Pass content of variable to another page

Hi everyone,

quick question:

I need to transfer a variable - $name, that contains a string to another page. Will I have to use cookies or sessions? The string will actually contain conditionals that are used in the WHERE part of a SELECT query to retrieve info from a database. In other words, the string will contain column names and values. Is it secure to use a query string to transfer such information?


page3.php?name=$name”>

page3.php:

$name = $_GET['name'];

Thank you very much!

In short - No. Not unless you have very robust error checking on the information passed over, and even then - No. Use your favourite search engine to look for “SQL injection attacks”.

I 100% agree with that statement. You can use Session if you’d like, don’t use Cookies – same attack vector as GET/POST! Personally, I’d argue you should send over multiple variables and then re-build the query on the receiving page so you can properly sanitize and verify the data sent before using it. Sending pre-made queries to be executed by another page is just bad practice all around.

Just re-read the OP to see that point you picked up! :eek: :eek: :eek:

:nono: :nono: :nono: :nono: :nono: :nono: :nono: :nono: :nono:

Hi Ian and cpradio,

thank you for the information!

Is it not enough to run the variable through FILTER_SANITIZE_STRING and mysqli_real_escape_string on the receiving page? How else could I transfer this variable? I’m using pagination together with checkboxes to filter a query (where…&& something=something). I somehow need to pass the string containing the conditionals to the other pages. And it’s not like someone can tell what the contents of the variable could be just by looking at the variable name.

I’m no PHP guru so perhaps there’s something I’m overlooking.

Thanks.

Can you tell me if your query string would simply be:
?name=redbishop&numposts=25&type=posts

Or would it be
?query=name=redbishop && numposts == 25 && type == posts

The first is more than acceptable and utilizing the two techniques you suggested are fine (except for numerics, you should use is_int, is_decimial, whatever fits).

Hi there cpradio,

it is the former. My query string will be .php?city=london&name=$name.

$name will contain a string such as:

something=‘something’&&something=‘something’. I assign this string to the $name variable.

When I tried to echo out the $name variable after receiving it on another page with $_GET, it would remain $name and not echo out the string. Maybe it will echo out the string if I use sessions or cookies?

Ideally I don’t want to resort to using either sessions or cookies for this functionality. Do you know of any other way that I could pass the variable to the other pages? What if I pass the checkbox values to a function which I call on every page and then build the query?

Thank you for your help.

So $name is the result of multiple checkboxes? If so, that makes things a bit easier.

Send it to another page:

$name = implode(',', array_map('urlencode', $_POST['names'])); // take all checkbox values and pass them to urlencode, then concatenate them with implode.
// pass $name via the query string
// ?city=london&name=$name

Receiving page:

$name = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
// you need to still use filter_value (or any logic that you can think of to verify each value is appropriate) and mysqli_real_escape_string at this point before you build a query with the data.
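As an added example (not cpradio's code and not part of the original thread), here is one way to do what the post above describes on the receiving page: split the comma-joined, urlencoded checkbox values back into an array, validate each value, and rebuild the query with a fixed list of allowed columns and bound parameters instead of trusting an SQL fragment sent by the browser. The `$_GET` contents, the `products` table, the column list and the connection sketch at the end are all constructed for the example.

```php
<?php
// Added example: receive checkbox values sent as a comma-joined,
// urlencoded list, validate them, and build a parameterised WHERE clause.

// Constructed stand-in for $_GET on the receiving page.
$_GET = [
    'city' => 'london',
    'name' => implode(',', array_map('urlencode', ['fred', 'megan', "robert'); --"])),
];

// Allowed filter columns (assumed schema). Column names never come from
// the request; only values do, and they are bound, never concatenated.
const ALLOWED_FILTERS = ['city', 'name', 'colour'];

/** Split a comma-joined, urlencoded query-string value back into an array. */
function split_list(string $raw): array
{
    return array_map('urldecode', explode(',', $raw));
}

/** Keep only values that match a conservative pattern; everything else is dropped. */
function clean_values(array $values): array
{
    return array_values(array_filter($values, function ($v) {
        return is_string($v) && $v !== '' && preg_match('/^[\w \-]{1,64}$/u', $v) === 1;
    }));
}

/**
 * Build "WHERE `col` IN (?, ?) AND `col2` IN (?)" from the filters present
 * in the request. Returns the SQL plus the parameters to bind.
 */
function build_where(array $request): array
{
    $clauses = [];
    $params = [];
    foreach (ALLOWED_FILTERS as $column) {
        if (!isset($request[$column])) {
            continue;
        }
        $values = clean_values(split_list((string) $request[$column]));
        if ($values === []) {
            continue;
        }
        $placeholders = implode(', ', array_fill(0, count($values), '?'));
        $clauses[] = "`$column` IN ($placeholders)";
        $params = array_merge($params, $values);
    }
    $sql = $clauses ? 'WHERE ' . implode(' AND ', $clauses) : '';
    return [$sql, $params];
}

[$where, $params] = build_where($_GET);
$sql = "SELECT id, name, city FROM products $where ORDER BY id LIMIT 25";
echo $sql, "\n";
print_r($params);

// With a real mysqli connection ($mysqli is hypothetical here) the values
// are bound to the placeholders rather than inserted into the SQL text:
// $stmt = $mysqli->prepare($sql);
// $stmt->bind_param(str_repeat('s', count($params)), ...$params);
// $stmt->execute();
```

Run with `php receiving.php`: the third name fails the pattern check and is dropped, so the generated clause is `WHERE `city` IN (?) AND `name` IN (?, ?)` with `london`, `fred` and `megan` as the bound values. The pattern is deliberately strict; if legitimate values contain apostrophes or accents, loosen it rather than skipping validation, since the prepared statement, not the pattern, is what keeps the values out of the SQL grammar.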

Thank you for replying. What if I just wanted to pass the $name variable that already contains the string something=‘something’&&something=‘something’ to the other page? I’m asking because when the page loads after a checkbox has been checked, I have already used that string in the query. So all I need to do is then pass the variable to the other pages.

As mentioned, I tried to pass this variable with the string, but it would not echo out the string on the receiving page. Is there a reason this won’t work?

Thanks again.

You definitely would need to use urlencode (most likely). I still wouldn’t recommend passing such a string via the query string, as there isn’t a good way to validate it. It is part of an already established query, so you can’t re-use mysqli_real_escape_string on it or parse it easily to verify a hacker didn’t inject anything. You really need to just pass the form elements forward again and rebuild the query.

Sorry to keep on asking, but didn’t you earlier say that it was okay to do so?

The first is more than acceptable and utilizing the two techniques you suggested are fine (except for numerics, you should use is_int, is_decimial, whatever fits).

If I do use the array_map technique to pass the checkbox values, do you know if I can use multiple $_POST[‘’] variables in the array_map function? My form has checkboxes with different names, for example, name=“price” and name=“colour” ?

Thank you.

Yes and No. Yes if each variable you pass is a single value. You are sending a formatted query as the value, that is bad.

Certainly, you’d just run the code multiple times.

$name = implode(',', array_map('urlencode', $_POST['names'])); // take all checkbox values and pass them to urlencode, then concatenate them with implode.
$color = implode(',', array_map('urlencode', $_POST['colour']));
$price = implode(',', array_map('urlencode', $_POST['price']));
// pass $name via the query string
// ?city=london&name=$name&price=$price&color=$color

Same thing for the receiving page:

$name = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
$color = array_map('urldecode', explode(',', $_GET['color']));
$price = array_map('urldecode', explode(',', $_GET['price']));
// you need to still use filter_value (or any logic that you can think of to verify each value is appropriate) and mysqli_real_escape_string at this point before you build a query with the data.

Okay, thank you for all of your assistance. I appreciate it.

Hope you have a great day!

I would recommend placing the data in the session so that the search results can be rebuilt regardless of the other pages visited by the user. Otherwise in order to rebuild the search results you would have to always pass that search criteria to each page via query string. I know you are just referring to pagination but typically it is a better user experience to rebuild search results from their current state based on the search criteria a user has selected.

Hi cpradio,

how are you doing?

May I just ask you something? If my checkbox has a value with a space between the words, such as New York, the query string will be && name=new+york after using the array_map/urlencode combo. Then on the receiving page it will again be new+york after the array_map/urldecode combo. Is this normal to have the addition symbol between the words?

Thank you.

Hi everyone,

I’m still stuck trying to pass a variable to another page. Can someone please confirm whether or not the following works? I am unable to echo out the value of the variable on the receiving page - it just says $key is $value, instead of the names fred, megan and susan. Is this because I need to use sessions or cookies?

Thank you for your time!!!

$test = array('fred', 'megan', 'susan');
if (isset($test)){
$name = implode(',', array_map('urlencode', $test));
}


The url:

&name=$name">


The receiving page:

if (isset($_GET['name'])) {
    $getname = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
    foreach ($getname as $key => $value) {
        echo '$key is $value';
    }
}

Sorry, I just saw this (I was on vacation for a few days due to the Holiday), give me a few minutes to try and reproduce the scenario locally, and I’ll get back to you on this.

No, it is because you used single quotes instead of double. Remember that single quotes mean output this text literally (don’t evaluate it).

Hmm… you must be doing something wrong…

Here is my test:
sending_file.php

<?php
$names = array('test', 'test with spaces', 'test+space+already+encoded');
$value = implode(',', array_map('urlencode', $names));
var_dump($value);
?>
<br /><br />
<a href="receiving_file.php?names=<?= $value ?>">Send value to Receiving File</a>

output:

string 'test,test+with+spaces,test%2Bspace%2Balready%2Bencoded' (length=54)


<a href="receiving_file.php?names=test,test+with+spaces,test%2Bspace%2Balready%2Bencoded">Send value to Receiving File</a>

receiving_file.php

<?php
var_dump($_GET['names']);
$values = array_map('urldecode', explode(',', $_GET['names']));
var_dump($values);

output:

string 'test,test with spaces,test+space+already+encoded' (length=48)

array (size=3)
  0 => string 'test' (length=4)
  1 => string 'test with spaces' (length=16)
  2 => string 'test space already encoded' (length=26)

So as you can see, the spaces were converted to + in the sending_file.php, and were received that way in receiving_file.php. Once the array_map with urldecode was called, the + are gone…

Hi cpradio,

it is working now, thank you. I did however notice a problem after the second or so page - the checkbox values disappear from the urls. I have thus added this code to the pagination urls:

if (isset($name)) {
    echo '&name=' . $name;
} elseif (isset($_GET['name'])) {
    $getname = array_map('urldecode', explode(',', $_GET['name'])); // Receive the list of names, split it back to an array using explode, then use urldecode on each value.
    foreach ($getname as $key => $value) {
        echo '&name=' . $value;
    }
}

Do you think this is an OK technique or have I done something wrong? I also have a question about which checkbox values I’m including in the url since I don’t know beforehand which checkboxes have been selected. Should I thus have:

page.php? if (isset($name)) {echo '&name='.$name.'';} if (isset($color)) {echo '&color='.$color.'';} if (isset($price)) {echo '&price='.$price.'';}

Thanks for all of your help.

If you simply just need to pass the data along, look at using $_SERVER['QUERY_STRING'] to get the query string sent to the page.

page.php?<?php echo $_SERVER['QUERY_STRING']; ?>

That will take what was received and just pass it on. If you need to alter a value, you can use the following:

parse_str($_SERVER['QUERY_STRING'], $query_string);
$query_string['page'] = 2;
$new_query_string = http_build_query($query_string);

echo 'page.php?' . $new_query_string;
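As an added example (not cpradio's code and not part of the original thread), the following builds pagination links with parse_str and http_build_query as suggested above, so the checkbox filters are carried through every page link without hand-concatenating `'&name=' . $name`, which is where values got lost earlier in the thread. It also shows the alternative of sending checkbox values as a PHP array (`name[]=fred&name[]=new york`) instead of a comma-joined list. The query string, script name and filter values are constructed for the example.

```php
<?php
// Added example: rebuild pagination URLs from the received query string
// with http_build_query instead of concatenating '&name=' . $name by hand.

// Constructed stand-in for the request this page received.
$_SERVER['QUERY_STRING'] = 'city=london&name=fred%2Cnew+york&page=3';

/**
 * Return the URL for $page while keeping every other received parameter.
 * parse_str decodes the values and http_build_query re-encodes them, so a
 * space becomes "+" and a comma inside a value becomes "%2C" exactly once;
 * no double-encoding occurs.
 */
function page_url(string $script, string $query_string, int $page): string
{
    parse_str($query_string, $params);
    $params['page'] = max(1, $page);
    return $script . '?' . http_build_query($params);
}

/**
 * Same idea when checkbox values are kept as an array. With
 * <input type="checkbox" name="name[]"> on the form, PHP already gives
 * $_POST['name'] as an array, and http_build_query emits name[0]=..., name[1]=...
 */
function page_url_from_arrays(string $script, array $filters, int $page): string
{
    $filters['page'] = max(1, $page);
    return $script . '?' . http_build_query($filters);
}

$next = page_url('page.php', $_SERVER['QUERY_STRING'], 4);
$prev = page_url('page.php', $_SERVER['QUERY_STRING'], 2);

// When the URL lands inside an href attribute, escape it for HTML as well,
// so "&" and quotes cannot break out of the attribute.
printf('<a href="%s">Previous</a> <a href="%s">Next</a>' . "\n",
    htmlspecialchars($prev, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($next, ENT_QUOTES, 'UTF-8'));

echo page_url_from_arrays('page.php', ['city' => 'london', 'name' => ['fred', 'new york']], 2), "\n";
```

Run with `php pagination.php`. The `+` between `new` and `york` in the generated links is the normal form-style encoding of a space that the earlier post asked about; urldecode (or parse_str) turns it back into a space on the receiving page. The values taken from the query string still need the same validation before they reach any SQL, since a link that carries filters is only a transport, not a trust boundary.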