PHP Sending parameter to sub procedure 2

[lupidol]

Hi everyone,
It seems I dont understand the mechanism of sending a parameter from one PHP procedure to another.
Here is the code of the main procedure test.php:

<!DOCTYPE html>
<html>
<head>
  <title>Update Records In MYSQL Database Using PHP</title>
</head>
<body>
  <!--connecting to database-->
  <?php
    $con = mysqli_connect('aa', 'bb', 'cc', 'dd');
    IF(!$con)
      DIE('Gevald' .MYSQLI_CONNECT_ERROR());
    $records = mysqli_query($con, "SELECT * FROM stations");
  ?>
  <table>
    <tr>
      <th>ID</th>
      <th>Name</th>
      <th>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
      </tr>
      <?php
        while($row = mysqli_fetch_array($records))
	{
	  echo "<tr><form action = 'test.php' method = 'post'>";
	  echo "<td><input type = 'text' name = 'mkt_id' value = '".$row['id']."'></td>";
	  echo "<td><input type = 'text' name = 'mkt_name' value = '".$row['name']."'></td>";
	  echo "<td><a href='test1.php?edit_mkt=".$row['id']."'>edit</a></td>";
	  echo "</form></tr>";
	}
      ?>
    </table>
</body>		
</html>

When I run the main "test.php", I receive an error message from test1.php that says:
Can anyone explain me why do I get that error and how to pass the parameter from test.php to test1.php?
Thanks

 

[Olaf Doschke]

First of all passing parameters is something you can do when you make a call from some PHP code to a PHP function or method of a class.

What you're doing here can not at all be called passing parameters, your test.php creates HTML sent to a browser, which requests test1.php.
This is running PHP in two separate HTTP requests, this doesn't share anything and test1.php is not called from test,php but as new HTTP GET request coming from the HTML test1.php generates. What you're using is URL parameters of that HTTP GET request.

And there is your error and the answer to your question: Simply look close at the link address you're generating: You make a request passing in a variable edit_[highlight #FCE94F]mkt[/highlight] and your error message says your test1.php code uses a variable name edit_[highlight #FCE94F]task[/highlight].

And that's not all, you don't automatically have PHP variables named the way you name them in your URL parameters. That once was a norm, but would enable anyone injecting any variables into your code, not good for safety. Therefore you find the passed on value in $_GET["edit_mkt"].

Bye, Olaf.

Olaf Doschke Software Engineering

https://www.doschke.name

 

[vacunita]

I agree with Olaf.

However, I will add that if the error is showing up as being in test1.php, why don't you show us that code? Line 17 specifically as estated.

Olaf is very likely correct. You are passing edit_mkt, but expecting edit_task instead.



----------------------------------
Phil AKA Vacunita
----------------------------------
OS-ception: Running Linux on a Virtual Machine in Windows which itself is running in a Virtual Machine on Mac OSx.

Web & Tech

 

[lupidol]

I'm becoming sloppy when it comes to not understanding why things do not work :-(
Here again is the code of "test.php" the way it should have been posted:

<!DOCTYPE html>
<html>
<head>
  <title>Update Records In MYSQL Database Using PHP</title>
</head>
<body>
  <!--connecting to database-->
  <?php
    $con = mysqli_connect('a', 'b', 'c', 'd');
    IF(!$con)
      DIE('Gevald' .MYSQLI_CONNECT_ERROR());
        $records = mysqli_query($con, "SELECT * FROM stations");
  ?>
  <table>
    <tr>
      <th>ID</th>
      <th>Name</th>
      <th>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
    </tr>
		
    <?php
    while($row = mysqli_fetch_array($records))
    {
      echo "<tr><form action = 'test.php' method = 'post'>";
      echo "<td><input type = 'text' name = 'mkt_id' value = '".$row['id']."'></td>";
      echo "<td><input type = 'text' name = 'mkt_name' value = '".$row['name']."'></td>";
      echo "<td><a href='test1.php?edit_task=".$row['id']."'>edit</a></td>";
      echo "</form></tr>";
    }
    ?>
  </table>
</body>		
</html>

Here is the forgotten "test1.php"

<?php
  echo $edit_task;
?>

Here again is the error message:

Notice: Undefined variable: edit_task in C:\xampp\htdocs\update\test1.php on line 17

"test1.php" contains 1 row. And line 17 as the error message says only adds to my perplexity.
I'll read again your posts and see if I can continue with my php.
Thanks a lot !

 

[lupidol]

I changed to:

echo $_GET["edit_task"];

A mentioned above and it worked !
Thanks a lot !

 

[vacunita]

The reason it did not work, and is extremely important you understand is that PHP stopped automatically instantiating variables from the GET values sent to it.

This for security purposes as otherwise, calling any script can overwrite any data with whatever the passed value has potentially causing issues.

Yes, if you are sending values through the URL query string, you need to manually access the $_GET superglobal that contains these variables.

Its also highly recommended to always verify the existence of a variable you are trying to use before actually using it.

if(isset($_GET['edit_task'])
{
//...do stuff with value
}
else
{
[indent]echo "Variable is not set, cannot do things with it.";[/indent]
}

----------------------------------
Phil AKA Vacunita
----------------------------------
OS-ception: Running Linux on a Virtual Machine in Windows which itself is running in a Virtual Machine on Mac OSx.

Web & Tech

 

[Olaf Doschke]

By the way, it's somewhat clear what your intention is, an edit form for your data. But the "edit" link within the HTML form targeting another script than the form action is not very usual and intuitive. Even if you want to split form generation and processing of the form data in separate scripts, you simply do so by setting the form action to test1.php, and since the form action is POST you get the form inputs in $_POST variables instead of $_GET. So you already build a form able to edit the mkt_name field. The HTML form action already could be saving the edits the HTML form allows a user to do.

The user shouldn't be able to edit mkt_id, as that seems to be the records' primary key, but that aside you already established an editing form and if you keep the action at test.php, that script would first test, whether $_POST elements are set and there is something to save.

It's a classic scripting way of doing things, one PHP script that first is requested without $_POST variables and only is creating an HTML form (in this case for a specific existing record, given an id, in other cases you could also create an empty form to enter a new record). In round 2 after form submit the edited data coming back is saved and for example checking whether the id does exist you could switch between update o existing and insert of a new record. Just like a user shouldn't be able to edit an id, he should also not enter it, though. Creating Ids is the job of a database. I can assure the id values are unique.

There are several things to think about. Once such a form is available anyone can save the HTML and edit the HTML file, set any id value, load that HTML and post any other id and name combination than the one your script put into the form, for example. Even if you'd use a hidden input for the mkt_id.

It's clear you're making first steps and still learn, so don't worry about such risks for now, but keep in mind every request to PHP scripts at fist does not tell you who is posting back and whether that's having valid data or even the id is what you sent.

Bye, Olaf.

Olaf Doschke Software Engineering

https://www.doschke.name

 

[lupidol]

Thank you so much Olaf Doschke,
undoubtedly what is my intention is more clear to you the to myself since I'm still searching for how to do it right.
I'll read again both your posts and maybe I'll end up by understanding how to do it