URL Parameter Retrieving

jdhorton77
Forum Commoner
Posts: 56
Joined: Tue Nov 07, 2006 3:29 pm
Location: Charlotte, NC

Post by jdhorton77 »

OK, I'm working on the customer registration page. When the user clicks on the submit button it sends an email to the address specified, where they can click a link. This link has the user's information coded into it as parameters, and I know the PHP variable values are not null, but when it goes to the confirmation page the parameters are empty. I'm sure they are present in the URL. Here's a snippet of the URL; could someone tell me if it looks right?

Code:

$message = "
<html>
<head>
<title>Account Confirmation</title>
</head>
<body>
<table><tr><td width='100'>

<a href='https://somewhere.com/accountConfirmation.php?name='$name'&address='$address'>
Click Here Only Once</a>

</td></tr></table>
</body>
</html>
";

And here is the result when you click on the link:
https://somewhere.com/accountConfirmation.php?name=

So when I try to do $name = $_POST['name']; it turns up blank.

Thanks for any help.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Two things.

You are vulnerable to XSS injection. Any input you are displaying should be passed through htmlspecialchars().
Secondly, your html is malformed. Remove the single quotes around $name and $address?

Post by jdhorton77 »

So what you are saying is that I need to take the url address and put it within the htmlspecialchars()? Something like this:

Code:

$convertedLink = htmlspecialchars('<a href="http://somewhere.com/somefile.php?blah=blah">');

Post by John Cartwright »

You only want to escape the input

Code:

if (isset($_POST['name'], $_POST['address']))
{
   // escape the submitted values before they are placed into any HTML
   $name = htmlspecialchars($_POST['name']);
   $address = htmlspecialchars($_POST['address']);

   //do stuff
}

Post by jdhorton77 »

So I should escape the input before I send it as the link correct? Like what you had above and then putting name=$name.

Post by jdhorton77 »

I was reading a little more into the PHP website and I found html_entity_decode(). On the page that I'm sending to, should I use this to decode the data and then put it in the database?
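Worked example added by the editor; it is not code from either poster. It puts together the two halves discussed in this thread (the registration page that builds the link for the email, and accountConfirmation.php that reads the parameters back) and applies John's point about htmlspecialchars() at the place where a value is written into HTML. Two details the thread touches but never shows: a value placed into a URL must be percent-encoded (http_build_query() does this), and values that arrive through a link are in $_GET, because $_POST only holds fields from a form submitted with method="post". On the last question, PHP has already percent-decoded the query string by the time it fills $_GET, so html_entity_decode() is not the tool for that step; the raw value is what goes into the database (through a prepared statement), and escaping happens on output. The host name and file names are carried over from the thread; the sample name and address are constructed.

```php
<?php
// Added example, not the original poster's or the forum's code.
// Flow: registration page builds the link -> email -> accountConfirmation.php reads it.
// Host and file names are assumptions taken from the thread.

/**
 * Build the confirmation URL. Each value is percent-encoded so that spaces,
 * '&', '=', quotes and '#' inside a name or address cannot break the query
 * string or end the href attribute early.
 */
function buildConfirmationLink(string $name, string $address): string
{
    $base  = 'https://somewhere.com/accountConfirmation.php';
    $query = http_build_query(['name' => $name, 'address' => $address]);
    return $base . '?' . $query;
}

/**
 * HTML fragment for the email. The URL goes through htmlspecialchars()
 * because it is being written into an attribute: the '&' between the two
 * parameters becomes '&amp;', which is the correct form inside HTML.
 */
function buildEmailHtml(string $name, string $address): string
{
    $href = htmlspecialchars(buildConfirmationLink($name, $address), ENT_QUOTES, 'UTF-8');
    return "<a href=\"{$href}\">Click Here Only Once</a>";
}

/**
 * The confirmation page. Link parameters live in $_GET, not $_POST.
 * The array is passed in so the function can be exercised without a server;
 * the real page would call renderConfirmation($_GET).
 */
function renderConfirmation(array $get): string
{
    if (!isset($get['name'], $get['address'])) {
        return '<p>Missing confirmation parameters.</p>';
    }
    // Raw values: this is what would be stored in the database via a prepared
    // statement. No html_entity_decode() is needed; PHP has already
    // percent-decoded the query string when it populated $_GET.
    $name    = $get['name'];
    $address = $get['address'];

    // Escape on output, at the point the value is placed into HTML.
    $safeName    = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $safeAddress = htmlspecialchars($address, ENT_QUOTES, 'UTF-8');
    return "<p>Confirmed: {$safeName}, {$safeAddress}</p>";
}

// Constructed sample input with the characters that break naive string building.
$name    = "O'Brien & Sons <script>alert(1)</script>";
$address = '12 Main St #4, Charlotte, NC';

echo buildEmailHtml($name, $address), PHP_EOL;

// Simulate the click: the browser sends the query string, PHP decodes it into $_GET.
$url = buildConfirmationLink($name, $address);
parse_str((string) parse_url($url, PHP_URL_QUERY), $simulatedGet);
if ($simulatedGet['name'] !== $name || $simulatedGet['address'] !== $address) {
    throw new RuntimeException('query string did not round-trip intact');
}
echo renderConfirmation($simulatedGet), PHP_EOL;
```

Run it with the php CLI: the first line printed is the anchor for the email, with every special character in the name encoded twice over (once for the URL, once for the attribute); the second is the confirmation page output, where the script tag in the sample name is rendered as literal text rather than executed.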