping, and concatenating when I'm building queries and strings, especially more complicated ones. But it's just a preference.

**kuau** · 01-22-2010, 01:37 AM

So do you reassign them immediately, as soon as the value is retrieved from the form? And then in Nile's example you would use this instead?...

Code:

$country = $_POST['country'];
INSERT INTO persons (country)
VALUES ('".$country."')

I am trying to rewrite a whole website so that it will still work with Register_Globals = Off and am trying to assign $_POST to almost all the variables. It's very tedious (expletives deleted).

**Nile** · 01-22-2010, 02:04 AM

You could do this:

Code:

INSERT INTO persons (country)
VALUES ('".$_POST['country']."')

BUT ALWAYS REAL ESCAPE IT

**kuau** · 01-22-2010, 02:45 AM

This is not the question. I don't have any trouble inserting the values into the database. I already do it exactly as you have there. I was asking if I should do it the other way.

I don't know what "real escape it" means. Something about preventing SQL injection but I can't remember at the moment. I need to get everything working first before I worry about preventing someone from hacking it.

**djr33** · 01-22-2010, 03:34 AM

Referring to the original post: hidden is a type of form field. It is just like any other field that has a value-- text, password, etc. It is just not displayed in the browser or editable by the user (except by someone who knows how to 'hack' it with javascript). Just like any other value in the form it will be sent the same way as a text field (etc):
<input type="hidden" name="f1" value="v1">
<input type="text" name="f2" value="v2">
Once submitted, both will be available in exactly the same way:
$_GET/POST['f1'] == 'v1';
(depending on method="get/post")

About "real escaping":
I think the name is nonsense, but that's what it's called: mysql_real_escape_string($string) (returns 'escaped' string).
Basically this is a function in php that is designed to stop database hacking by injecting mysql code. It escapes certain characters (I have no idea which ones, actually, aside from the obvious things like quotes and semicolons), and returns a now safe string to use in a query.
You should ALWAYS use it (or an equivalent function) on any user-generated text that goes inside a mysql query or a user can add code to hack your database-- delete it, get info they should not have, get around security, whatever.
http://www.php.net/manual/en/functio...ape-string.php

**traq** · 01-22-2010, 03:38 AM

He means mysql_real_escape_string() . Yes, you should always use it before submitting user input to your DB to prevent SQL injection attacks.

"Should" you do it my way? No, not necessarily. If you like it, go ahead, but don't feel compelled to change your method "just because." To answer your question, I assign the variables just before the block of code I'm going to use them in, like so:

PHP Code:


// some code
// some other code

$country = mysql_real_escape_string($_POST['country']);

$SQL = "INSERT INTO persons (country) VALUES ('$country')";
$query = mysql_query($SQL);

// more other code, etc...

just to keep things organized. much easier than assigning all variables at the beginning and then having to remember where, exactly , I'm using them.

On the other hand, rewriting your site to turn register_globals off is definitely something you should do.

Edit:

Originally Posted by php.net

mysql_real_escape_string() ... prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.