I am sending an id using the URL. However, I can only access the $_GET['id'] variable when the page loads. When I go on to submit the form, the variable is undefined. What could be the problem?

    if (isset($_GET['id'])) {
        $tripId = htmlspecialchars($_GET['id']);
    }

    if (isset($_POST['submit'])) {

        for ($i = 0; $i < count($_POST['package']); $i++) {

            //check if there are any errors before proceeding
            if (array_filter($errors)) {
                print_r($errors);
            } else {
                $package = mysqli_real_escape_string($con, $_POST['package'][$i]);
                $price = mysqli_real_escape_string($con, $_POST['price'][$i]);
                $sql = "INSERT INTO packages(tripId,packageName,packagePrice) VALUES('$tripId','$package','$price')";
            }

            //check and redirect
            if (mysqli_query($con, $sql)) {
                header('location: admin_home.php');
            } else {
                echo 'error' . mysqli_error($con);
            }

        }

    }
ADyson
  • Then the URL provided to the form `action` does not pass along the GET variable, presumably. – Mitya Sep 28 '20 at 22:49
  • If you're submitting the form with a POST then the $_GET array is not populated –  Sep 28 '20 at 22:50
  • Is it possible to get the 'id' variable and persist it to the post request? – Alex Gooner Arteta Sep 28 '20 at 22:56
  • @Mitya it does, I can access the variable immediately the page loads, but when I submit the form, it is undefined – Alex Gooner Arteta Sep 28 '20 at 22:57
  • @AlexGoonerArteta Yes, if you either a) put it in the URL in the "action" method of your form, or b) put it into a hidden field in your form (but you'd have to access it in the PHP via $_POST in that scenario). Either way though that means it gets submitted again when the POST request is sent – ADyson Sep 28 '20 at 22:57
  • The page loading, and submitting the form, are two different things and result in two different URLs being loaded. The URL you end up on after submitting the form - does it include your GET var or not? – Mitya Sep 28 '20 at 22:58
  • @ADyson I ended up putting the id in a hidden field and it worked. – Alex Gooner Arteta Sep 28 '20 at 23:43
  • @Mitya the URL after submitting the form did not include the GET var, but it worked when I stored it in a hidden field and accessed it via $_POST – Alex Gooner Arteta Sep 28 '20 at 23:44
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 29 '20 at 10:32

1 Answer

When you build the form, the target should include the GET parameter too. This is how GET parameters are passed around. `$_POST` will be populated with the form fields; `$_GET` will be populated with whatever is in the URL.

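    <?php
    // Build the form's action URL so the id travels in the query string on submit.
    $url = '/process.php?' . http_build_query(['id' => $yourIdHere]);
    ?>

    <!-- Escape the URL for the attribute context before printing it. -->
    <form action="<?= htmlspecialchars($url, ENT_QUOTES) ?>" method="POST">
      <label for="package">Package:</label>
      <input type="text" id="package" name="package"><br><br>
      <label for="price">Price:</label>
      <input type="text" id="price" name="price"><br><br>
      <input type="submit" value="Submit" name="submit">
    </form>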
Oliver O'Neill
  • For clarity it would be better to say the form's action, not its target (which is a different attribute, though I know what you mean.) – Mitya Sep 28 '20 at 23:08
  • @Mitya yeah, sorry. That would be ideal. I just find less confusion in students to describe it as the target when I'm teaching people. Although I do usually say "the target in the action parameter", I guess I got lazy this evening. – Oliver O'Neill Sep 28 '20 at 23:10
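
Added example, not code from the question or the answer: a handler for the form's action script that reads the id from the query string as the answer describes, validates it, and saves the rows with the MySQLi prepared statements the warning comment recommends. The integer id, the `package[]`/`price[]` field names, the function names `collectPackages` and `insertPackages`, and the open `$con` connection are assumptions.

```php
<?php
// Assumed: integer trip id, fields named package[]/price[], open mysqli connection in $con.
function collectPackages(array $get, array $post): array
{
    // The id is still in $_GET on a POST because the action URL carries ?id=...
    $tripId = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($tripId === false) {
        throw new InvalidArgumentException('Missing or invalid trip id');
    }
    $names  = array_values((array) ($post['package'] ?? []));
    $prices = array_values((array) ($post['price'] ?? []));
    if ($names === [] || count($names) !== count($prices)) {
        throw new InvalidArgumentException('package[] and price[] must match in length');
    }
    $rows = [];
    foreach ($names as $i => $name) {
        $price = filter_var($prices[$i], FILTER_VALIDATE_FLOAT);
        if (!is_string($name) || trim($name) === '' || $price === false || $price < 0) {
            throw new InvalidArgumentException("Row $i is invalid");
        }
        $rows[] = [$tripId, trim($name), $price];
    }
    return $rows;
}

function insertPackages(mysqli $con, array $rows): void
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions
    $stmt = $con->prepare('INSERT INTO packages (tripId, packageName, packagePrice) VALUES (?, ?, ?)');
    $con->begin_transaction();
    try {
        foreach ($rows as [$tripId, $name, $price]) {
            $stmt->bind_param('isd', $tripId, $name, $price); // values never enter the SQL text
            $stmt->execute();
        }
        $con->commit();
    } catch (mysqli_sql_exception $e) {
        $con->rollback(); // all rows or none
        throw $e;
    }
}

if (PHP_SAPI === 'cli') { // constructed sample request; runs without a database
    print_r(collectPackages(['id' => '7'], ['package' => ['Basic', "O'Hare tour"], 'price' => ['99.50', '120']]));
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    insertPackages($con, collectPackages($_GET, $_POST));
    header('Location: admin_home.php'); // redirect once, after every row is committed
    exit;
}
```

The same validation applies if the id is sent in a hidden field instead: read it from `$_POST` and treat it as equally untrusted, since both the query string and hidden fields are under the client's control.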