homepage Welcome to WebmasterWorld Guest from 54.226.252.142
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
Converting a Form $Get string to $Post
sssweb




msg:4254864
 10:31 pm on Jan 18, 2011 (gmt 0)

I'm using a Form generator program that lets me submit Form data to a script via a $_GET string added to the URL. For security and other reasons, I want to submit via $_POST method.

Is there some simple php that can convert this, or do I need to set up a loop that goes through each $_GET variable and converts it to $_POST language?

(If it's the latter, I may be able to work it out myself, but if anyone can whip it up quickly, I'd greatly appreciate it.)

 

Matthew1980




msg:4254884
 11:23 pm on Jan 18, 2011 (gmt 0)

Hi there sssweb,

Wouldn't you just need to alter the method="POST" attribute within the <form> tag - by default a form is $_GET so you need to stipulate a value within the method="" to make any changes.

I wouldn't try to write one array to another, because it wouldn't be a genuine server request for the data, and would potentially make debugging harder. <Though I could be wrong:) >

Hope I read the question right, it's late and I'm tired.

Cheers,
MRb

Shingetsu




msg:4254968
 3:50 am on Jan 19, 2011 (gmt 0)

Simple, in the code of the form, change the method
<form ... Method="POST" ...>
it should be originally get.
Then in the php receiver, find all the entries that contain
$_GET
and change those bits to
$_POST
After the post or the get usually comes ['']
just in case. Good luck.

Shingetsu




msg:4254986
 4:24 am on Jan 19, 2011 (gmt 0)

Lol yeah, I always though that
$_POST = $_GET;
Looked weird XD. And that won't solve the problem, he doesn't want it all to go into the URL.
Another option is redirecting everything to a page where...
<form ... Method="POST" ...>
<?php
While(Id <= <total amount of variables you are passing, can be in a hidden field>) :
echo '
<input type="hidden" name="define name any way u can, maybe through the loop again" value="' . $_GET . '" />';
Endwhile;
?>

sssweb




msg:4255159
 1:48 pm on Jan 19, 2011 (gmt 0)

Thanks Shingetsu, I'll play around with the loop idea, but there are some issues to work out:

1) I don't want to redirect to an interim processing script because I'd still have the problem of passing the vars to that script via $_GET. I need to do the loop on the original page; you've got the basic idea, but: value="' . $_GET . '" won't work. The loop needs to read whatever's befor & after the "=" in the $_GET string, e.g. "x=1&y=2&z=3", and output:

<input type="hidden" name="x" value="1">
<input type="hidden" name="y" value="2">
<input type="hidden" name="z" value="3">

I know I could eventually come up with the loop code for this, but it's probably so easy that a better php programmer can do it in 10 seconds, so if anyone wants to try...

2) The other (potential) issue is that the third party form generator I'm working with outputs the $_GET string by calling a function, like so:

header("Location: mydomain.com/script.php?" . formfunction::getString($formmaker->getValues()));

which looks like Greek to me. Like I said, I'll play with it, but not sure if it will be as easy as starting the loop with:

while ( formfunction::getString($formmaker->getValues()) ):

3) That doesn't include any count method for ending the loop, which is the last issue: since the variable string is dynamically generated on each form, the number of variables changes, so before the loop I need to count the variables in the $_GET string (unless there's a way to do the loop w/o relying on var count).

rocknbil




msg:4255261
 5:37 pm on Jan 19, 2011 (gmt 0)

Unless the form action is changed to post, you will always have an ugly query string as the subsequent URL. That's where you start, and it's unclear why you can't - unless its the generator you're using. Or - by the nature of the function call,

formfunction::getString

Suggest maybe there is *another* function in this class that gets the values by post and you're re-inventing the wheel (as we all do, on occasion.)

The best solution would be to find another "form maker" or grow your own. :-) But if you can't, have you tried this?

$getvariables = formfunction::getString($formmaker->getValues());

Then you do some old school parsing like we do in Perl. :-) Looking at your line there, I can assume that's just outputting key=value&pairs=as&a=string so


$getvariables = formfunction::getString($formmaker->getValues());
//
$hiddens = null; // squelch concatenation errors and make error trap easy
$pairs = explode('&',$getvariables);
foreach ($pairs as $pair) {
list($key,$value) = explode('=',$pair);
// Use double quotes and escape output quotes so vars interpolate,
// single quoting 'attributes' is so "duct tape"
$hiddens .= "<input type=\"hidden\" name=\"$key\" value=\"$value\">\n";
}
if ($hiddens) {
echo "
<form method=\"post\" id=\"myform\" action=\"yourscript.php\">
$hiddens
<p>If your browser doesn't redirect you, please use this button to
<input type=\"submit\" value=\"Continue&gt;&gt;\"></p>
</form>
";
}
else { echo "<p>Whoops I tried, didn't work.</p>"; }


Note the bolded ID added to the form; then add to the head (or foot, I guess) of this document for auto-submit if JS is enabled:

<script type="text/javascript">
window.onload=function() {
if (document.getElementById('myform')) {
document.getElementById('myform').submit();
}
};
</script>

This will require some nursing if your key/value pairs contain either & or = as actual content, or an HTML compliant string is output by this form maker (& should always be output as &amp; ), but there are functions to manage that.

WesleyC




msg:4255269
 5:55 pm on Jan 19, 2011 (gmt 0)

As Matthew said, your best bet is to change the <form method="get"> to <form method="post"> in the form. Any reasonable third party form generator will give you some way of doing this.

If you do wish to continue with Shingetsu's second design (with the interim page), you might try something like the following:


<form method="post" id="continueform" action="http://www.example.com/process.php">
<?php

foreach ( $_GET as $name => $value )
{
echo "<input type=\"hidden\ name=\"$name\" value=\"$value\" />";
}

?>
<p>If you are not redirected within 3 seconds, please use this button to continue.</p>
<input type="submit" value="Continue" />
</form>
<script type="text/javascript">
document.getElementById( 'continueform' ).submit();
</script>


I haven't tested it, but I did something like this for a client where no other method would work (long story). Submit your form to a page with this code, and it should convert the GET to POST and resubmit the form, providing a button for users with Javascript disabled. End result: most people will see a white screen with a bit of text on it for about half a second (which will have all the variables in the URL), then will be redirected to the actual processor, with no variables in the URL. It will do this regardless of the number of variables.

The third-party form generator you're using is an object-oriented library. There are many other functions available to it (presumably), but I can't easily tell how to use it without seeing its source code or an API.

Finally, converting to POST doesn't offer any additional security whatsoever. Average Joe may not be able to see and tweak the URL variables, but anyone with a modicum of technical knowledge will be able to change the submitted values easily through a variety of methods (look up TamperData, a FireFox plugin for just one example). You'll still want to sanitize all of your input carefully.

Edit: Post ninja'd while I was in a meeting... That'll teach me to leave a post open without refreshing when I return!

sssweb




msg:4255316
 7:06 pm on Jan 19, 2011 (gmt 0)

Thanks, guys. Yes, I know it all starts with changing the <form> method, and I'll do that; the tricky part is converting the $_GET string to a $_POST string so the vars are read correctly. Rocknbil, your loop looks pretty good; I think that will work. Let me play around with it awhile; I'll re-post if I have problems.

Wesley, thanks for the security tip; yes, I'll validate all vars.

Mikett




msg:4258186
 2:58 am on Jan 26, 2011 (gmt 0)

If you are trying to submit data from a form and you want it to be sent as a $_POST method, but their is a $_GET variable that HAS to be in the url, just add it to the action attribute of the form element.

<form action="mypage.php?example=this+is+an+example" method="POST"></form>

Or to post it using the POST method:

<form action="mypage.php" method="POST">
<input type="text" name="variable_name" value="variable_value" style="display:none;">
</form>

trillianjedi




msg:4258394
 3:40 pm on Jan 26, 2011 (gmt 0)

I had a not-too-dissimilar thing recently - not sure if this helps you or not, but parts of it might:-

[webmasterworld.com...]

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved