0

I tried to transfer some variable in HTML which could not be manipulated by the user to the next page, like the var effort here, but it could not pass to the next page. What's wrong? Thanks.

    Name <input type="text" name="name" size="35">
    <br /><br />
    Guess <input type="number" name="guessNum" size="35">
    <br /><br />
    <script>
    var effort=13;
    </script>
    <input type="hidden" name="effort" value="effort">
    <input type="submit" value="submit">
    </form>
    </div>
rockmerockme
  • Once you redirect to another page your variables get initialized again, so obviously you will get different values... For this you need to choose one `state` and then you can pass it to another page. – Just code Mar 19 '15 at 10:04
  • Could you please talk in a little more detail about "state", or give me some keywords to search for? I am new, thanks~~ – rockmerockme Mar 19 '15 at 10:09

1 Answer

0

> I tried to transfer some variable in html which could not be manipulated by user to next page

That's impossible. You are giving it to the user and asking them to send it back. They can change it as much as they like.

If you don't want it to be changed then store it on the server (e.g. in a session).


The code isn't working because you are setting a JavaScript variable called `effort` and not changing the value of the form field (which doesn't even exist when you set the variable).

    <input type="hidden" name="effort" value="effort" >
    <script>
    document.querySelector("input[name=effort]").value = 13;
    </script>

You would then need some server side code to read it (unless it is a GET form, in which case you can use JS to pull it from the URL).

As I said, even if you fix that, the user can manipulate it.

Quentin
  • I see, but I do not know how to transfer a var effort to $effort, so then I could use session. – rockmerockme Mar 19 '15 at 10:15
  • If it is in a JavaScript variable then it is already under the control of the user and there is nothing you can do to prevent it from being changed. To send it to a server side variable, you put it in a form as demonstrated in the code in the answer. – Quentin Mar 19 '15 at 10:17
  • OK, I see. In the next URL, I tried to save the effort into a database. $guessNum has been posted

    "; } ?> but it could not get the effort value? You suggest I could only use JS to get the effort?
    – rockmerockme Mar 19 '15 at 10:20
  • Don't use `$_REQUEST`. Don't use `extract` (spewing user defined variables into scope is **dangerous**). The name of the input is `effort` not `name`. You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 19 '15 at 10:24
  • Partly understand what you say, still could not solve the problem, but still thanks a lot. Nice day – rockmerockme Mar 19 '15 at 10:41
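
The answer's advice (keep `effort` in a session) together with the last comment's points (read `$_POST` explicitly, no `extract`, prepared statements through a modern API), shown as an added example that is not part of the original answer or comments. It assumes PDO with an in-memory SQLite database and a hypothetical `guesses` table; `remember_effort` and `save_guess` are hypothetical helper names.

```php
<?php
declare(strict_types=1);
// Added example, not the asker's or answerer's code. SQLite, the guesses
// table and both function names are assumptions made for illustration.

// Form page: keep effort on the server; no hidden "effort" field is sent.
function remember_effort(int $effort): void
{
    $_SESSION['effort'] = $effort;
}

// Form target: effort comes from the session. Only name and guessNum are read
// from the request, explicitly from $_POST (no $_REQUEST, no extract()).
function save_guess(PDO $db, array $post): bool
{
    if (!isset($_SESSION['effort'])) {
        return false; // the form page was never visited in this session
    }
    $name  = trim((string)($post['name'] ?? ''));
    $guess = filter_var($post['guessNum'] ?? null, FILTER_VALIDATE_INT);
    if ($name === '' || $guess === false) {
        return false;
    }
    // Prepared statement: values are bound, never concatenated into the SQL.
    $stmt = $db->prepare(
        'INSERT INTO guesses (name, guess, effort) VALUES (:name, :guess, :effort)'
    );
    return $stmt->execute([
        ':name' => $name, ':guess' => $guess, ':effort' => $_SESSION['effort'],
    ]);
}

// Constructed demo: both pages in one CLI run, with a constructed POST body
// in which the client has added its own effort value.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guesses (name TEXT, guess INTEGER, effort INTEGER)');

remember_effort(13);
save_guess($db, ['name' => "O'Brien", 'guessNum' => '42', 'effort' => '999']);

$row = $db->query('SELECT name, guess, effort FROM guesses')->fetch(PDO::FETCH_ASSOC);
printf("stored: name=%s guess=%d effort=%d\n", $row['name'], $row['guess'], $row['effort']);
```

In a real deployment the two functions live in the two separate page scripts, each calling `session_start()` before any output; the client-supplied `effort` key is never read, so the stored value is the one set on the server.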