PHP variables

[Hightower]

I'm creating a web script for my school. here's what its supposed to do.

1) Staff enter a web address in a text box and submit using GET method
2) Loads site that was entered with frame at top saying are you sure you want to add this site? The entered value gets stored into $site_address on this page.
3) Adds site to the database and delivers success message

1 & 2 work fine, but when it gets to the third page it seems to have forgotten the value in $site_address

I'm new to PHP so is there something obvious I'm missing? If you need code to help let me know and I'll get it posted up.

[powdarrmonkey]

paste the code? otherwise it's like driving with a blindfold!

[Friez]

Aye post code for sure. Also depends if you're running code across different php pages and/or frames.

You can always do this at opportune locations in your PHP script to try and find out where it drops out:

print_r($_GET);

Will dump out the contents of your $_GET variable.
Also make sure you're using $_GET and not the old-style way of just naming variables the same as a normal variable e.g. $_GET['site_address'] as opposed to $site_address, since accessing GET/POST in this manner can cause some security oopsies (should be locked off for the latest versions of PHP anyway).

What I think is happening is this (Assumptions Made):

You have a page like this:

PHP Code:

$addy = $_GET['site_address'];
Are you sure you want to add this site? <a href="continue.php">Yes</a> <a href="index.php">No</a>

... and in continue.php

database_saving_bits($addy); 


Which of course won't pass on the GET to the next page (it's not carried across through multiple page reloads, you'll have to do that either via stuffing it into a sessioned page using $_SESSION and all the session_start() hoo-hah or, pass it in the URL as a second GET (like follows)

PHP Code:

$addy = $_GET['site_address'];
Are you sure you want to add this site? <a href="continue.php?addy=<?php echo $addy; ?>">Yes</a> <a href="index.php">No</a>

... and in continue.php

$addy = sanitise_all_gets_before_hitting_db($_GET['addy']);
database_saving_bits($addy);

But that's just pure guesswork (and subtle pseudocodish made-up functions to hint some things) as to what your code looks like. I strongly advise you do the $_GET printing so you know exactly what point things dissappear though!

Code would be nice to dissect

[Hightower]

paste the code? otherwise it's like driving with a blindfold!

You can't drive with a blind fold on?! I thought everyone could....

OK, here it goes:

This is the first page - the one where the teacher enters details into a form.

PHP Code:

<p align="center"><strong>Please answer ALL fields!</strong></p>

<form action="checksite.php" method="GET">
    <table width="500" border="0" align="center" cellpadding="3" cellspacing="0">
        <tr>
            <td width="30%"><p align="right">Title of website:</p></td>
            <td width="70%"><input name="txtTitle" type="text" size="50" /> </td>
        </tr>
        <tr>
            <td p align="right">Address of website:</p></td>
            <td><input name="txtAddress" type="text" value="http://" size="50" /></td>
        </tr>
        <tr>
            <td><p align="right">Subject:</p></td>
            <td><select name="subject">
                <option value="All" selected="selected">Please select</option>
                <option value="Art">Art</option>
                <option value="Business">Business Studies</option>
                <option value="DT">DT</option>
                <option value="English">English</option>
                <option value="Humanities">Humanities</option>
                <option value="ICT">ICT</option>
                <option value="Maths">Maths</option>
                <option value="MFL">MFL</option>
                <option value="Music">Music</option>
                <option value="PE">PE</option>
                <option value="Science">Science</option>
                <option value="All">Whole School</option>
            </select></td>
        </tr>
        <tr>
            <td><p align="right">Why do pupils need access to this site?</p></td>
            <td><input name="reason" type="text" size="50" /></td>
        </tr>
        <tr>
            <td>&nbsp;</td>
            <td><input type="submit" name="submit" value="Add to whitelist" /></td>
        </tr>
    </table>
</form> 


This is the second page which asks if the user is sure they want to add the site and displays the website in the page.

PHP Code:

<?php
require "sec/seccheck.php";
$site_title = $_GET["txtTitle"];
$site_address = $_GET["txtAddress"];
$site_subject = $_GET["subject"];
$site_username = $_SESSION['username'];
?>

<html>
<head>
    <title>Please check the website before submitting</title>
</head>
<body style="font-family: Verdana, sans-serif;font-size:12px;text-align:center;">
    <p>You want to add the site <strong><?php echo $site_title; ?></strong>. Please ensure that this is the site you want to add. If the site doesn't
    load please ensure you have the correct address.</p>
    <p><a href="index.php?ad=successadd">This is the site - add it!</a> | <a href="index.php?ad=add">This isn't the site - Don't add it!</a></p>
    
    <iframe src=<?php echo $site_address; ?> height="90%" width="100%">
    </iframe>
</html>

The previous two pages work exactly how I want. Here is the third page that load when the user presses "YES I WANT TO ADD THAT SITE":

PHP Code:

<p>Title: <?php echo $site_title; ?> </p>

This 3rd page will use a mysql_query when I pass the variables properly but just for testing at the minute I only have that echo command. All that is displayed on the page is:

Title:

I'm sure you know what's wrong, but remember I'm a PHP n00b so be kind

[Hightower]

I just stored the value into $_SESSION['Title']. Could of swore I tried it before but this time it worked so thanks!

[CESIL]

Where are you declaring $site_title for the first time?

To pass this variable from page to page you need to set it up as a session variable.

PHP Code:

$_SESSION['site_title'] = $_GET["txtTitle"]; 


Ypu also need session_start() at the top of each page that refers to session variables.

Retrieve it with

PHP Code:

<p>Title: <?php echo $_SESSION['site_title']; ?> </p>

[CESIL]

I dunno...I look away for a moment and someone else posts a solution

[powdarrmonkey]

Mmm, I just went and had my lunch, and he's fixed it himself Wish some of our staff could learn that trick.

[Friez]

I just stored the value into $_SESSION['Title']. Could of swore I tried it before but this time it worked so thanks!

Yeah you could do it that way (session vars are handy especially for data you want to keep lurking around), or if you don't want to clutter up the session space, just make your YES <a href> have a ?somevariable=somevalue on the end to pass it into a $_GET on the page it refers to.

Also beyond the functionality of your actual page some tips or pointers!

Use POST rather than GET for forms unless it's absolutely necessary. Especially if the form is BIG. This Page describes the difference between POST and GET, but mainly a GET is passed via the URL itself. e.g.

hxxp://www.edugeek.net/forums/newreply.php?do=newreply&p=259394

all the stuff after the ? is a GET, the $_GET['do'] is one variable and the $_GET['p'] is another. URLS can only be so long. Imagine if my entire post here was embedded into a GET, it probably won't happen.

Make sure you sanitise your Input variables

This is important. Imagine if I came across your site and decided to say the reason that I want pupils to access your site was because:

'); DELETE * FROM users

(Or something to that extent) be sure that everything that goes into your mysql query that's been provided by a user has been thoroughly sanitised. There are functions out there to do this for you.

Google for SQL Injection Hack for info on this.

Cleanliness!

If you choose to go the way of the $_SESSION variable, when you're totally and utterly sure you're 100% done with the variable and don't need it again for that session be sure to unset($_SESSION['somevar']); otherwise you'll end up with a massive $_SESSION variable list.

Hope that helps!