Assigning variable to hidden form element

mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Hi,

I have a page

http://www.something.com/imageupload?var=13

This takes you to a page with an upload form which has a hidden element. I have used the following code to set the hidden element's value;

Code:

<input name="var" type="hidden" id="var" value="<? $_GET['var']; ?>">

When the form is posted to uploadprocess.php I then use the following to display the var value;

Code:

echo $_POST['var'];

However nothing is displayed. I know my upload form hidden element code is wrong, but not sure how to fix this.

Please help.
mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Ignore this,

I forgot that you had to echo hidden ones too.
R4000
Forum Contributor
Posts: 168
Joined: Wed Mar 08, 2006 12:50 pm
Location: Cambridge, United Kingdom

Post by R4000 »

I'm not quite sure what you want/need.
But I think you want to turn the _GET into _POST but want to use forms to do it (heh, dunno why, but here goes...):

Code:

if (!empty($_GET['var'])) {
    // The request values are written into the markup as-is (unescaped).
    echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">\n";
    echo "<input type=\"hidden\" value=\"".$_GET['var']."\" />\n";
    echo "<input type=\"submit\" value=\"Next Page >>\" />\n";
    echo "</form>\n";
} elseif (!empty($_POST['var'])) {
    // Escape the dollar sign so the text "$_POST" is printed literally.
    echo "var is now in \$_POST :)";
}

If you use this, I'd watch out for register_globals, because it's easier than normal to fake a post request.

Code:

page.php?var=lol"><input type="text" name="sql" value="SELECT * FROM TABLE

With that, it would echo:

html wrote:
<input type="hidden" value="lol"><input type="text" name="sql" value="SELECT * FROM TABLE" />

And if you had register_globals on, $sql would = SELECT * FROM TABLE, without you even knowing. Then it only takes a minor coding bug to exploit it.

The worst 'sploits are the small ones! - If you remember that you'll always be safe :)
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Why use $_SERVER['PHP_SELF'] as action if '#' does all the same without the security problems...
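
A hardened version of the pass-through form discussed in this thread, as an added example that is not code from any of the posters: the value is validated on input, escaped on output, checked again when it comes back in the POST, and the form carries no `$_SERVER['PHP_SELF']`. The function names `attr`, `numeric_id` and `handle` are hypothetical, and it assumes `var` is a numeric id as in the original `?var=13` URL.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// Escape untrusted text for use inside a quoted HTML attribute value.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption: var is a numeric id, as in ?var=13. Returns null otherwise.
function numeric_id($raw): ?string
{
    return (is_string($raw) && ctype_digit($raw) && strlen($raw) <= 10) ? $raw : null;
}

// Build the response for one request. $get and $post stand in for $_GET and $_POST.
function handle(string $method, array $get, array $post): string
{
    if ($method === 'POST') {
        // A hidden field is client-controlled: validate it again on receipt.
        $id = numeric_id($post['var'] ?? null);
        return $id === null ? "invalid var\n" : "var is now in \$_POST: " . attr($id) . "\n";
    }
    $id = numeric_id($get['var'] ?? null);
    if ($id === null) {
        return "invalid var\n";
    }
    // No action attribute: the form posts back to the current URL, so
    // $_SERVER['PHP_SELF'] is never written into the page.
    return "<form method=\"post\">\n"
         . '<input type="hidden" name="var" value="' . attr($id) . "\" />\n"
         . "<input type=\"submit\" value=\"Next Page &gt;&gt;\" />\n"
         . "</form>\n";
}

// Constructed inputs: the normal id, then the markup-breaking value from the thread.
$breaker = 'lol"><input type="text" name="sql" value="SELECT * FROM TABLE';
echo handle('GET', ['var' => '13'], []);
echo handle('GET', ['var' => $breaker], []);   // rejected by numeric_id()
echo handle('POST', [], ['var' => '13']);
// Escaping alone, for a field that has to accept free text:
echo '<input type="hidden" name="var" value="' . attr($breaker) . "\" />\n";
```

The last line prints the value with its quotes and angle brackets as entities, so it stays inside the `value` attribute instead of opening a second input.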