which is a better way to pass a form variable?

drewbie

is it better to pass the form variable on the end of a url, and use the post method, or store the variable in a hidden field?examples-

function reply_form() {
global $MID;

    if(!isset($MID)) {
            echo "Please select a message to reply to.";
    }
    else {
            $query = mysql_query("SELECT * FROM questions WHERE MID='$MID' && Reply='0'", $link_id);
            if (!$query) {
                    echo "Sorry, this message is either non-existent or is no longer available.";
            }
            else {
                    while ($myrow = mysql_fetch_array($query)) {
                            $Subject = $myrow[Subject];
                            $Question = $myrow[Question];
                            ?>
                            <p><font size="5" face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular"><b>Reply to a Question</b></font></p>
                            <form action="replytoquestion.php?action=reply" method="post">
                            Subject: <? echo $Subject; ?>
                            <p>In Reply to:<br>
                            <i>"<? echo $Question ?>"</i><br>
                            <textarea name="Question" cols="50" rows="12" tabindex="1"></textarea></p>
                            <input type="hidden" name="MID" value="<? echo $MID ?>">
                            <p><input type="submit" name="submit" value="Submit" tabindex="2"></p>
                            </form>
                    <?
                    }
            }
    }

}

or should it be done like so-

function reply_form() {
global $MID;

    if(!isset($MID)) {
            echo "Please select a message to reply to.";
    }
    else {
            $query = mysql_query("SELECT * FROM questions WHERE MID='$MID' && Reply='0'", $link_id);
            if (!$query) {
                    echo "Sorry, this message is either non-existent or is no longer available.";
            }
            else {
                    while ($myrow = mysql_fetch_array($query)) {
                            $Subject = $myrow[Subject];
                            $Question = $myrow[Question];
                            ?>
                            <p><font size="5" face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular"><b>Reply to a Question</b></font></p>
                            <form action="replytoquestion.php?action=reply&MID=$MID" method="post">
                            Subject: <? echo $Subject; ?>
                            <p>In Reply to:<br>
                            <i>"<? echo $Question ?>"</i><br>
                            <textarea name="Question" cols="50" rows="12" tabindex="1"></textarea></p>

<p><input type="submit" name="submit" value="Submit" tabindex="2"></p>
</form>
<?
}
}
}
}

Thanks for your responses!

RedDragon

well i use attaching the var at the end of the url and it works fine,
but hidden field also works...

i think when you use the hidden field its not possible to add the var to the url to get to the page (i tried at my script and it didnt work!)

cgraz

Depends what you're doing. I think passing in the url is easier, but if you do, peple can change your variables. I know I do it on other sites.

Like autotrader only allows you to search cars within a 300 mile radius from your zip code; I like changing that to 800 or whatever. If you pass the variable in your url, expect people to change it. However I like the fact that autotrader does that; makes my search even more efficient, but it really just depends onw hat you're doing. IT doesn't hurt autotrader for me to change the distance variable in the url. If the visitor changin that variable doesn't actually hurt you (or damage your site results too much), then by all means use the url. Hidden inputs can be a pain the a** sometimes, but are really handy!

Cgraz

drewbie

right on, thanks guys