I'm trying to create a form where the user can input their id (username) and it will be appended as a variable in a url that is used in my php script. This is what I have.

<?php
if(isset($_POST['submit']))
{
    $id = $_POST['id'];
    echo 'http://example.com/default.asp?action=data&id=$id';
}
?>
<form method="post" action="<? echo $_SERVER['PHP_SELF']; ?>">
   <input type="text" name="id"><br>
   <input type="submit" name="submit" value="Submit Form"><br>
</form> 

It collects the user's id properly, and if I just echo $id, it outputs the proper value, but when I try to echo the url, it just outputs $id instead of the actual value of the $id variable. What am I doing wrong?

  • Why not use GET method and add hidden fields for other parameters? Commented Apr 16, 2012 at 22:00
  • use double quotes for the echo. or using single quotes and concatenate $id to the url string. Commented Apr 16, 2012 at 22:01
  • You should really lookup cross site scripting or XSS on google, currently you have 2 avenues of attack within 10 lines of code...smell Commented Apr 16, 2012 at 22:04

3 Answers

echo "http://example.com/default.asp?action=data&id=$id";
     ^---wrong quotes                                  ^--- ditto

Single-quoted strings do not interpolate variables.



Single quotes won't interpolate the variable; either use double quotes or use string concatenation. Three options:

    echo "http://example.com/default.asp?action=data&id=".$id;

or

    echo "http://example.com/default.asp?action=data&id=$id";

or

    echo 'http://example.com/default.asp?action=data&id='.$id;

1 Comment

fixed... sorry, I was typing fast :(

This line:

echo 'http://example.com/default.asp?action=data&id=$id';

Should be

echo 'http://example.com/default.asp?action=data&id='.$id;

If you are using single quotes in PHP with a string it will print whatever is inside the string without evaluating anything (i.e. no variables are evaluated). So you can either use double quotes or append the variable like I did above.
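As an added example (not code from the question or any of the answers), the same URL built three ways: the single-quoted line from the question, the double-quoted fix, and a version that percent-encodes the value with http_build_query() and escapes the result for HTML output, which is the XSS concern raised in the comments on the question. The sample id is a constructed value, not something from the page.

```php
<?php
// Constructed sample input, standing in for $_POST['id'].
$id = 'smith&role=admin<script>';

// 1. The question's original line: single quotes do not interpolate,
//    so the four characters "$id" end up in the output verbatim.
$single = 'http://example.com/default.asp?action=data&id=$id';

// 2. Double quotes interpolate, but the raw value is pasted into the
//    query string unchanged, so the "&role=admin" part of $id becomes a
//    second, attacker-chosen parameter on the remote default.asp.
$double = "http://example.com/default.asp?action=data&id=$id";

// 3. Build the query with http_build_query(): every value is
//    percent-encoded, so all of $id stays inside the id parameter.
function buildDataUrl(string $id): string
{
    $base = 'http://example.com/default.asp';
    return $base . '?' . http_build_query(['action' => 'data', 'id' => $id]);
}

// 4. Before echoing the URL into an HTML page, escape it for that context
//    as well; URL encoding alone does not make a string safe in HTML.
function htmlLink(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $escaped . '">' . $escaped . '</a>';
}

$safeUrl = buildDataUrl($id);

echo $single, PHP_EOL;            // literal "$id", the bug in the question
echo $double, PHP_EOL;            // interpolated but unencoded
echo $safeUrl, PHP_EOL;           // interpolated and percent-encoded
echo htmlLink($safeUrl), PHP_EOL; // encoded for the URL and escaped for HTML
```

The same htmlspecialchars() treatment applies to the form's action attribute, since $_SERVER['PHP_SELF'] echoes part of the request path back into the page.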
