URL Parameter Retrieving

Posted: Mon Jan 15, 2007 2:32 pm
by jdhorton77
Ok, I'm working on the customer registration page and when the user clicks on the submit button it sends an email to the address specified where they can click a link. This link has the user's information coded into it as parameters and I know the PHP variable values are not null, but when it goes to the confirmation page the parameters are empty. I'm sure they are present in the URL. Here's a snippet of the URL; could someone tell me if it looks right?

Code:

$message = "
<html>
<head>
<title>Account Confirmation</title>
</head>
<body>
<table><tr><td width='100'>

<a href='https://somewhere.com/accountConfirmation.php?name='$name'&address='$address'>
Click Here Only Once</a>

</td></tr></table>
</body>
</html>
";

And here is the result when you click on the link:
https://somewhere.com/accountConfirmation.php?name=

So when I try to do $name = $_POST['name']; it turns up blank.

Thanks for any help.

Posted: Mon Jan 15, 2007 2:40 pm
by John Cartwright
Two things.

You are vulnerable to XSS injection. Any input you are displaying should be passed through htmlspecialchars().
Secondly, your html is malformed. Remove the single quotes around $name and $address?

Posted: Mon Jan 15, 2007 3:41 pm
by jdhorton77
So what you are saying is that I need to take the url address and put it within the htmlspecialchars()? Something like this:

Code:

$convertedLink = htmlspecialchars('<a href="http://somewhere.com/somefile.php?blah=blah">');

Posted: Mon Jan 15, 2007 3:50 pm
by John Cartwright
You only want to escape the input

Code:

if (isset($_POST['name'], $_POST['address']))
{
   // escape the user-supplied values, not the surrounding HTML
   $name = htmlspecialchars($_POST['name']);
   $address = htmlspecialchars($_POST['address']);

   //do stuff
}

Posted: Mon Jan 15, 2007 4:02 pm
by jdhorton77
So I should escape the input before I send it as the link, correct? Like what you had above and then putting name=$name.

Posted: Mon Jan 15, 2007 4:29 pm
by jdhorton77
I was reading a little more into the PHP website and I found html_entity_decode(). On the page that I'm sending to, should I use this to decode the data and then put it in the database?
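The thread mixes up three separate things: building the query string (percent-encoding, so `&`, quotes and spaces cannot break the URL or add parameters), embedding that URL in the HTML e-mail (htmlspecialchars(), so the values cannot break out of the href attribute), and reading the values on the confirmation page (a clicked link is a GET request, so they arrive in $_GET, already percent-decoded, and need no html_entity_decode() before storage). The following is an added example written for this thread, not code posted by either participant; the function names, the sample values and the base URL reuse the thread's hostname as placeholders.

```php
<?php
// Added example: correct handling of the confirmation link end to end.
// Function names and sample values are this example's own.

// 1. Query string: http_build_query() percent-encodes every value, so a name
//    containing '&' or quotes cannot inject a second parameter or break the URL.
function buildConfirmationUrl(string $base, string $name, string $address): string
{
    return $base . '?' . http_build_query(['name' => $name, 'address' => $address]);
}

// 2. HTML context: htmlspecialchars() turns '&' into '&amp;' and neutralises
//    quotes, so the URL is valid inside the href attribute of the e-mail body.
//    Escape here, at output, not before the value is stored anywhere.
function buildConfirmationEmail(string $url): string
{
    $safeUrl = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return "<html>\n<head><title>Account Confirmation</title></head>\n<body>\n"
         . "<a href=\"$safeUrl\">Click Here Only Once</a>\n"
         . "</body>\n</html>";
}

// 3. Receiving page (accountConfirmation.php): the click is a GET request, so
//    the values are in $_GET, not $_POST. PHP has already percent-decoded them;
//    html_entity_decode() is not needed because the value itself was never
//    HTML-encoded. Store the raw value and escape only when echoing it.
function readConfirmationParams(array $get): ?array
{
    if (!isset($get['name'], $get['address'])) {
        return null; // missing parameter: treat the link as invalid
    }
    return ['name' => (string) $get['name'], 'address' => (string) $get['address']];
}

// Constructed sample input with characters that break naive string building.
$name    = "O'Brien & Sons";
$address = '12 "Main" St, Apt #4';

$url = buildConfirmationUrl('https://somewhere.com/accountConfirmation.php', $name, $address);
echo $url, "\n";

$message = buildConfirmationEmail($url);
echo $message, "\n";

// Simulate what accountConfirmation.php sees after the link is clicked.
parse_str(parse_url($url, PHP_URL_QUERY), $simulatedGet);
$params = readConfirmationParams($simulatedGet);
if ($params === null) {
    exit("invalid confirmation link\n");
}
// The values round-trip unchanged; compare against the originals.
var_dump($params['name'] === $name, $params['address'] === $address);

// Output context on the confirmation page: escape at display time only.
echo 'Welcome, ', htmlspecialchars($params['name'], ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php` from the command line: the printed URL shows the percent-encoded parameters, the e-mail body shows the `&amp;` form inside the attribute, and the two `var_dump` results confirm the raw values survive the round trip without any decoding step on the receiving side. Note that a plain $name/$address parameter pair lets anyone forge a "confirmed" link; in practice the link should carry a random, single-use token that the confirmation page looks up instead of trusting the values in the URL.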