I want to pass some value from an HTML page to another PHP page, to do some action with this value. In my HTML code there's also a piece of PHP that contains my variable (an array).

I've tried to set the variable "var" to this value, but when I go to display "var" with `$_GET` on the other PHP page, it doesn't work.

```php
<?php
session_start();
require_once __DIR__ . '/db_con_marco.php';

// Send the visitor back to the login page if no user is logged in
if (!isset($_SESSION['userSession'])) {
    $msg = "WARNING";
    header("Location: ../index.php?errorMessage=" . $msg);
    exit;
}

$queryText = "
        SELECT *
        FROM account
        WHERE BINARY username = '" . $_SESSION['userSession'] . "' ";

$query = $dbCon->query($queryText);
$userRow = $query->fetch_array();

$uCod = $_POST['codice_dettagli'];

$uCod = $dbCon->real_escape_string($uCod);

$check_cod = $dbCon->query("SELECT codice FROM eventi WHERE codice = '$uCod'");
$count = $check_cod->num_rows;

if ($count == 0) {
    $msg = "Evento non presente nel DB";
    header("Location: account_marco.php?errorMessage=" . $msg);
    exit; // without this the rest of the page is still rendered after the redirect header
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>SAN SIRO BOOKING</title>
    <link rel="stylesheet" href="../css/style.css" type="text/css" media="screen">
</head>
<body>
    <div class="titolo_evento_selezionato">
        <?php
            // The raw POST value is concatenated straight into the SQL string here
            $queryAlpha = "
            SELECT NomeEvento, date_format(DataOra, '%d.%m.%y (%H:%i)')
            FROM eventi
            WHERE BINARY codice = '" . $_POST['codice_dettagli'] . "' ";

            $queryEvento = $dbCon->query($queryAlpha);
            $EventoSelezionato = $queryEvento->fetch_array();

            echo($EventoSelezionato[0]);
            echo
            '<h7>
                    <br>' . $EventoSelezionato[1] . '
                </h7>';
        ?>
    </div>

    <!-- The action below is the part that does not work: note the spaces around "var" -->
    <form class="seleziona_posto" method="post"
                action="./acquista_evento_action.php? var = <?= $EventoSelezionato[0]; ?>">

            <p> Seleziona sulla mappa il settore scelto e premi "Acquista" </p>

            <input class="input_settore_css" type="text" placeholder="Settore posto" name="input_settore" required>

            <input class="bottone_settore_css" type="submit" value="ACQUISTA" name="btn_settore">

    </form>
</body>
</html>
```

I need to pass the value "EventoSelezionato[0]" to the page "acquista_evento_action.php"

  • You're open to SQL injection and should address it immediately. Commented Jul 9, 2019 at 16:14
  • Where to begin... you have spaces in your action where you are trying to set a GET variable named "var". From your examples I have no idea which block of code is what URL, or how you are trying to access your argument named "var". And Trey is right, the way you are putting the POST variable "codice_dettagli" directly into your SQL query without first escaping it is leaving your page wide open to hacking. Commented Jul 9, 2019 at 16:22
  • It's only a school project, I don't have the problem of hacking. Commented Jul 9, 2019 at 16:25
  • But why do it wrong to begin with? If you learn it properly the first time, then for life you'll have secure code. Commented Jul 10, 2019 at 8:08

1 Answer


Change this:

```html
action = "./acquista_evento_action.php? var = <?= $EventoSelezionato[0]; ?>" >
```

to

```html
action = "./acquista_evento_action.php?var=<?php echo $EventoSelezionato[0]; ?>" >
```

It's probably not necessary to remove the short code but it's my preference, you do however need to remove the spaces.
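The same page flow with the two problems raised in the comments fixed, as an added example that is neither the asker's nor the answerer's code: the event code is bound as a prepared-statement parameter instead of being concatenated into the SQL, and the value placed in the form's `action` is URL-encoded and attribute-escaped so spaces or `&` in an event name cannot break the query string. It assumes `$dbCon` is a `mysqli` connection (with mysqlnd, for `get_result()`) and the `eventi` table from the question.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes $dbCon is a mysqli connection and the `eventi` table exists.

function lookupEvento(mysqli $dbCon, string $codice): ?array
{
    // A bound parameter can never close the quoted literal, so the
    // injection the comments warn about is no longer possible.
    $stmt = $dbCon->prepare(
        "SELECT NomeEvento, DATE_FORMAT(DataOra, '%d.%m.%y (%H:%i)') AS quando
         FROM eventi WHERE BINARY codice = ?"
    );
    $stmt->bind_param('s', $codice);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matches
    $stmt->close();
    return $row ?: null;
}

function actionUrl(string $base, string $var): string
{
    // urlencode() keeps spaces, '&' and '=' from breaking the query string;
    // htmlspecialchars() keeps the value from breaking out of the attribute.
    return htmlspecialchars($base . '?var=' . urlencode($var), ENT_QUOTES, 'UTF-8');
}

$codice = $_POST['codice_dettagli'] ?? '';
$evento = lookupEvento($dbCon, $codice);
if ($evento === null) {
    header('Location: account_marco.php?errorMessage=' . urlencode('Evento non presente nel DB'));
    exit; // stop here, otherwise the page keeps rendering after the redirect
}
?>
<form class="seleziona_posto" method="post"
      action="<?= actionUrl('./acquista_evento_action.php', $evento['NomeEvento']) ?>">
    <p><?= htmlspecialchars($evento['NomeEvento'], ENT_QUOTES, 'UTF-8') ?>
       <br><?= htmlspecialchars($evento['quando'], ENT_QUOTES, 'UTF-8') ?></p>
    <input type="text" name="input_settore" placeholder="Settore posto" required>
    <input type="submit" value="ACQUISTA" name="btn_settore">
</form>
<?php
// On acquista_evento_action.php the value arrives already decoded:
// $nome = $_GET['var'] ?? null;
```

Because the form itself is POSTed, the event name travels in the URL (`$_GET['var']`) while the chosen sector travels in the body (`$_POST['input_settore']`); both should be validated on the receiving page before use.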
