Assigning variable to hidden form element

Posted: Sun Apr 23, 2006 5:36 am
by mhouldridge
Hi,

I have a page

http://www.something.com/imageupload?var=13

This takes you to a page with an upload form which has a hidden element. I have used the following code to set the hidden element's value:

Code:

<input name="var" type="hidden" id="var" value="<? $_GET['var']; ?>">
When the form is posted to uploadprocess.php I then use the following to display the var value:

Code:

echo $_POST['var'];

However nothing is displayed. I know my upload form hidden element code is wrong, but not sure how to fix this.

Please help.

Posted: Sun Apr 23, 2006 5:43 am
by mhouldridge
Ignore this,

I forgot that you had to echo hidden ones too.

Posted: Sun Apr 23, 2006 5:52 am
by R4000
I'm not quite sure what you want/need.
But I think you want to turn the _GET into _POST but want to use forms to do it (heh, dunno why, but here goes...):

Code:

if (isset($_GET['var'])) {
    // first request: build a form that carries the GET value over as a hidden field
    echo "<form action=\"" . $_SERVER['PHP_SELF'] . "\" method=\"POST\">\n";
    // the field needs a name, otherwise $_POST['var'] is never set;
    // the value is written in unescaped, which is what the example below abuses
    echo "<input type=\"hidden\" name=\"var\" value=\"" . $_GET['var'] . "\" />\n";
    echo "<input type=\"submit\" value=\"Next Page >>\" />\n";
    echo "</form>\n";
} elseif (isset($_POST['var'])) {
    // second request: the value now arrives via POST ($ escaped so PHP does not interpolate the array)
    echo "var is now in \$_POST :)";
}
If you use this, I'd watch out for register_globals, because it's easier than normal to fake a POST request.

Code:

page.php?var=lol"><input type="text" name="sql" value="SELECT * FROM TABLE
with that, it would echo:
<input type="hidden" name="var" value="lol"><input type="text" name="sql" value="SELECT * FROM TABLE" />
And if you had register_globals on, $sql would equal SELECT * FROM TABLE without you even knowing. Then it only takes a minor coding bug to exploit it.

The worst 'sploits are the small ones! - If you remember that you'll always be safe :)

Posted: Sun Apr 23, 2006 8:29 am
by timvw
Why use $_SERVER['PHP_SELF'] as action if '#' does all the same without the security problems...
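The following is an added example, not code posted by anyone in this thread. It shows a hardened version of the GET-to-hidden-field-to-POST hand-off that R4000 sketched, closing both issues raised above: the hidden value is validated as an integer and HTML-escaped before it is written into the attribute, so a crafted `?var=...` cannot break out of `value=""` and smuggle in extra inputs (the register_globals trick), and the form posts back to the same URL with an empty action, as timvw suggests, instead of echoing `$_SERVER['PHP_SELF']` into the page. The file name page.php and the helper names `read_var` and `attr` are assumptions for the illustration.

```php
<?php
// Added example (not from the thread). Assumed file: page.php (hypothetical).
declare(strict_types=1);

/** Return the id carried in 'var' as an int, or null if absent or malformed. */
function read_var(array $source): ?int
{
    if (!isset($source['var']) || is_array($source['var'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // e.g. 'lol"><input type="text" name="sql" ...' from the post above.
    $v = filter_var($source['var'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** Escape a value for use inside a double-quoted HTML attribute. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Both sources are untrusted: a POST can be forged just as easily as a GET,
// so the value is re-validated on the second request rather than assumed good.
$postVar = read_var($_POST);
$getVar  = read_var($_GET);

if ($postVar !== null) {
    // Second request: the value arrived via the hidden field.
    echo 'var is now in $_POST: ' . attr((string) $postVar) . "\n";
} elseif ($getVar !== null) {
    // First request: render the carrier form. action="" posts back to the
    // current URL without reflecting the request path into the markup.
    // The value is escaped even though it already validated as an int;
    // defence in depth here costs nothing.
    echo "<form action=\"\" method=\"POST\">\n";
    echo '<input type="hidden" name="var" value="' . attr((string) $getVar) . "\" />\n";
    echo "<input type=\"submit\" value=\"Next Page &gt;&gt;\" />\n";
    echo "</form>\n";
} else {
    http_response_code(400);
    echo "missing or invalid var\n";
}
```

With this in place, the payload R4000 shows never reaches the markup: `read_var` returns null for it and the script answers 400. Even if a future change relaxed the validation to accept free text, `attr` would turn the embedded `"` and `>` into `&quot;` and `&gt;`, so the injected `<input name="sql">` would appear as literal text inside the value rather than as a second form field.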