Page 1 of 1

URL Values going missing

Posted: Wed Apr 02, 2008 9:16 am
by Addos
The code below has values passed via the URL from another page.

audio_insertDEV.php?product_ID=30

But when the conditional statement returns an empty field error (if the forms field is left blank etc) the URL looses it’s parameters and ends up just being:

audio_insertDEV.php

I’m not sure what to do here. Is it just the way I have the code running or is there something more I need to add?
Thanks

Code: Select all

<?php $colname_GetAudioUpdate = "1";
if (isset($_GET['product_ID'])) {
  $colname_GetAudioUpdate = (get_magic_quotes_gpc()) ? $_GET['product_ID'] : addslashes($_GET['product_ID']);
}
mysql_select_db($database_******, $*****);
$query_GetAudioUpdate = sprintf("SELECT * FROM tbl_products WHERE product_ID = %s", $colname_GetAudioUpdate);
$GetAudioUpdate = mysql_query($query_GetAudioUpdate, $armstrong) or die(mysql_error());
$row_GetAudioUpdate = mysql_fetch_assoc($GetAudioUpdate);
$totalRows_GetAudioUpdate = mysql_num_rows($GetAudioUpdate);
 
 
$nomessage = '';
if ($_POST && array_key_exists('MM_update',$_POST)) {
        //test to see it contains a MP3
    if ($_FILES['fupload']['type'] == "audio/mpeg") {
        } else { 
                $nomessage = '<br>'.'<span class="erroradmin"><strong>Opps! You must fill out the field and <br>make sure it\'s an MP3 you\'re uploading.</strong></span>';
            }
 
if (!$nomessage )  {
    // upload file
 
            }
 
    if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
     
//insert into database 
}}
?>

Code: Select all

 <form enctype="multipart/form-data" action="<?php print $_SERVER['PHP_SELF']?>" method="post">
 
 
     Upload MP3 File: <?php  if (isset($nomessage) && !empty($nomessage)) { echo $nomessage ; }  ?>
 
      <input type="file" name="fupload" value="<?php if (isset($_POST['fupload'])) echo $_POST['fupload'];?>"></td>
  
      <input type= "hidden" name="MAX_FILE_SIZE" value="102400"/>
      <input type= "submit" class="formButton" value="Upload MP3"/>
      <input type="hidden" name="product_ID" value="<?php echo $row_GetAudioUpdate['product_ID']; ?>">
      <input type="hidden" name="MM_update" value="form1">
        
</form>

Re: URL Values going missing

Posted: Wed Apr 02, 2008 9:53 am
by thaynejo
The primary issue I see is that you have set the form action to "post", but are trying to access the variables via "get". You need to change one or the other. If you are insistent on using GET (which will display the values in the URL), then make the change to the form as follows:

Code: Select all

<form enctype="multipart/form-data" action="<?php print $_SERVER['PHP_SELF']?>" method="[color=#FF0000]get[/color]">

Re: URL Values going missing

Posted: Wed Apr 02, 2008 10:03 am
by John Cartwright
thaynejo wrote:The primary issue I see is that you have set the form action to "post", but are trying to access the variables via "get". You need to change one or the other. If you are insistent on using GET (which will display the values in the URL), then make the change to the form as follows:

Code: Select all

<form enctype="multipart/form-data" action="<?php print $_SERVER['PHP_SELF']?>" method="[color=#FF0000]get[/color]">
This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time. Also, you should not be using $_SERVER['PHP_SELF'], considering it allows the user to exploit XSS injection.

I would set the action with the parameters manually set in it, and/or alternatively you can pass the $_GET['product_id'] as a hidden field in the form.

Code: Select all

<form action="/process.php?product_id=<?php echo intval($_GET['product_id']); ?>">
Notice I applied intval() on the product id, this is also to avoid XSS injection by only allowing numbers. As a rule of thumb, never output anything that comes from the user without validating/sanitizing (this include $_SERVER['PHP_SELF'])

Re: URL Values going missing

Posted: Wed Apr 02, 2008 10:09 am
by thaynejo
Jcart wrote:This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time.
There is no problem using them both. I use them all the time as well. What I was trying to point out is that the values in the $_POST array cannot be accessed via the $_GET array. The easiest way to fix his issue is to change the action to GET. That would solve the issue of the missing variables.

Re: URL Values going missing

Posted: Wed Apr 02, 2008 10:11 am
by John Cartwright
thaynejo wrote:
Jcart wrote:This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time.
There is no problem using them both. I use them all the time as well. What I was trying to point out is that the values in the $_POST array cannot be accessed via the $_GET array. The easiest way to fix his issue is to change the action to GET. That would solve the issue of the missing variables.
Ah sorry for misunderstanding. But still, your suggestion has some ugly side effects. :wink:

Re: URL Values going missing

Posted: Wed Apr 02, 2008 10:24 am
by thaynejo
Jcart wrote:Ah sorry for misunderstanding. But still, your suggestion has some ugly side effects. :wink:
No problem, and I agree. Always clean the input first so that you don't have to cry later. I am a fairly new user to PHP, so my code can always be improved. Thank you for the assistance.

Re: URL Values going missing

Posted: Wed Apr 02, 2008 12:15 pm
by Addos
As a matter of interest what about doing this? I have to say I don’t always understand this enough but try to learn from a few angles about attacks etc.

Code: Select all

<form method="post" name="form1" action="<?php echo $editFormAction; ?>">
 
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
Thanks for the help!