I have the basic HTML form echoed through PHP:

<html>
<body>
<?php 
if (isset($_GET["pk"]))
 { $pk = $_GET["pk"];}
echo '<form action="up.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /> 
<br />
<input type="submit" name="submit" value="Submit" />
</form>';
?>
</body>
</html>

I would like to pass the value of pk to up.php

Modifying action="up.php?pk=$pk" did not work.

2 Comments

  • Caution!!! DO NOT print out unformatted values (e.g. echo $_GET['pk']) to a page! It is a security hole which introduces a world of issues (XSS just to name one). If "pk" is the primary key of a database and it is a number, you can either sanitize with a regex or with the intval() function. Commented Apr 29, 2009 at 19:11
  • I won't be printing it out to a page; it will be passed to up.php where it will be inserted into a database via a parametrized query. Why is there a need to sanitize it in transit? Commented Apr 30, 2009 at 12:42

4 Answers

12

Use a hidden field:

<input type="hidden" name="pk" value="<?php echo $pk; ?>">

By the way, printing large amounts of HTML like you have there is ugly. Consider either stepping out of PHP to do so, using HEREDOC, a template engine, or a framework.

EDIT:

As noted below, you should not print GET and POST data back to the page without sanitizing it first. Assuming pk is a primary key, you should wrap $pk above with the intval function, at the very least.


2 Comments

Upvoted this, but see my note attached to the question about printing values from GET/POST data.
Sigh. Yeah, yeah, I know. I can only say it so many times in answers here until I stop caring. Edited to reflect this.
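The hidden-field approach carried through both ends of the round trip, as an added example (not this answer's code). It assumes pk is a positive integer primary key; the script names, table, column, DSN and credentials are placeholders. It also addresses the question raised in the comments: the value is echoed into the page (so it is HTML-escaped at output), and a hidden field is client-controlled, so up.php validates it again before binding it in a parameterized query.

```php
<?php
// ---- form.php ----
// Added example, not the answer's code. Assumes pk is a positive integer
// primary key; file, table and column names are placeholders.

// Validate rather than sanitize: FILTER_VALIDATE_INT returns false for
// anything that is not an integer and null when "pk" is absent entirely.
$pk = filter_input(INPUT_GET, 'pk', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($pk === null || $pk === false) {
    http_response_code(400);
    exit('Missing or invalid pk');
}
?>
<!DOCTYPE html>
<html>
<body>
<form action="up.php" method="post" enctype="multipart/form-data">
  <!-- The value is echoed into an HTML attribute, so it is HTML-escaped
       at the point of output. For a validated integer this is belt and
       braces; for any other value it is what prevents attribute injection. -->
  <input type="hidden" name="pk"
         value="<?php echo htmlspecialchars((string) $pk, ENT_QUOTES, 'UTF-8'); ?>">
  <label for="file">Filename:</label>
  <input type="file" name="file" id="file">
  <br>
  <input type="submit" name="submit" value="Submit">
</form>
</body>
</html>

<?php
// ---- up.php ----
// A hidden field is still client-controlled, so the receiving script
// validates pk again and only hands it to the database as a bound parameter.
$pk = filter_input(INPUT_POST, 'pk', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($pk === null || $pk === false) {
    http_response_code(400);
    exit('Missing or invalid pk');
}
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('No file uploaded');
}

// Placeholder DSN and credentials.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Parameterized query: pk and the file name never become part of the SQL text.
$stmt = $pdo->prepare('UPDATE uploads SET filename = :name WHERE pk = :pk');
$stmt->execute([
    ':name' => basename($_FILES['file']['name']),
    ':pk'   => $pk,
]);
```

Validation (reject anything that is not an integer) is preferred here over intval, which would silently turn "12abc" into 12; the htmlspecialchars call is kept even though an integer cannot carry markup, so the habit survives when the field later holds a string.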
3

I agree with all the comments regarding some kind of input control of the $_GET['pk'] variable. I would recommend the filter module in php, which is pretty much a default installed module I believe.

<html>
<body>
<?php
 // FILTER_SANITIZE_ENCODED URL-encodes the value; it is null when "pk" is absent
 // and false when the filter fails.
 $param = filter_input(INPUT_GET, 'pk', FILTER_SANITIZE_ENCODED);
?>
<form action="up.php<?php echo (isset($param) && $param != false) ? '?pk=' . $param : ''; ?>" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /> 
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

You can find more information about the filter module here: link text

I also agree with Paolo Bergantino, this is not the prettiest way to do it, and a template engine, heredocs or regexp could be a better way of increasing the readability and maintainability of the system.


2

You can't use a variable inside a single-quoted string:

$pk = 123;
echo 'Hello $pk'; // echoes Hello $pk
echo "Hello $pk"; // echoes Hello 123
echo 'Hello ' . $pk; // echoes Hello 123

The best way to pass it through would be as a hidden field inside the form.


0

Try something like this:

<html>
<body>
<?php 
$params = "";
if (isset($_GET["pk"]))
  { $params = "?pk=" . $_GET["pk"];}
echo '<form action="up.php' . $params . '" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /> 
<br />
<input type="submit" name="submit" value="Submit" />
</form>';
?>
</body>
</html>

Of course you should be aware that $_GET["pk"] may contain pretty much anything, so think about some kind of input sanitization.
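The query-string variant with the input control this answer asks for, as an added example (not the answer's code). It generalizes the approach to a key that is not necessarily numeric, such as a UUID-style string: an allow-list regex (an assumed format, adjust to your key) decides what is accepted, and the value is then encoded once for the URL and once more for the HTML attribute it lands in.

```php
<?php
// Added example, not the answer's code. The allow-list pattern below is an
// assumption about the key format; tighten or relax it to match your keys.
$raw = filter_input(INPUT_GET, 'pk');   // null if absent, false if not a scalar
$params = '';
if (is_string($raw) && preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) === 1) {
    // http_build_query URL-encodes the value for the query string.
    $params = '?' . http_build_query(['pk' => $raw]);
}
$action = 'up.php' . $params;
?>
<html>
<body>
<!-- htmlspecialchars escapes the action attribute, so a quote or '&' in
     $action cannot close the attribute or start a new one. -->
<form action="<?php echo htmlspecialchars($action, ENT_QUOTES, 'UTF-8'); ?>"
      method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file">
<br>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
```

The two encodings are deliberate and layered: URL-encoding is for the query string that up.php will parse, HTML-escaping is for the attribute the browser parses first. Dropping either one addresses only one of the two parsers, and up.php should still validate the received value independently.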
