Trouble passing variables through url of a second page

drayarms
Forum Contributor
Posts: 134
Joined: Fri Dec 31, 2010 5:11 pm

Post by drayarms »

Here is a simplified version of a script which I named register.php that processes user input from a registration form.

<?php
if (isset($_POST['submitted'])) {
 
$firstname = mysql_real_escape_string($_POST['firstname']);

$lastname = mysql_real_escape_string($_POST['lastname']);

header("Location: register_confirm_page.php?firstname=$firstname&lastname=$lastname");

}
 ?>


As intended, the firstname and lastname posted variables are carried over to a redirected page register_confirm_page.php where the user is supposed to review his registration details before clicking the final submit button to be registered. So far everything works just fine as intended. Below is a simplified version of the register confirm page:

<?php

//Retrieve variables from previous page

$firstname=$_GET['firstname'];

$lastname=$_GET['lastname'];

//Show user his details

echo "Firstname:" .$firstname. "<br/>"  ; 
echo "Lastname:" .$lastname;

//Show the submit button.
echo'<form method="post" action="register_confirm.php?firstname=$firstname&lastname=$lastname"> <input type="submit" name="submit" value="Register!"  /> </form>   ';

?>

Now the intent is to send the first name and last name to yet another page register_confirm.php, where the value is finally submitted into my database. To keep it simple, I won't include this third page, but what I basically did there was use the GET method as above, to retrieve the values again. Well this time around, the first and last names are not sent to the third page. Instead, the literal values '$firstname' and '$lastname' are passed through the url to the third page and I know this because that's what shows up in the url when I click the submit button and that's also what shows up in my database table. Does anyone understand why this may be happening and not what I expected would happen? I have passed variables between more than 2 pages before but this is the first time I am encountering this problem. I really can't see what is being done wrong here. Perhaps someone can.
cwheel3915
Forum Commoner
Posts: 28
Joined: Wed Apr 28, 2010 8:02 pm

Post by cwheel3915 »

 <?php

//Retrieve variables from previous page

$firstname=$_GET['firstname'];

$lastname=$_GET['lastname'];

//Show user his details

echo "Firstname:" .$firstname. "<br/>"  ; 
echo "Lastname:" .$lastname;
?>

<form method="post" action="register_confirm.php?firstname=<?php echo $firstname; ?>&lastname=<?php echo $lastname; ?>"> 
<input type="submit" name="submit" value="Register!"  /> </form>  
That should work. I think there was a problem with your echo.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Post by AbraCadaver »

cwheel3915 wrote:

 <?php

//Retrieve variables from previous page

$firstname=$_GET['firstname'];

$lastname=$_GET['lastname'];

//Show user his details

echo "Firstname:" .$firstname. "<br/>"  ; 
echo "Lastname:" .$lastname;
?>

<form method="post" action="register_confirm.php?firstname=<?php echo $firstname; ?>&lastname=<?php echo $lastname; ?>"> 
<input type="submit" name="submit" value="Register!"  /> </form>  
That should work. I think there was a problem with your echo.

Yes, read about the differences between single and double quotes: http://us.php.net/manual/en/language.types.string.php

mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Post by McInfo »

What is the point of calling mysql_real_escape_string() in register.php if the escaped values are immediately released back into the public scope? It would make a little more sense to use urlencode() to prepare the values for the Location header, but the real problem here is that register.php does not have a meaningful role. If it were excluded from the flow entirely by making two small changes to the submission form, the script's absence would have no effect on the application.

The register_confirm_page.php page is vulnerable to cross-site scripting. Use htmlspecialchars() or htmlentities(). Do not assume that the only way to access a script is through another script just because that is the only way you access the script.
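
The two points above (urlencode() for the Location header, htmlspecialchars() for the confirm page) combined with the quoting fix from earlier in the thread, as an added PHP example that is not code from any poster here. The helper names h(), str_param(), confirm_url() and render_confirm_page() are hypothetical, and the sample input is constructed.

```php
<?php
// Added example, not from the thread. All function names are hypothetical.

// Encode a value for HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read one request parameter as a string; arrays (?firstname[]=x) become ''.
function str_param(array $src, string $key): string
{
    $v = $src[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Build page?query; http_build_query() percent-encodes every value,
// which is what urlencode() would do by hand for the Location header.
function confirm_url(string $page, array $params): string
{
    return $page . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Body of register_confirm_page.php: values are URL-encoded for the
// action URL, then the whole URL is HTML-encoded for the attribute.
function render_confirm_page(array $get): string
{
    $firstname = str_param($get, 'firstname');
    $lastname  = str_param($get, 'lastname');
    $action    = confirm_url('register_confirm.php', [
        'firstname' => $firstname,
        'lastname'  => $lastname,
    ]);

    return 'Firstname: ' . h($firstname) . "<br/>\n"
         . 'Lastname: ' . h($lastname) . "<br/>\n"
         . '<form method="post" action="' . h($action) . '">'
         . '<input type="submit" name="submit" value="Register!" /></form>' . "\n";
}

// In register.php the redirect would be built the same way:
//   header('Location: ' . confirm_url('register_confirm_page.php', [...])); exit;

// Constructed sample input containing markup, a quote and an ampersand.
$sample = ['firstname' => '<b>Ann</b>"', 'lastname' => "O'Brien & Sons"];
echo render_confirm_page($sample);
```

Output encoding only covers the display; register_confirm.php still has to treat the incoming values as untrusted when it writes them to the database.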