0

In particular, I have a form with some parameters to POST which submits to itself, but I would like to preserve the GET parameters when the form is submitted.

For example, if the original URL is http://mydomain.com/download.php?fname=foobar.bin, I want that to be the URL when I make the POST. But the foobar.bin part of the URL might change.

Here is a minimum working example

<?php

$pass = $_POST['pass'];

$filename = $_GET['p'];

$file = "../../cgi-secret/$filename";

if($pass == "foobar")
{
    header('Content-type: application/octet-stream');
    header("Content-Disposition: attachment; filename=\"$filename\"");
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    // The PDF source is in original.pdf
    readfile($file);
}
if(isset($_POST))
{?>
    <form method="POST" action="download.php?p=$file">
        Password <input type="password" name="pass"></input>
        <input type="submit" name="submit" value="Get File" ></input>
        </form>
<?}
?>

On this line, I want to post to the current URL, whatever that happens to be

    <form method="POST" action="download.php?p=$filename">

To give some context, I am trying to modify the answer to my question How can I password protect a binary file download? so that I can pass the filename as a GET parameter.

Community
  • 1
  • 1
merlin2011
  • 71,677
  • 44
  • 195
  • 329

1 Answers1

0

Have you seen $_SERVER['QUERY_STRING']? Short of looping the existing $_GET array when you render the form it's probably the most straightforward approach.

An example:

<form method="POST" 
      action="download.php?p=$filename&<?php echo $_SERVER['QUERY_STRING']; ?>">

In the case that you don't have access to $_SERVER['QUERY_STRING'], you could use:

    <form method="POST" 
          action="download.php?p=$filename&<?php foreach($_GET as $key => $val) echo $key.'='.urlencode($val).'&'; ?>">
calcinai
  • 2,567
  • 14
  • 25
  • I have not seen that, I will try that. – merlin2011 Apr 22 '13 at 07:01
  • I just tried a simple page with `echo $_SERVER['QUERY_STRING'];` and it is printing nothing. Does this variable exist if PHP is executing under cgi-bin? – merlin2011 Apr 22 '13 at 07:11
  • See revised answer - you should consider pre-calculating that query string rather than generate mid-template. – calcinai Apr 22 '13 at 07:20
  • (I think, ) Using an empty action attribute submits to the current URI, query string included. `
    `
     – Michel Feldheim Apr 22 '13 at 07:23
  • (I think) You're right, but I think @merlin2011 is wanting to add to the existing query string, not just post to the same one. – calcinai Apr 22 '13 at 07:29
  • I want to preserve the original query string, but just POST more information, so Michel's solution may work for me. I can't test right it right now because I'm at work behind a proxy, but I'll try it when I get home. – merlin2011 Apr 22 '13 at 17:40