URL Values going missing

Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

URL Values going missing

Post by Addos »

The code below has values passed via the URL from another page.

audio_insertDEV.php?product_ID=30

But when the conditional statement returns an empty field error (if the form's field is left blank etc.) the URL loses its parameters and ends up just being:

audio_insertDEV.php

I’m not sure what to do here. Is it just the way I have the code running or is there something more I need to add?
Thanks

Code: Select all

<?php $colname_GetAudioUpdate = "1";
if (isset($_GET['product_ID'])) {
  $colname_GetAudioUpdate = (get_magic_quotes_gpc()) ? $_GET['product_ID'] : addslashes($_GET['product_ID']);
}
mysql_select_db($database_******, $*****);
$query_GetAudioUpdate = sprintf("SELECT * FROM tbl_products WHERE product_ID = %s", $colname_GetAudioUpdate);
$GetAudioUpdate = mysql_query($query_GetAudioUpdate, $armstrong) or die(mysql_error());
$row_GetAudioUpdate = mysql_fetch_assoc($GetAudioUpdate);
$totalRows_GetAudioUpdate = mysql_num_rows($GetAudioUpdate);
 
 
$nomessage = '';
if ($_POST && array_key_exists('MM_update',$_POST)) {
        //test to see it contains a MP3
    if ($_FILES['fupload']['type'] == "audio/mpeg") {
        } else { 
                $nomessage = '<br>'.'<span class="erroradmin"><strong>Opps! You must fill out the field and <br>make sure it\'s an MP3 you\'re uploading.</strong></span>';
            }
 
if (!$nomessage )  {
    // upload file
 
            }
 
    if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
     
//insert into database 
}}
?>

Code: Select all

 <form enctype="multipart/form-data" action="<?php print $_SERVER['PHP_SELF']?>" method="post">
 
 
     Upload MP3 File: <?php  if (isset($nomessage) && !empty($nomessage)) { echo $nomessage ; }  ?>
 
      <input type="file" name="fupload" value="<?php if (isset($_POST['fupload'])) echo $_POST['fupload'];?>"></td>
  
      <input type= "hidden" name="MAX_FILE_SIZE" value="102400"/>
      <input type= "submit" class="formButton" value="Upload MP3"/>
      <input type="hidden" name="product_ID" value="<?php echo $row_GetAudioUpdate['product_ID']; ?>">
      <input type="hidden" name="MM_update" value="form1">
        
</form>
thaynejo
Forum Newbie
Posts: 14
Joined: Tue Apr 01, 2008 9:06 am

Re: URL Values going missing

Post by thaynejo »

The primary issue I see is that you have set the form action to "post", but are trying to access the variables via "get". You need to change one or the other. If you are insistent on using GET (which will display the values in the URL), then make the change to the form as follows:

Code: Select all

<form enctype="multipart/form-data" action="<?php print $_SERVER['PHP_SELF']?>" method="get">
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: URL Values going missing

Post by John Cartwright »

thaynejo wrote:The primary issue I see is that you have set the form action to "post", but are trying to access the variables via "get". You need to change one or the other. If you are insistent on using GET (which will display the values in the URL), then make the change to the form as follows:

Code: Select all

<form enctype="multipart/form-data" action="<?php print $_SERVER['PHP_SELF']?>" method="get">
This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time. Also, you should not be using $_SERVER['PHP_SELF'], considering it allows the user to exploit XSS injection.

I would set the action with the parameters manually set in it, and/or alternatively you can pass the $_GET['product_id'] as a hidden field in the form.

Code: Select all

<form action="/process.php?product_id=<?php echo intval($_GET['product_id']); ?>">
Notice I applied intval() on the product id; this is also to avoid XSS injection by only allowing numbers. As a rule of thumb, never output anything that comes from the user without validating/sanitizing (this includes $_SERVER['PHP_SELF']).
thaynejo
Forum Newbie
Posts: 14
Joined: Tue Apr 01, 2008 9:06 am

Re: URL Values going missing

Post by thaynejo »

Jcart wrote:This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time.
There is no problem using them both. I use them all the time as well. What I was trying to point out is that the values in the $_POST array cannot be accessed via the $_GET array. The easiest way to fix his issue is to change the action to GET. That would solve the issue of the missing variables.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: URL Values going missing

Post by John Cartwright »

thaynejo wrote:
Jcart wrote:This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time.
There is no problem using them both. I use them all the time as well. What I was trying to point out is that the values in the $_POST array cannot be accessed via the $_GET array. The easiest way to fix his issue is to change the action to GET. That would solve the issue of the missing variables.
Ah sorry for misunderstanding. But still, your suggestion has some ugly side effects. :wink:
thaynejo
Forum Newbie
Posts: 14
Joined: Tue Apr 01, 2008 9:06 am

Re: URL Values going missing

Post by thaynejo »

Jcart wrote:Ah sorry for misunderstanding. But still, your suggestion has some ugly side effects. :wink:
No problem, and I agree. Always clean the input first so that you don't have to cry later. I am a fairly new user to PHP, so my code can always be improved. Thank you for the assistance.
Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

Re: URL Values going missing

Post by Addos »

As a matter of interest what about doing this? I have to say I don’t always understand this enough but try to learn from a few angles about attacks etc.

Code: Select all

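<?php
// Build the form action from the current script path plus the query string.
// Note: only the query string is escaped here; PHP_SELF is used as-is.
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
?>
<form method="post" name="form1" action="<?php echo $editFormAction; ?>">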
Thanks for the help!
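
Added example, not part of any post in this thread: it compares the form action built from $_SERVER['PHP_SELF'] plus an escaped query string (as in the last post) with one built from SCRIPT_NAME and an integer-validated product_ID, which keeps the parameter across the POST without echoing request-controlled text. The request values are constructed, and the function names action_from_php_self() and safe_form_action() are hypothetical.

```php
<?php
// Constructed request values (not taken from the thread).
// PHP_SELF includes any trailing path info the client appended to the URL;
// SCRIPT_NAME holds only the script path.
$server = [
    'PHP_SELF'     => '/audio_insertDEV.php/"><b>injected</b>',
    'SCRIPT_NAME'  => '/audio_insertDEV.php',
    'QUERY_STRING' => 'product_ID=30',
];

// Approach from the last post: the query string is escaped, PHP_SELF is not,
// so markup placed in the path reaches the action attribute unchanged.
function action_from_php_self(array $server): string
{
    $action = $server['PHP_SELF'];
    if (isset($server['QUERY_STRING'])) {
        $action .= '?' . htmlentities($server['QUERY_STRING']);
    }
    return $action;
}

// Hardened variant (hypothetical helper): fixed script path, product_ID
// accepted only as a positive integer, whole value escaped for an attribute.
function safe_form_action(array $server, array $get): string
{
    $action = $server['SCRIPT_NAME'];
    $id = filter_var(
        $get['product_ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id !== false) {
        // Re-emit the validated integer, never the raw request string.
        $action .= '?' . http_build_query(['product_ID' => $id]);
    }
    return htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
}

// First line shows the unescaped path info; the next two show the hardened
// result for a valid ID and for a value that fails integer validation.
echo action_from_php_self($server), "\n";
echo safe_form_action($server, ['product_ID' => '30']), "\n";
echo safe_form_action($server, ['product_ID' => '30 OR 1=1']), "\n";
```

With the hardened action the page can keep reading $_GET['product_ID'] after the form posts back, since the validated ID is carried in the action URL.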