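<!-- on the sending page: -->
<form action="viewpage.php?page_id=8" method="post">
<?php
// <select> has no "type" attribute, so the original rendered a visible,
// empty dropdown instead of hiding the id. A hidden input is what carries
// the value. It is attribute-escaped because $id is written into HTML and
// its origin is not visible from this snippet.
echo "<input type='hidden' name='id' value='" . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . "'>\n";
?>
<input type="submit" value="Reviews">
</form>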
<!-- on the receiving page: -->
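<?php
// Read the id from the POST body but never trust it as-is: an id is a
// number, so validate it as an integer before it reaches a query or the page.
// filter_var() on a missing key (null) returns false, so one check covers both
// the absent and the non-numeric case.
$id = filter_var(isset($_POST['id']) ? $_POST['id'] : null, FILTER_VALIDATE_INT);
if ($id === false) {
    // Stop here rather than carry a bogus value into the rest of the page.
    exit('Invalid id.');
}
?>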
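<form action="viewpage.php?page_id=8" method="post">
<?php
// Re-emit the id for the next request. Escape it for the attribute context:
// whatever validation happened earlier, output encoding should not depend on it.
echo "<input type='hidden' name='id' value='" . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . "'>";
?>
<input type="submit" value="Reviews">
</form>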
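<?php
// An id should be validated as an integer, not merely escaped: stripinput()
// neutralises markup but still lets a non-numeric value through to any query.
// filter_var() returns false for a missing (null) or non-integer value.
$id = filter_var(isset($_POST['id']) ? $_POST['id'] : null, FILTER_VALIDATE_INT);
if ($id === false) {
    exit('Invalid id.');
}
?>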
Quote
googlebot wrote:
While that solution works, it is not secure. I recommend using the $id variable directly in the PHP code if you already have it set, instead of putting it into a hidden input field: you still have access to the variable on the server, and you would not be leaving it open to manipulation by the client.
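// Only accept a numeric id from the query string; fall back to "1" otherwise.
// isset() first, so a missing parameter does not raise an undefined-index notice.
$id = (isset($_GET['id']) && isnum($_GET['id'])) ? $_GET['id'] : "1";
echo "<form action='".FUSION_SELF."?id=".$id."' method='post'>\n";
echo "<input type='hidden' name='id' value='".$id."' />\n";
echo "<input type='text' class='textbox' name='text' value='Type some text here' />\n";
echo "<input type='submit' class='button' name='submit' value='Send' />\n";
echo "</form>\n";
if (isset($_POST['submit']) && isset($_POST['id']) && isnum($_POST['id'])) {
    // Cast to int so the value interpolated into SQL can only ever be digits,
    // independent of exactly which strings isnum() accepts.
    $postId = (int) $_POST['id'];
    // NOTE(review): stripinput() is the project's input filter; whether it makes
    // $text safe to interpolate into SQL depends on its implementation — confirm,
    // or prefer a parameterised query if the DB layer offers one.
    $text = stripinput(isset($_POST['text']) ? $_POST['text'] : '');
    // NOTE(review): the hidden id is client-controlled and nothing here checks
    // that the current user may edit this row; an access condition on the
    // UPDATE (or a prior SELECT with one) is still needed.
    $result = dbquery("UPDATE ".DB_TABLE." SET text='".$text."' WHERE id='".$postId."'");
    // assumes redirect() terminates the script, as the original relies on — confirm
    redirect(FUSION_SELF."?id=".$postId);
}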
<input type='hidden' name='id' value='2' />\n
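// We check if the ID is numeric, if not we send them back.
// assumes redirect() terminates the script; if it does not, an exit is needed here — confirm
if (!isset($_GET['id']) || !isnum($_GET['id'])) { redirect("../index.php"); }
// Cast once so the value used in SQL and in the URL can only ever be digits.
$id = (int) $_GET['id'];
// Check that the item exists and that the user has access to it.
$result = dbquery("SELECT id, text FROM ".DB_TABLE." WHERE id='".$id."' AND ".groupaccess('access')." LIMIT 1");
if (dbrows($result)) { // fixed: the original was missing the closing parenthesis here
    // We can now safely use the id as we know it exists in the DB and the user has access to the item.
    if (isset($_POST['submit'])) {
        // NOTE(review): stripinput() is the project's input filter; whether it makes
        // $text safe to interpolate into SQL depends on its implementation — confirm.
        $text = stripinput(isset($_POST['text']) ? $_POST['text'] : '');
        $result = dbquery("UPDATE ".DB_TABLE." SET text='".$text."' WHERE id='".$id."'");
        redirect(FUSION_SELF."?id=".$id);
    }
    $data = dbarray($result);
    echo "<form action='".FUSION_SELF."?id=".$id."' method='post'>\n";
    // NOTE(review): $data['text'] is rendered into an attribute as stored. This assumes
    // stripinput() HTML-encoded it on the way in; if it does not, wrap it in
    // htmlspecialchars(..., ENT_QUOTES) here — confirm against stripinput().
    echo "<input type='text' class='textbox' name='text' value='".$data['text']."' />\n";
    echo "<input type='submit' class='button' name='submit' value='Send' />\n";
    echo "</form>\n";
} else {
    echo "Item does not exists or you do not have access to it.";
}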