$_POST and $_GET a variable from url



myedinu
03-12-2007, 07:13 PM
I am new in php:

I want to pass a variable to url from a link and then get it from there....

Can someone give me an idea or a piece of script...

Fou-Lu
03-13-2007, 01:49 AM
Sure.


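<?php
// Only read the parameter when it is present in the query string
if (isset($_GET['variable']))
{
    // Escape on output so the value cannot inject markup into the page (reflected XSS)
    echo htmlspecialchars($_GET['variable'], ENT_QUOTES, 'UTF-8');
}
?>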

$_* is a superglobal construct, so you don't need to globalize anytime you make use of them in function calls. They also have priority overrides, if I'm not mistaken it's: $_ENV->$_GET->$_POST->$_REQUEST->$_COOKIE->$_SESSION, but someone may need to confirm that.
Anyway, you pass through what's called the 'querystring', for example:
http://www.yoursite.com/page.php?var1=1&var2=2...
Anything past the ? is part of the query string. PHP has an optional configuration setting called register_globals which allows you to register any of your superglobals as $GLOBAL variables. This was necessary way back in the past, but it is no longer wise to make use of them. With the uri querystring given, the accessors would be:
$_GET['var1'] and $_GET['var2']
$_REQUEST exists on your system as well depending on the version of php. I believe it was 4.4.1 which $_REQUEST was released which simply merges together the $_GET and $_POST superglobals, giving $_POST priority. Don't rely too much on $_REQUEST if you can avoid it.
Querystrings are always considered a $_GET superglobal. While forms can be either, generally you will send data via a post method, hence the $_POST superglobals (with the exception of $_FILES which also comes from forms).
Does that answer any questions about the querystring?

Inigoesdr
03-13-2007, 06:48 AM
They also have priority overrides, if I'm not mistaken it's: $_ENV->$_GET->$_POST->$_REQUEST->$_COOKIE->$_SESSION, but someone may need to confirm that.
*snip*
$_REQUEST exists on your system as well depending on the version of php. I believe it was 4.4.1 which $_REQUEST was released which simply merges together the $_GET and $_POST superglobals, giving $_POST priority. Don't rely too much on $_REQUEST if you can avoid it.
Close! The $_REQUEST superglobal is populated in the order of the variables_order directive in php.ini. $_REQUEST should be avoided at all costs. There is basically no need to use it, and if you do then you should rewrite your script so it won't need it. You should only pass variables with one method at a time and validate them as such. ie. Form variables should pretty much always be posted, there's no need to get them from $_GET, $_COOKIE, or $_SESSION, and doing so could easily open up your script to XSS vulnerabilities. That's not to say that only using $_POST will prevent attacks; you should always validate any user input.

aedrin
03-13-2007, 04:28 PM
$_REQUEST should be avoided at all costs.

And why is this?

the-dream
03-13-2007, 04:36 PM
or



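<?php
// Fall back to an empty string when the parameter is absent
$url = isset($_GET['variable']) ? $_GET['variable'] : '';

// Escape on output so the value cannot inject markup into the page (reflected XSS)
echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
?>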

aedrin
03-13-2007, 04:39 PM
Google for a beginners PHP tutorial.

There are hundreds, if not thousands, of them.

the-dream
03-13-2007, 04:41 PM
or try:

http://php.about.com/

Inigoesdr
03-14-2007, 12:16 AM
And why is this?
Because depending on the order, if you were expecting a POSTed variable for instance and someone sent a cookie with that same name, it would be overwritten by their variable. This could potentially allow malicious code to be executed among other potential serious problems.
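
The override described in the post above, as an added example that is not part of the original thread: it mimics the left-to-right merge that fills $_REQUEST and contrasts it with reading one named source and validating it. The helper names simulate_request() and post_int(), the field name item_id and the sample values are assumptions made for this illustration.

```php
<?php
// Added illustration: simulate_request() is a hypothetical helper that mimics
// how PHP fills $_REQUEST, merging sources left to right in the order given by
// variables_order (request_order on PHP 5.3+), so later sources overwrite earlier ones.
function simulate_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace: on a duplicate key the later source wins
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical helper: read a field from one named source only and accept it
// only if it is a positive integer.
function post_int(array $post, string $name): ?int
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $value = filter_var($post[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Constructed sample input: the form posts item_id, and the same request
// also carries a cookie with the same name.
$get    = [];
$post   = ['item_id' => '42'];
$cookie = ['item_id' => '7'];

// Order "GPC": the cookie is merged last and replaces the posted value.
$request = simulate_request('GPC', $get, $post, $cookie);
echo "merged with GPC: ", $request['item_id'], "\n";

// Order "GP": cookies are left out of the merge, so the posted value survives.
$request = simulate_request('GP', $get, $post, $cookie);
echo "merged with GP:  ", $request['item_id'], "\n";

// Reading the expected source directly is unaffected by the cookie,
// and validation rejects anything that is not a positive integer.
var_dump(post_int($post, 'item_id'));
var_dump(post_int(['item_id' => '42<b>'], 'item_id'));
```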

Fou-Lu
03-14-2007, 02:12 AM
$_REQUEST is not only a rewritable variable, you can also control your variables_order in a PHP_INI_ALL fashion. MY request variables only contain $_GET and $_POST, but this is mainly due to support for pre 4.2.0 php systems when creating a "superglobal" look-alike.
Granted, because of the fact that $_REQUEST normally merges the $_COOKIE superglobal, it should not be relied on.
However, saying that $_REQUEST should not be used at all costs is the same as saying that creation of user-defined variables and functions should also be avoided at all costs. If $_REQUEST was a protected core variable, I would agree. But since it is not, I will have to say I disagree.

StupidRalph
03-14-2007, 02:28 AM
Form variables should pretty much always be posted, there's no need to get them from $_GET, $_COOKIE, or $_SESSION, and doing so could easily open up your script to XSS vulnerabilities. That's not to say that only using $_POST will prevent attacks; you should always validate any user input.

Should you use POST when you are doing something like receiving results from a database from some search terms? I was taught to use the GET method since the GET method is idempotent. Meaning that no matter how many times a person searches for "red car" the results are going to be the same regardless of how many times they click the search button.

I'm just curious to hear your input on this.

Inigoesdr
03-14-2007, 02:53 AM
Should you use POST when you are doing something like receiving results from a database from some search terms? I was taught to use the GET method since the GET method is idempotent. Meaning that no matter how many times a person searches for "red car" the results are going to be the same regardless of how many times they click the search button.

I'm just curious to hear your input on this.
The results will be the same no matter what method you use because it's being passed to the database the same way with the same text. Using either method isn't necessarily better than the other; it's dependent on preference or circumstance.

aedrin
03-14-2007, 04:10 PM
Because depending on the order, if you were expecting a POSTed variable for instance and someone sent a cookie with that same name, it would be overwritten by their variable. This could potentially allow malicious code to be executed among other potential serious problems.

Which is why you never trust any outside input, and filter for bad things?

Inigoesdr
03-14-2007, 09:23 PM
Which is why you never trust any outside input, and filter for bad things?
Yes, but why put yourself in position to have this problem to begin with?


