How can you get the variables in URL to the next page in PHP?

The user is at the URL

 http://localhost/codes/index.php?ask_question&[email protected]&passhash_md5=202cb962ac59075b964b07152d234b70

He sends a question and goes to the following URL, where the variables lost their values for some unknown reason.

http://localhost/codes/index.php?question_sent&email=&passhash_md5=

The following is the code of *handle_a_new_question.php*.

 $result = pg_prepare($dbconn, "query77", "INSERT INTO questions
     (body, title, users_user_id)
     VALUES ($1, $2, $3);");
 $result = pg_execute($dbconn, "query77", array($body, $title, $user_id));

 if(isset($result)) {
     $header = ("Location: /codes/index.php?"
         . "question_sent"
         . "&"
         . "email="
         . $_GET['email']             // this seems to be correct to me
         . "&"
         . "passhash_md5="
         . $_GET['passhash_md5']      // this seems to be correct to me too
         );
     header($header);
  }

Do you see any mistake in the code?

+1  A: 

Print your $_GET and check whether the vars are empty before creating the header:

print_r($_GET);

or try with

$_REQUEST['email']

instead of

$_GET['email']

Oh! and don't forget to add

exit();

after:

header($header);

If you do something if there's no valid $result, for example:

 if(isset($result)) {
     $header = ("Location: /codes/index.php?"
         . "question_sent"
         . "&"
         . "email="
         . $_GET['email']             // this seems to be correct to me
         . "&"
         . "passhash_md5="
         . $_GET['passhash_md5']      // this seems to be correct to me too
         );
     header($header);
  }

  sendEmailToMe('FAILED!!');

It is possible that "sendEmailToMe('FAILED!!')" is executed, even if $result is valid.

inakiabt
I have never used the command `exit();` before. I put it at the end of my handlers and it made my pages not work. It does not cause any conflicts only in the file handle_a_new_question.php.
Masi
It's a good practice.
inakiabt
Your first two commands give me only `Array ( ) `.
Masi
How can you make PHP send you an email? I unsuccessfully ran `mail([email protected], foo, foo foo);`
Masi
Print the $_REQUEST array: `print_r($_REQUEST);` Try to print it at the first PHP line; if you get nothing, you're not requesting with GET params.
inakiabt
Send emails with PHP: http://stackoverflow.com/questions/1261995/php-mail-tutorials/1262062#1262062
inakiabt
+1  A: 

For sure the data is sent by POST. So it can be retrieved like this:

$_POST['email']

BTW:

  1. do not forget to sanitize the data before doing the redirection (it is not done in your example).
  2. do not forget to "salt" your hash or it may be insecure.
Toto
I do not understand point (1), since the code uses pg_prepare, that is, prepared statements. This should sanitize the data. - I am a newbie, so feel free to comment. - (2): I will, once I first get my code to work.
Masi
You need to HTTP/URL sanitize the $_GET variables before using them in your header() call
Frank Farmer
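
The encoding this comment asks for, combined with the `exit` advice from the first answer, as an added example that is not part of the original thread. The function name `build_redirect` and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not from the original thread). Every untrusted value is
// percent-encoded before it reaches header(), CR/LF is refused, and the
// script stops after the redirect is sent.

/**
 * Build the Location value for the "question_sent" page.
 * $params holds untrusted request values (constructed sample input below).
 */
function build_redirect(string $path, string $flag, array $params): string
{
    foreach ($params as $name => $value) {
        // Only plain strings are expected; arrays such as email[]=x are refused.
        if (!is_string($value)) {
            throw new InvalidArgumentException("unexpected type for $name");
        }
        // Refuse header-splitting input outright instead of trying to clean it.
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("control character in $name");
        }
    }
    // http_build_query() percent-encodes names and values (RFC 3986 rules here),
    // so "&", "=", "+" and "@" inside a value cannot add or alter parameters.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return $path . '?' . $flag . ($query === '' ? '' : '&' . $query);
}

// Constructed sample values standing in for $_GET / $_POST.
$sample = [
    'email'        => 'user+tag@example.com',
    'passhash_md5' => 'abc&admin=1',
];

$location = build_redirect('/codes/index.php', 'question_sent', $sample);
echo $location, PHP_EOL;

// In the handler itself, after checking that pg_execute() did not return false
// (isset($result) is also true when $result is false):
//     header('Location: ' . $location);
//     exit;   // nothing after the redirect may run
```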
+3  A: 

What does the form code look like? The problem is on the page that is directing you to the question_sent page, not on the question_sent page itself.

Are you passing these variables along in hidden fields or in the action of the form, e.g.

<form method="post" action="index.php?question_sent&email=<?php echo urlencode($_GET['email']) ?>&passhash_md5=<?php echo urlencode($_GET['passhash_md5']) ?>">

or are you using hidden variables

<form method="post" action="index.php?question_sent">
   <input type="hidden" name="email" value="<?php echo htmlspecialchars($_GET['email'], ENT_QUOTES) ?>" />
   <input type="hidden" name="passhash_md5" value="<?php echo htmlspecialchars($_GET['passhash_md5'], ENT_QUOTES) ?>" />
   ...
</form>

Either of those should work: with the first you can retrieve your variables from $_GET, with the second you can retrieve them from $_POST.

Also, for user sessions, you should probably be storing their login info in a cookie. Take a look at this when you get a chance:

http://www.tizag.com/phpT/phpcookies.php

Neil Sarkar
This is the form code: http://github.com/vilsu/codes/blob/cb4714b1fd4773e35d140c108ca1b152f90b9a3c/lomakkeet/lomake_ask_question.php
Masi
I do not use hidden variables.
Masi
You probably should be using hidden variables. You have to be passing the email and passhash_md5 variables through to the next script using one of those three methods, in order of correctness: 1. using cookies; 2. using hidden variables in the form; 3. in the action attribute of the form itself.
Neil Sarkar
Also, just for the purposes of testing stuff like this, you should replace $_GET in your if(isset($result)) block with $_REQUEST. That will look for variables in $_POST, $_GET, and $_COOKIE. But like I said, if you're not passing the variables through from the form in one of these arrays, you won't be able to access the data.
Neil Sarkar
@Neil: How can you access hidden variables in the form?
Masi
Hidden variables, like any form <input> elements, are accessed with `$_GET["elementName"]` if the form is submitted with method=get, or `$_POST["elementName"]` if the form is submitted with method=post, or `$_REQUEST["elementName"]` for either (but I recommend specifying one or the other just for a little added safety).
Platinum Azure
+1  A: 

Try using session handlers in place of the GET variables. It does add a few keystrokes to your code but saves you a lot of headache, in my point of view.

If I use SESSION handlers, I do not need to sanitize my data in $_GET. Hmm - I need to study that.
Masi
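
What the session approach from this answer can look like, as an added example that is not part of the original thread. The function names, the sample user values and the `index.php?login` route are assumptions made for illustration.

```php
<?php
// Added example (not from the original thread): the login state lives in the
// server-side session, so the redirect URL carries no email or password hash.

/** Start a session whose cookie is not readable by page scripts. */
function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),  // HTTPS-only when available
    ]);
    session_start();
}

/** Call once, right after the password check on the login page succeeds. */
function remember_login(int $user_id, string $email): void
{
    session_regenerate_id(true);   // fresh session id after authentication
    $_SESSION['user_id'] = $user_id;
    $_SESSION['email']   = $email;
}

/** Call at the top of handle_a_new_question.php; null means "not logged in". */
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

start_secure_session();
remember_login(42, 'user@example.com');   // constructed sample values

$user_id = current_user_id();
if ($user_id === null) {
    header('Location: /codes/index.php?login');   // hypothetical login route
    exit;
}

// ... run pg_execute() with $user_id taken from the session, then redirect.
// Nothing user-supplied is copied into the URL.
header('Location: /codes/index.php?question_sent');
exit;
```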