PHP GET and POST parameters

Lesson 10: PHP GET and POST parameters

This lesson shows step by step how GET and POST parameters are used to pass data between PHP scripts in dynamic web pages. Within WordPress you can see this just by editing a post: look at your browser's URL while the post editor is open. It reads something like "?post=1008&action=edit&lang=en". The variables "post", "action" and "lang" are filled in by WordPress according to what you clicked in the backend. Let us talk about that.

Why script parameters?

Basically, you could use just one script (file) for your entire website project. However, your code would get rather long, maintenance would get harder and errors more difficult to track down. So you may want to move certain functionality into other script files. Every PHP script file runs on its own, though, so you need a way to transfer data from one script to another: you want to parameterize them.

Depending on the purpose of the data being transferred and where it comes from, there are different methods of passing parameters between PHP scripts. The two major ones discussed here are GET and POST.

PHP script parameters via GET

GET parameters come from the URL, that is, the page address shown in the browser's address bar. Because they are part of the address, they end up in browser history, bookmarks, proxy and server logs and the Referer header, so they are not suitable for secrets such as passwords or session tokens.


This is how a link in any HTML or PHP file looks when it points to script.php and passes it a GET parameter:

<a href="script.php?var_a=abc123">Anchor text</a>

The parameter's name, "var_a", is arbitrary: you can name your parameters as you like, as long as you can tell them apart.

If a user clicks the link above, they are taken to the target script.php. Inside script.php the parameter is read as follows:

<?php
// Read the "var_a" query-string parameter; null if the URL did not carry it
$your_variable_name = $_GET["var_a"] ?? null;
?>

In this example we read a parameter called "var_a" and store its value in a variable called $your_variable_name. I would recommend naming that variable the same as the parameter, but that is not necessary. In the example above $your_variable_name will hold the value "abc123", since that is what the link specified.

PHP script parameters via POST

POST parameters most commonly come from HTML forms, as discussed in the HTML basics article. They travel in the request body rather than in the URL, so they do not show up in the address bar or in server access logs, although they are just as easy for a user to alter.

The following form sends a parameter named "var_b" to a script called script.php as soon as it is submitted:

<form action="script.php" method="POST">
    <input type="text" name="var_b" />
    <input type="submit" />
</form>

The PHP script script.php then reads var_b like this:

<?php
// Read the "var_b" field from the submitted form; null if it was not sent
$your_variable_name = $_POST["var_b"] ?? null;
?>

Again, you can name the variable holding the parameter's value the same as the parameter. In the example above, $your_variable_name will hold whatever the user typed into the text field.

This is all you need to pass and collect parameter data between two script files using GET and POST. What a CMS like WordPress does on top of this can be richly complex, yet the underlying mechanism is the same simple one; otherwise the whole system would collapse under its own weight.
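As an added example (not code from the original lesson), here is a complete script.php that serves both the link and the form above. It dispatches on the HTTP method, reads var_a only from $_GET and var_b only from $_POST, and refuses values that are not plain strings. The function names, the text-plain responses and the CLI demo block are my own choices; the parameter names are the lesson's.

```php
<?php
declare(strict_types=1);

// Return the parameter only when it is present and a plain string.
// PHP turns "?var_a[]=x" into an array, so a type check is needed before
// the value reaches any string function.
function string_param(array $source, string $name): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    return $source[$name];
}

// Dispatch on the HTTP method: the link from this lesson arrives as GET
// carrying var_a, the form as POST carrying var_b. Reading each from its
// own superglobal (never from $_REQUEST) keeps a crafted URL from
// standing in for a submitted form.
function handle_request(string $method, array $get, array $post): string
{
    if ($method === 'GET') {
        $var_a = string_param($get, 'var_a');
        return $var_a === null ? 'GET: no usable var_a' : 'GET var_a=' . $var_a;
    }
    if ($method === 'POST') {
        $var_b = string_param($post, 'var_b');
        return $var_b === null ? 'POST: no usable var_b' : 'POST var_b=' . $var_b;
    }
    return 'Unsupported method ' . $method;
}

if (PHP_SAPI === 'cli') {
    // Constructed requests so the file can be run from the command line.
    echo handle_request('GET', ['var_a' => 'abc123'], []), "\n";
    echo handle_request('POST', [], ['var_b' => 'hello']), "\n";
    echo handle_request('GET', ['var_a' => ['abc123']], []), "\n"; // ?var_a[]=abc123
} else {
    // Real request: script.php served by a web server. The response is
    // declared as plain text, so the echoed value is not parsed as HTML.
    header('Content-Type: text/plain; charset=UTF-8');
    echo handle_request($_SERVER['REQUEST_METHOD'], $_GET, $_POST);
}
```

Run from the command line, the first two calls report the values from the link and the form, while the third, which simulates the URL ?var_a[]=abc123, is rejected because PHP delivers it as an array. If the response were HTML instead of text/plain, the echoed value would also have to be escaped (see the XSS section later on this page).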


How to retrieve URL parameters in PHP.

In this beginner PHP tutorial we show how to retrieve query-string parameters from a URL, and point out some of the most common pitfalls.

Take as an example a URL whose query string is ?id=23&page=34. It carries two GET parameters: id, which contains the value 23, and page, which contains the value 34.

Let’s say that we want to retrieve those values so that we can use them in our PHP script.

If we want to retrieve the values of those two parameters, we can access the $_GET superglobal array like so:

<?php
// Get our two GET parameters.
$id = $_GET['id'];
$page = $_GET['page'];

Although the PHP code will work, it wrongly assumes that the GET parameters in question will always exist.

As a result, the script will emit an ugly error message if a user removes one of the parameters from the URL. On PHP 7 this is a notice:

Notice: Undefined index: id in /path/to/file.php on line 4

On PHP 8 it is a warning instead:

Warning: Undefined array key "id" in /path/to/file.php on line 4

Either way, $id ends up NULL, and whatever uses it afterwards misbehaves.

To guard against this kind of issue, you will need to check to see if the GET variable exists before you attempt to use it:

<?php
$id = false;
if (isset($_GET['id'])) {
    $id = $_GET['id'];
}
$page = false;
if (isset($_GET['page'])) {
    $page = $_GET['page'];
}

In the example above, we use PHP’s isset function to check whether or not the parameter in question actually exists.

If it does exist, we assign it to one of our variables. If it doesn’t, then our variables will retain their default FALSE values.

Never trust GET parameters. Always validate them.

GET parameters should always be treated with extreme caution.

  1. You cannot assume that they will always exist.
  2. If they do exist, you can’t discount the possibility that the user has tampered with them.

In other words, if you expect id to be an integer value and a user decides to manually change that to “blahblahblah”, your PHP script should be able to handle that scenario.

URL parameters are external variables, and external variables can never ever be trusted.
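The following is an added example, not code from the original tutorial, showing how to enforce the "id must be an integer" expectation from the paragraph above with PHP's filter_var(). The function name int_param and the range limits are my own; the query strings are constructed test inputs parsed with parse_str(), which produces the same array PHP would put into $_GET.

```php
<?php
declare(strict_types=1);

// Strict integer validation of a query parameter. Returns the integer,
// or null when the parameter is missing, is not a plain string (PHP
// parses ?id[]=1 into an array), is not a well-formed decimal integer,
// or lies outside [$min, $max].
function int_param(array $source, string $name, int $min = 0, int $max = PHP_INT_MAX): ?int
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only a complete decimal integer:
    // "23abc", "blahblahblah" and "23.0" all fail.
    $value = filter_var($source[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    // filter_var() returns false on failure; 0 can be a legitimate value,
    // so the comparison must be strict.
    return $value === false ? null : $value;
}

// Constructed query strings standing in for real requests.
$cases = [
    'id=23&page=34',            // both valid
    'id=blahblahblah&page=34',  // tampered id
    'id=23abc&page=34',         // trailing garbage
    'id[]=23&page=34',          // array instead of a scalar
    'page=34',                  // id missing
    'id=-5&page=34',            // below the allowed range
];
foreach ($cases as $query) {
    parse_str($query, $params);
    $id   = int_param($params, 'id', 1);
    $page = int_param($params, 'page', 1, 10000);
    printf("%-26s id=%s page=%s\n", $query,
        var_export($id, true), var_export($page, true));
}
```

Only the first case yields id=23; in every other case id comes back NULL while page is still 34, and the caller can respond with a 400 or a default instead of handing garbage to the rest of the script. The same pattern with FILTER_VALIDATE_INT is what filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ...) does in one call on a live request.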

Never directly print GET parameters onto the page.

Printing out GET parameters without escaping them is a recipe for disaster, since it leaves your web application wide open to reflected XSS attacks.

Take the following example:

<?php
$page = false;
if (isset($_GET['page'])) {
    $page = $_GET['page'];
}
if ($page !== false) {
    // Deliberately unescaped: this is the vulnerable version
    echo '<p>Page: ' . $page . '</p>';
}

Here, we’ve done everything right except the final step:

  1. We check to see if the GET parameter exists before we access its value.
  2. We do not print the page number out if it doesn’t exist.

However, we did not escape the variable before printing it. This means an attacker can replace our GET parameter with HTML or JavaScript and have the browser execute it when the page loads.

They could then trick other users into opening this "tainted" link, and the injected script would run in those users' browsers under our site's origin.

To protect ourselves against XSS, we can use the PHP function htmlentities (htmlspecialchars, which converts only the characters that matter to HTML, is equally sufficient here):

<?php
// Guarding against XSS: ENT_QUOTES also escapes single quotes, and the
// charset must match the page's encoding
if ($page !== false) {
    echo '<p>Page: ' . htmlentities($page, ENT_QUOTES, 'UTF-8') . '</p>';
}

The htmlentities function guards against XSS by converting characters that have meaning in HTML into their entities. For example, <script> becomes &lt;script&gt;, which the browser displays as text rather than parsing as a tag. Pass ENT_QUOTES and the page's charset so that single quotes are escaped too; before PHP 8.1 the default flags left them alone. Note that this escaping is only correct for text inside an HTML element or a quoted attribute. A value placed into a URL, a JavaScript string or a style rule needs the encoding appropriate to that context.
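As an added example (my code, not the tutorial's), the snippet below renders the "Page:" line both unescaped and escaped for a set of constructed attacker-controlled values, so the difference in output can be seen directly. The helper name esc_html is an assumption; the flags passed to htmlspecialchars are standard PHP.

```php
<?php
declare(strict_types=1);

// Escape untrusted text for an HTML body or a quoted attribute.
// ENT_QUOTES converts both quote styles (left alone by default before
// PHP 8.1); ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead
// of making htmlspecialchars() return an empty string.
function esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The tutorial's vulnerable rendering, kept for comparison.
function render_unsafe(string $page): string
{
    return '<p>Page: ' . $page . '</p>';
}

// The hardened rendering.
function render_safe(string $page): string
{
    return '<p>Page: ' . esc_html($page) . '</p>';
}

// Constructed values, as they would arrive in $_GET['page'].
$payloads = [
    '34',
    '<script>alert(document.cookie)</script>',
    "' onmouseover='alert(1)",
    "\xff",   // invalid UTF-8 byte
];
foreach ($payloads as $p) {
    echo "unsafe: ", render_unsafe($p), "\n";
    echo "safe:   ", render_safe($p), "\n\n";
}
```

For the second payload the unsafe line contains a live script tag, while the safe line contains &lt;script&gt;...&lt;/script&gt; and shows the text on screen. The third payload would break out of a single-quoted attribute if esc_html were called without ENT_QUOTES; the last one shows why ENT_SUBSTITUTE matters, since without it the escaped output for an invalid byte sequence is an empty string and the page silently loses the value.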

