1

Possible Duplicate:
PHP Pass variable to next page

Here is my current code:

$search = $_POST['s'];
$search = strtoupper($search); 
$search = strip_tags($search); 
$search = trim($search); 
$search = mysql_real_escape_string($search);

I need to be able to carry on the $search variable to my second, third, etc, pages.

I'm a beginner in PHP and I'm sort of stuck here.

Community
  • 1
  • 1
Laszki
  • 113
  • 1
  • 3
  • 8
  • 2
    Take a look at [PHP sessions](http://www.php.net/manual/en/book.session.php). The `$_SESSION` superglobal allows you to store information between pages. – Bojangles Mar 01 '12 at 02:03
  • 2
    See http://stackoverflow.com/questions/871858/php-pass-variable-to-next-page – John Flatness Mar 01 '12 at 02:04

4 Answers

1

It would appear that sessions are your friend here. In the simplest form, sessions will just put data in cookies that are sent to and from the user's browser. Make sure you call session_start() before you do anything with the session; this will start or resume the user's session. After that, you can use $_SESSION as a global associative array that will persist between pages.

Xander has already linked you to the docs. Here are some simple examples. Make sure you understand session_start(), otherwise you'll have some bugs.

N.B. Do not use this basic session format for sensitive data. Look into using something like memcache to store the data and simply put the memcache key into $_SESSION. Also, consider encrypting the sessions. Those are more advanced things you should think about when dealing with user authentication/login.

Endophage
  • 21,038
  • 13
  • 59
  • 90
1

While $_SESSION has been suggested, another option is to use a hidden field (with the same name and filled with the appropriate value) on subsequent generated pages. Then, when those pages are posted back, they too will have the field available in $_POST (this time supplied by the hidden field, not the original text field).

Advantages:

  • "Bound to the current page"; really good for some page context-sensitive stuff! (The session is scoped to the browser, not the page.)
  • Avoids the need for session/cookies (which is a non-issue if the session is already required for other purposes).

Disadvantages:

  • "Bound to the current page": value will be lost when navigated away from outside of back/next context. (As Bert notes, a slight modification can use this "breadcrumb" approach to alter the URL and use GET parameters, which can make the data universally persistent, at the expense of a "less pretty" URL.)
  • Data must be treated as untrusted and insecure, just like the original post.
  • Requires population of additional [hidden] fields.

Happy coding.

  • mysql_real_escape_string **is not** a "hack-a-bout". This function's only drawback is the fact that the average PHP user has no idea how to use it. – Your Common Sense Mar 01 '12 at 05:12
  • @Col.Shrapnel I disagree. It **continues to promote the bad practice of manual SQL string building**. Considering that *both* `mysqli` *and* `PDO` are available on many PHP systems, I see *no reason* to keep defending **an old approach *not used* by any other modern wide-spread programming language**. (Oh, please do say *exactly* why the -1's, please, because if it's about my distaste for `mysql_real_escape_string`, it's irrelevant to the answer.) –  Mar 01 '12 at 05:15
  • oh please, do not peddle that old tale to *me*. okay? – Your Common Sense Mar 01 '12 at 05:16
  • @Col.Shrapnel You are free to do as you like (including ignore me); I believe I am justified and there are plenty of SO posts/answers on the topic. `mysql_real_escape_string` came about because both `add_slashes` and `mysql_escape_string` ... failed. –  Mar 01 '12 at 05:17
  • I am free to *think* as I like! Think! To consider the real meaning of different approaches, not blindly follow some gospel! And judge based on my **experience**, not just hundreds of "topics" merely copy/pasting each other – Your Common Sense Mar 01 '12 at 05:18
  • Actually you are. You are comparing binding with escaping, while they are incomparable matters. One cannot be used in place of another. – Your Common Sense Mar 01 '12 at 05:21
  • @Col.Shrapnel I bet this is one of the "98%" of cases... I could be wrong, just not likely. But, as stated above, it is *irrelevant* to the rest of the answer. –  Mar 01 '12 at 05:22
  • You just spotted the main problem with this site. Well spotted. People here just *do* and never *think.* They just switch gospels they *believe* in but never bother to get the meaning. Your beloved PDO out of the box does the same mysql_escape_string you despise (and was even unable to do the `_real_` one up to 5.3.3) – Your Common Sense Mar 01 '12 at 05:32
  • @Col.Shrapnel Some of the issue(s) that I find are that it introduces/maintains a non-ideal style: # makes it harder to ensure all data is sanitized (more prone to "forgetting") # allows sanitized data to be used in contexts where it makes no sense (e.g. auto-addslashes) # generally results in "less tidy" code to build SQL strings (often just plain concatenation) # puts the burden of quoting on the developer (*so SQL injection possible even with it*) # and, finally, there is nothing pretty about a 24 letter identifier that must be used explicitly for *each* input. Programming is abstracting. –  Mar 01 '12 at 11:22
  • Well, let's sort things out. 1. I am with you on using parameterized queries. It's indeed a great thing for reducing your code and making it safe at the same time. 2. Yet I couldn't agree that mres is evil *per se*. My parameterized query builder uses it all right. So, if you didn't mean to get rid of mres completely but just to remove it from that place in the code - I have no objections. Just one little note: in real life you cannot avoid manual building completely. Even though my lib has an identifier placeholder, for keywords like DESC manual building is still the only way. – Your Common Sense Mar 01 '12 at 11:53
  • it turned out that I was sort of blinded and misread your point. I am sorry for that. – Your Common Sense Mar 01 '12 at 11:56
  • @Col.Shrapnel I generate a number of SQL queries dynamically (which is actually quite fun at times). I also only use placeholders for data (and the user has no control over the *set* of identifiers/non-data used). Granted this is with ADO.NET, but it's all just a matter of keeping a map from placeholder name to value. –  Mar 01 '12 at 11:57
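
The hidden-field approach from this answer, as an added example that is not part of the original post or its comments: the value is re-validated on every request, escaped with htmlspecialchars() only when written into the form, and bound as a query parameter only when it reaches SQL. The field name `s`, the `items` table and the in-memory SQLite database are assumptions chosen so the script runs stand-alone.

```php
<?php
// Added example, not from the original post. Assumptions: field name "s",
// table "items", in-memory SQLite through PDO (pdo_sqlite extension).
const PER_PAGE = 2;

// Validate the raw value on every request; no SQL or HTML escaping here.
function read_search(array $request): string
{
    $s = $request['s'] ?? '';
    // Reject array input (s[]=...) and over-long values instead of guessing.
    return (is_string($s) && strlen($s) <= 200) ? trim($s) : '';
}

// SQL context: bind the term; escape LIKE wildcards the user typed.
function find_items(PDO $db, string $search, int $page): array
{
    $stmt = $db->prepare(
        "SELECT name FROM items WHERE name LIKE :q ESCAPE '\\' "
        . "ORDER BY name LIMIT :n OFFSET :o"
    );
    $stmt->bindValue(':q', '%' . addcslashes($search, '\\%_') . '%');
    $stmt->bindValue(':n', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':o', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// HTML context: escape only when writing the value into the attribute.
function next_page_form(string $search, int $page): string
{
    return '<form method="post">'
        . '<input type="hidden" name="s" value="'
        . htmlspecialchars($search, ENT_QUOTES, 'UTF-8') . '">'
        . '<input type="hidden" name="page" value="' . ($page + 1) . '">'
        . '<button>Next</button></form>';
}

// Constructed data and a constructed request so the script runs from the CLI.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (name TEXT)");
$db->exec("INSERT INTO items VALUES ('O''Brien stout'), ('Brie'), ('100% rye')");
$request = ['s' => " O'Bri ", 'page' => '1'];   // stands in for $_POST
$search = read_search($request);
$page = max(1, (int) ($request['page'] ?? 1));
foreach (find_items($db, $search, $page) as $name) {
    echo '<li>', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "</li>\n";
}
echo next_page_form($search, $page), "\n";
```

Because the stored value stays unescaped between requests, each output context applies exactly one escaping step and nothing is escaped twice.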
1

Assuming it is a search string, there is only one sane method:

First, change the form's method to GET. Next, just pass your search variable in the query string using the GET method.

The only modification you have to apply is urlencode().

So, the code should be

$query_string = 'search='.urlencode($_GET['search']);
echo "<a href='?page=2&$query_string'>page 2</a>";

producing an HTML code

<a href="?page=2&search=search+string">page 2</a>

so a user can click this link and you will have your search string back

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
0

Use session_start() in each of the pages you want to access the search variable

in the first page

$search = $_POST['s'];
$search = strtoupper($search); 
$search = strip_tags($search); 
$search = trim($search); 
$search = mysql_real_escape_string($search);

set a session variable as

$_SESSION['searchStr'] = $search;

then in every other page

session_start(); // at the very beginning

if (isset($_SESSION['searchStr'])) {
    $search = $_SESSION['searchStr'];
}
Naveen Kumar
  • 4,543
  • 1
  • 18
  • 36