$_POST['var'] and $_GET['var']

g0liatH

Hi,

I'm having problems with passing variables which I got from a form from one page to another.

for example; I have a form:

<form name="form1" method="get" action="table.php">
<select name="table" id="table">
<option value="td_news">News</option>
<option value="td_other">Other</option>
</select>
<input name="Submit" type="submit" value="Submit" >
</form>

and a php page:

<?

$table = $_GET['table'];

echo("$table");

?>

this works without problems.

now, I have a form, with behind the form a php script in one file, that php script links to another php script in a new file, and that php script goes to another file. I need the variable called $table which I got from the form in every file.

So I can't use action="" right?
now, it seems that the $POST and $GET functions wont work without the action="".

I tried a cookie, but that isn't working well either, because it gives a header error.

now I tried writing to a file called table.txt and reading it in every file. I think it works but then I have to chmod the map to 777.

Is there an easy way to pass the variable? I'm kinda new to php so all help is appreciated. thanks 🙂

g0liatH

oh wait does this have something to do with register_globals? sorry to bother you then :queasy:

how do I put them on?

g0liatH

no wait that's not possible :glare:

I have to go now, will check tomorrow for replies. please help 🆒

TheDefender

Not too sure what you are having problems with since you are all over the place with your question, but....

It is strongly recommended that you NOT turn on the register globals setting, as it can cause your script to become vulnerable to the injection of malicious script... But, if you must, then the only thing I will say is you need to begin with the php.ini file.

Can you clarify what the problem you are having is, so we can help you find an alternate way to work without turning on the register globals?

g0liatH

my problem is that I can't really use the action="xxx.php" command in the form because after the form I have a php script

well I'll clarify it by posting the script:

list.php

<form name="form2" method="post">

  <table width="100%" border="0" cellspacing="3" cellpadding="0">
    <tr> 
      <td colspan="2"><strong><font size="3">Posting form...</font></strong></td>
    </tr>
    <tr> 
      <td width="8%">Table:</td>
      <td width="92%"><input name='table' type='text' id='table' size='30'></td>
    </tr>

<tr> 
  <td>&nbsp;</td>
  <td width="92%"><input type="submit" name="Submit" value="Submit"></td>
</tr>
  </table>
</form>
<?php

if($_POST['table'] == td_news) {

include('db.php');
$table = $_POST['table'];

$q = mysql_query("SELECT * FROM $table ORDER BY id, date DESC");



echo "<table with='100%' cellspacing='2'>";

while($r=mysql_fetch_array($q)){

$id = $r["id"];

$title = $r["title"];



echo "<tr><td><b>$title - options: <a href=\"edit.php?id=$id\" target=\"_blank\">Edit post</a> | <a href=\"delete.php?id=$id\" target=\"_blank\">Delete Post</a></td></tr>";

}

echo "</table>";


mysql_close($cnx);
}

?>

edit.php

<?

include('db.php');

$table = $_POST['table']; // this isn't working.

$id = $_GET['id'];

$q = mysql_query("SELECT * FROM $table WHERE id='$id'");

$r = mysql_fetch_array($q);

$news = $r["news"];

echo "<form action=\"editprocess.php?id=$id\" method=\"post\">

<textarea id=\"news\" name=\"news\">$news</textarea><input type=\"submit\" id=\"submit\"></form>";


?>

editprocess.php

<?php

include('db.php');

$table = $_POST['table']; // this isn't working!

$news = $_POST['news'];

$id = $_GET['id'];

mysql_query("UPDATE $table SET news='$news' WHERE id='id'");

?>

I need the form variable 'table' in the other scripts.

paulnaj

Hi g0liatH,

I've tweaked your code to make it clearer to me what's going on.

1) Do yourself a favour and always include some 'error/bug' checking.

2) Another thing I always recommend is not to embed variables in strings ... it's hard to read and is actually ever so slightly slower (if you use single-quoted strings to build blocks of HTML, then you can maintain the use double-quoted attributes in the HTML itself).

3) Whereas you can choose GET or POST for the form action, a link to a php page always uses the GET method,

4) I haven't commented on whether passing variables frompage to page is the best way to 'maintain state' ... sessions might be easier, but that's another story.

5) Lastly, because I don't have access to your db, there could be some minor typo's/glitches so you'll to debug this anyway.

list.php

<html>
<head><title>list.php</title></head>
<body>
<form name="form2" method="post"> 
<table width="100%" border="0" cellspacing="3" cellpadding="0"> 
	<tr><td colspan="2"><strong><font size="3">Posting form...</font></strong></td></tr> 
	<tr><td width="8%">Table:</td><td width="92%"><input name="table" type="text" id="table" size="30"></td></tr> 
	<tr><td>&nbsp;</td><td width="92%"><input type="submit" name="Submit" value="Submit"></td></tr> 
</table> 
</form> 
<?php
// Check to see if variable has been sent
if(!isset($_POST['table']){
	die('$_POST[table] not set!');
}

include('db.php');
$q = mysql_query('SELECT * FROM '.$_POST['table'].' ORDER BY id, date DESC'); 
if(mysql_num_rows($q) == 0){
	die('No records found.');
}

$trs = ''
while($r = mysql_fetch_array($q)){ 

$trs .= '<tr>
	<td>
		<b>'.$r['title'].'</b>
		 - options: 
		 <a href="edit.php?id='.$r['id'].'&table='.$r['table'].'" target="_blank">Edit post</a>
		 | <a href="delete.php?id='.$r['id'].'&table='.$r['table'].'" target="_blank">Delete Post</a>
	</td>
</tr>'; 
}
echo '<table width="100%" cellspacing="2">'.$trs.'</table>';

//	Is $cnx defined in db.php ?
mysql_close($cnx); 
?> 

</body>
</html>

edit.php

<html>
<head><title>edit.php</title></head>
<body>
<? 
// Check to see if BOTH variables have been sent
// These will be from a click on a link so 
// MUST be $_GET vars, not $_POST.
if(!isset($_GET['table']){
	die('$_GET[table] not sent!');
}
if(!isset($_GET['id']){
	die('$_GET[id] not sent!');
}

include('db.php'); 
$q = mysql_query('SELECT * FROM '.$_GET['table'].' WHERE id="'.$_GET['id'].'"'); 

if(mysql_num_rows($q) == 0){
	die('No records found.');
}
$r = mysql_fetch_array($q); 

// To include the necessary variable for editprocess.php
// use hidden input fields ... easy to see what's going on
echo '<form action="editprocess.php" method="post">
	<input type="hidden" name="table" value="'.$_GET['table'].'" />
	<input type="hidden" name="id" value="'.$_GET['id'].'" />
	<textarea id="news" name="news">'.$r["news"].'</textarea>
	<input type="submit" id="submit" />
</form>';

// Where's $cnx ? 
// mysql_close($cnx);  

?> 
</body>
</html>

editprocess.php

<html>
<head><title>editprocess.php</title></head>
<body>
<?php 
if(!isset($_POST['table']){
	die('$_POST[table] not sent!');
}
if(!isset($_POST['id']){
	die('$_POST[id] not sent!');
}
if(!isset($_POST['news']){
	die('$_POST[news] not sent!');
}

include('db.php'); 
$sql = 'UPDATE '.$_POST['table'].' SET news="'.$_POST['id'].'" WHERE id="'.$_POST['news'].'"';
mysql_query($sql) or die('Error: '.$sql);

// Where's $cnx ? 
// mysql_close($cnx);  

?> 
</body>
</html>

Paul. 😉

paulnaj

g0liatH,

Had a few probs getting some of my code to display properly ... all OK now.

Paul.

g0liatH

Thanks a lot for your help Paul 🙂

I do get some parse errors, and I don't know why they're coming.

In every page I get the same error:

if(!isset($_POST['table']){ 
    die('$_POST[table] not set!'); 
}

Parse error: parse error, unexpected '{' in /home/virtual/site51/fst/var/www/html/td/mainnew/list.php on line 15

oh and yes, $cnx is defined in db.php 🙂

TheDefender

Missing a close parenthesis on the if statement:

if(!isset($_POST['table'])){  

    die('$_POST[table] not set!');  

}

paulnaj

Hi TheDefender,

Missing a close parenthesis on the if statement:

Er... on virtually EVERY 'if' statement :eek: (cut'n'paste compound error!)

Hi g0liatH, see if you can go and fix 'em all! :queasy:

Paul.

TheDefender

LOL... Been there, done that. If it is a cut 'n paste error, then a "Replace All" in the IDE should work (hopefully). LOL

g0liatH

lol, thanks a lot 😉

I'll do it with hand, because it will fix every single ( if I use replace all :p

now let's hope it works:evilgrin:

g0liatH

now it says

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/virtual/site51/fst/var/www/html/td/mainnew/edit.php on line 18
No records found.

paulnaj

Hi g0liatH,

Looks like it's this line ...

$q = mysql_query('SELECT * FROM '.$GET['table'].' WHERE id="'.$GET['id'].'"');

... thats causing the problem.

If the [id] fieldof the [table] is numeric then we don't need the double-quotes, I think ...

$q = mysql_query('SELECT * FROM '.$GET['table'].' WHERE id='.$GET['id']);

... see if that does the trick!

Paul

PS.

I posted a reply earlier, but realised it was gibberish!!

g0liatH

I saw the earlier reply :p

ok now I tried that line but it gives still the same error :queasy:

I really appreciate your help 🙂

I have to go now but I'll check this topic later and then I will start searching again.

TheDefender

Just want to put it all together for comparison's sake:

// g0liatH's
$q = mysql_query('SELECT * FROM '.$_GET['table'].' WHERE id="'.$_GET['id'].'"');  

// paulnaj's
$q = mysql_query('SELECT * FROM '.$_GET['table'].' WHERE id='.$_GET['id']); 

// TheDefender's
$q = mysql_query("SELECT * FROM ".$_GET['table']." WHERE id='".$_GET['id']."'");

OK, now, g0liatH, are you certain the $GET['table'] and $GET['id'] are being passed in the URL, and if so, are you sure that table exists, and has an id value equal to the one passed set in it, because in theory, your $q has proper syntax?

g0liatH

ok I'm now using The Defender's version. The table variable doesn't get passed. this is the url when I click on 'edit':

http://www.alltimegaming.com/td/mainnew/edit.php?id=1&table=

and I get this error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/virtual/site51/fst/var/www/html/td/mainnew/edit.php on line 18
No records found.

now, when I type this in the browser:

http://www.alltimegaming.com/td/mainnew/edit.php?id=1&table=td_news

it does show the right thing in edit.php, but when I click 'send query' to go to editprocess.php, it does nothing!

so I still have 2 problems:

having the table variable passed from list.php to edit.php
-having the table and id variable passed from edit.php to editprocess.php

if any of you guys need the whole script or want to have the script to test it, please contact me via email or via this topic. thanks 🙁

paulnaj

Hi g0liatH,

Ok, the minute I saw the url you gave, cut off at '...table=', I looked at that portion of the code (list.php) and noticed that I was putting $r['table'] !! instead of $_POST['table'] in the while loop ...

Should be ...

while($r = mysql_fetch_array($q)){  

    $trs .= '<tr> 
        <td> 
            <b>'.$r['title'].'</b> 
             - options: 
             <a href="edit.php?id='.$r['id'].'&table='.$_POST['table'].'" target="_blank">Edit post</a> 
             | <a href="delete.php?id='.$r['id'].'&table='.$_POST['table'].'" target="_blank">Delete Post</a> 
        </td> 
    </tr>';  

}

Get that bit working ... the other part ishould be ok now, but remember, I can't run this code here without building a db to match so it still could have other bugs :queasy:

Paul.

paulnaj

Hi g0liatH,

Here I am ... again!!

Ok, another glitch ... on editprocess.php this time. Look at the sql - I've got the news and id round the wrong way.

I've also commented out the call to mysql_query and printed the sql for now. (Good idea 'til things are sorted ... should've mentioned it before!!)

Here's the whole page corrected ...

<html> 
<head><title>editprocess.php</title></head> 
<body> 
<?php  

if(!isset($_POST['table'])){ 
    die('$_POST[table] not sent!'); 
} 
if(!isset($_POST['id'])){ 
    die('$_POST[id] not sent!'); 
} 
if(!isset($_POST['news'])){ 
    die('$_POST[news] not sent!'); 
} 

include('db.php');  

$sql = 'UPDATE '.$_POST['table'].' SET news="'.$_POST['news'].'" WHERE id="'.$_POST['id'].'"'; 
echo 'UPDATE SQL: <pre>'.htmlspecialchars($sql).'</pre><hr>';
//mysql_query($sql) or die('Error: '.$sql); 

?>  

</body> 
</html>

Paul.

g0liatH

thanks paul! I'll try if it works tomorrow, I don't have time now :mad:

I'll let you know if it works tomorrow, thanks again🙂