+1  Q: 

Simple Php Echo

I am just starting to learn PHP. How would I initiate an echo statement after a submit button is pushed, or even an anchor tag?

Here is my code so far

<form name="myform" method="get" actions="madlib01.php">

 Name: <input type="text" name="name" /> <br />

     <input type="submit" name="submit" />

</form>

<?php

$Name = $_GET['name'];

$hello .= "Hello $Name";

echo $hello  //I would prefer the echo to happen after the submit button is hit

?>
+1  A: 

You will first need to check if PHP has received your GET parameter using isset or array_key_exists:

if(isset($_GET['name']) && !empty($_GET['name'])) {
    $Name = $_GET['name'];
    echo "Hello $Name";
}

or:

if(array_key_exists('name', $_GET) && !empty($_GET['name'])) {
    $Name = $_GET['name'];
    echo "Hello $Name";
} else {
    //example: default to something if nothing has been passed
    echo "Hello Guest";
}

Also note, if you're submitting to the same page, you can omit the action attribute from your form tag altogether:

<form method="GET">
karim79
Magic quotes "Hello $Name" should be discouraged, as they are deprecated in future versions of PHP.
Jonathan Fingland
I don't think that has anything to do with magic quotes.
Jani Hartikainen
@Jonathan Fingland, magic quotes is what PHP uses to automatically escape data - karim79's example has nothing to do with that.
Arms
+2  A: 

The correct attribute for your form tag is "action", not "actions".

When the form is submitted, a new request is sent to the server (in your case, using GET).

So to do it all in one page:

form.php:

<form action="form.php" method="GET">
<input type="text" name="name"/>
<input type="submit">
</form>

<?PHP
if (! empty($_GET['name'])){
   echo 'Hello, ' . $_GET['name'];
}
?>
timdev
A: 

echo $hello

You've just gained an HTML-injection vulnerability. If someone sends your user to:

http://www.example.com/madlib01.php?name=<script>stealYourCookies()</script>

you've got problems.

Yes, this is a My First PHP Script. That doesn't make security optional. This is a mistake every tutorial makes: teaching bad practice from the start, treating correctness (and security, which is a subset of correctness) as an optional extra.

The result is that most PHP code out there is full of holes. But there's no need for yours to be! Every time you place a pure-text string into a surrounding HTML context, escape it properly:

echo htmlspecialchars($hello);

I tend to define a function with a shorter name than ‘htmlspecialchars’ to do that for me, as I'm lazy.

<?php
    function h($text) {
        echo(htmlspecialchars($text, ENT_QUOTES));
    }
    $name= '';
    if (isset($_REQUEST['name']))
        $name= trim($_REQUEST['name']);
?>

...

<?php if ($name!=='') { ?>
    <p> Hello, <?php h($name); ?>! </p>
<?php } ?>

<form method="get" action="madlib01.php">
    <p>
        <label for="namefield">Name:</label>
        <input id="namefield" type="text" name="name" />
    </p>
    <p>
        <input type="submit" />
    </p>
</form>

Now if you say your name is Mister <script>, the page will greet you exactly as such, angle brackets and all, instead of trying to run JavaScript. This is the correct output and thus also secure.

bobince
+1 for the h() function. They have that in Ruby too (you probably know)
Alex Mcp
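
An added example, not code from any of the posters above: the same escaping applied to both places the submitted name can end up, element content and the form field's value attribute, run from the command line over constructed inputs. The helper `render_page()` and the string-returning variant of `h()` are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Variant of the answer's h() that returns the escaped string instead of echoing it.
function h(string $text): string {
    // ENT_QUOTES escapes both ' and ", which matters inside attribute values.
    // PHP before 8.1 defaulted to ENT_COMPAT, which leaves ' untouched.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: builds the page body from a $_GET-like array.
function render_page(array $query): string {
    $raw = $query['name'] ?? '';
    // A request like ?name[]=x makes the value an array; treat non-strings as empty.
    $name = is_string($raw) ? trim($raw) : '';

    $html = '';
    if ($name !== '') {
        $html .= '<p>Hello, ' . h($name) . "!</p>\n";   // element content
    }
    // Re-filling the field places the same value in an attribute context.
    $html .= '<form method="get" action="madlib01.php">' . "\n"
           . '  <input type="text" name="name" value="' . h($name) . '" />' . "\n"
           . '  <input type="submit" />' . "\n"
           . "</form>\n";
    return $html;
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['name' => 'Alice'],
    ['name' => 'Mister <script>'],
    ['name' => 'Ann "Q" O\'Neil'],       // raw quotes would end value="..." early
    ['name' => ['not', 'a', 'string']],  // array parameter instead of a string
    [],                                  // form not submitted yet
];

foreach ($samples as $query) {
    echo '--- input: ', json_encode($query), "\n", render_page($query);
}
```

Escaping happens at the point of output, so `$name` stays raw for any other use and each output context gets the escaping it needs.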