I have created a form in HTML/CSS on my website.

Now, my idea is to give out links that would contain some string (basically like an affiliate link), and I would like that string to be entered in a hidden form field to be submitted, or somehow else have that string in the submitted data. Is there an easy way to do this?

rossi2561

1 Answer

There are two ways of approaching this, both of which use a GET variable in the link you distribute.

First off, let's assume that--for example's purpose--your special string is abc123. You would then distribute a link that follows the form http://example.com/my/form/?affiliate=abc123.

Assuming that, here are two solutions, one in PHP and another in Javascript.


PHP Solution

This one is fairly easy, as long as you're just setting a hidden field.

```php
<input type='hidden' name='affiliate' value='<?= htmlspecialchars($_GET['affiliate'] ?? '', ENT_QUOTES, 'UTF-8'); ?>' />
```

Update: Added htmlspecialchars() call to escape any input, to prevent security issues with users setting the GET variable manually.


Javascript Solution

HTML

```html
<input type='hidden' id='affiliate-input' name='affiliate' />
```

Javascript

This solution relies on jQuery. If you want a pure JS solution, let me know.

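```javascript
var $_GET = {};

// When the page loads, set the input value
$(document).ready(function(){
    setupGetVariables();

    var affiliateId = $_GET["affiliate"];

    $("#affiliate-input").val(affiliateId);
});

// Parse the query string of the current URL into $_GET
function setupGetVariables()
{
    if(document.location.toString().indexOf('?') !== -1) {
        var query = document.location
                   .toString()
                   // get the query string
                   .replace(/^.*?\?/, '')
                   // and remove any existing hash string (thanks, @vrijdenker)
                   .replace(/#.*$/, '')
                   .split('&');

        for(var i=0, l=query.length; i<l; i++) {
            // Split on the first '=' before decoding, so an encoded '=' (%3D)
            // inside a value is not mistaken for the separator
            var pos = query[i].indexOf('=');
            var key = pos === -1 ? query[i] : query[i].slice(0, pos);
            var val = pos === -1 ? '' : query[i].slice(pos + 1);
            $_GET[decodeURIComponent(key)] = decodeURIComponent(val);
        }
    }
}
```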

The setupGetVariables() method was helped by this answer.

Aeolingamenfel
  • **Danger**: That PHP is [vulnerable to XSS](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). User input needs escaping before being inserted into an HTML document! – Quentin Mar 14 '16 at 15:46
  • The JavaScript isn't very good either, it fails to URL Decode the data. – Quentin Mar 14 '16 at 15:48
  • Should I wrap it in `addSlashes()` then? – Aeolingamenfel Mar 14 '16 at 15:48
  • Hell no. `addslashes` is a terrible tool for escaping things that use slashes for escape sequences (which is what it is designed for), and HTML doesn't use slashes for escape sequences! http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php – Quentin Mar 14 '16 at 15:51
  • Yes, that should be safe. – Quentin Mar 14 '16 at 15:55
  • @Quentin alright, thanks for the heads up. I also swapped out that Javascript for something that actually parses the URL. CSSTricks be distributing poor code :( – Aeolingamenfel Mar 14 '16 at 16:03
  • I am a bit confused by this conversation here now - so is the PHP version "dangerous" and the JavaScript version suggested? (I am not sure I can add JavaScript easily on just that single page...) – rossi2561 Mar 14 '16 at 16:19
  • So, the current version of the PHP you see above is safe. I had previously posted a piece of PHP that was vulnerable to a certain type of attack. – Aeolingamenfel Mar 14 '16 at 16:26
  • OK, I have implemented the PHP version but I cannot receive that value - it outputs empty... how best to debug? – rossi2561 Mar 14 '16 at 16:52
  • If the form is POSTing back to the server, you should be able to access its value through `$_POST['affiliate'];`. You have to make sure that there is an affiliate GET variable set, though, i.e., that the URL you use to load the form contains `?affiliate=[some id]` – Aeolingamenfel Mar 14 '16 at 17:01
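
An added example, not part of the answer or comments above: a dependency-free JavaScript version of the field-filling logic that parses the link with the `URL` API and only accepts values matching an allow-list. The `AFFILIATE_PATTERN` format and the function names are assumptions; `escapeHtmlAttr` mirrors the replacements `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` makes in the PHP version, where escaping the single quote matters because the `value` attribute is single-quoted.

```javascript
// Added example (not from the answer). The allow-list pattern is an assumed
// affiliate-code format; adjust it to the codes you actually issue.
const AFFILIATE_PATTERN = /^[A-Za-z0-9_-]{1,32}$/;

// Return the "affiliate" query parameter, or '' if absent or not allow-listed.
function affiliateFromUrl(href) {
  let value;
  try {
    // URL/URLSearchParams ignore the #fragment, split on & and = before
    // decoding, and do not throw on malformed percent-escapes.
    value = new URL(href).searchParams.get('affiliate');
  } catch (e) {
    return ''; // href was not a parseable absolute URL
  }
  return value !== null && AFFILIATE_PATTERN.test(value) ? value : '';
}

// Same replacements as PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the hidden field as a string, as a server-side template would.
function hiddenFieldHtml(href) {
  return "<input type='hidden' name='affiliate' value='" +
    escapeHtmlAttr(affiliateFromUrl(href)) + "' />";
}

// In a browser, set the field through the DOM; .value never parses HTML.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    const input = document.getElementById('affiliate-input');
    if (input) input.value = affiliateFromUrl(document.location.href);
  });
}
```

A hidden field is still client-controlled, so the server should apply the same allow-list check to the submitted `affiliate` value before using it.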