
PHP Server Side Scripting Forum

    
How To Use $_GET Variables
st_7




msg:4691932
 6:16 am on Jul 31, 2014 (gmt 0)

Hi,

This may be a very noobish question, but I don't know how to do it. I've sent a few variables from one page to another page through http_build_query(). And I can retrieve the values of all those variables just by $_GET (I just echoed $_GET['fn'] and the value is being echoed). I've some 5 variables like that & can retrieve all of them. Thus far so good. But I can't use them to reflect in a form in the same page (the second page, in which I'm able to retrieve the values of those variables). Here is the sample code of a form in the second page:
<td><b>Mandatory Parameters</b></td>
</tr>
<tr>
<td>Amount: </td>
<td><input name="amount" value="<?php echo (empty($posted['amount'])) ? '' : $posted['amount'] ?>" /></td>
<td>First Name: </td>
<td><input name="firstname" id="firstname" value="<?php echo (empty($posted['firstname'])) ? '' : $posted['firstname']; ?>" /></td>
</tr>
<tr>
<td>Email: </td>
<td><input name="email" id="email" value="<?php echo (empty($posted['email'])) ? '' : $posted['email']; ?>" /></td>
<td>Phone: </td>
<td><input name="phone" value="<?php echo (empty($posted['phone'])) ? '' : $posted['phone']; ?>" /></td>
</tr>


As you can see there are $posted['amount'], $posted['firstname'] & $posted['email'] in the form, now what I want to do is use the values of $_GET for 'amount', 'firstname' & 'email'. In other words:

'amount' = $_GET['xx']
'firstname' = $_GET['xxx']
'email' = $_GET['xxxx']

I can't (or shouldn't) change the code in the form (otherwise it would've been easy to just echo those $_GET values), so somehow I need to use the $_GET values for 'amount', 'firstname' & 'email' without changing any code in the form or the rest of the page.

Is this possible? I hope I've made myself clear in what I'm asking.

 

penders




msg:4692019
 12:07 pm on Jul 31, 2014 (gmt 0)

Maybe I've missed something, but what's stopping you from simply assigning these $_GET values to your $posted array?

For example:
$posted['amount'] = isset($_GET['amount']) ? $_GET['amount'] : null;

Also, these values must be sanitized before being output to the page in your form (to avoid your page breaking and potential XSS attacks). At the very least you should call htmlentities() on these values before they are output, otherwise your page could easily break if the user submitted special chars like ",',> and <.

Also, I would at least initialise all your form variables first, so you don't need to check every time whether the variable is empty or not and is generally easier to manage...

$posted = array ( 
'amount' => null,
'firstname' => null,
'email' => null,
'phone' => null,
);
// Get submitted values from GET array
foreach ($posted as $name => &$value) {
$value = isset($_GET[$name]) ? htmlentities($_GET[$name]) : null;
}
unset($value); // Unset reference in foreach() loop above


<td><input name="amount" value="<?=$posted['amount']?>"></td>


(Only HTML encode the value that is output in the HTML page. If you are doing anything non-HTML with this value (DB lookups etc.) then it obviously shouldn't be encoded until you are ready.)

st_7




msg:4692076
 4:54 pm on Jul 31, 2014 (gmt 0)

First of all, let me give more information: this is a payment gateway integration page that sits on my server or local website (the code is given by the Payment Gateway personnel). I have to pass some variables (name, email, etc.) or their values to this integration page (which I'm able to do successfully up to this part). The integration page has code to generate a unique transaction id (see the code pasted below). It also has the necessary code to calculate a hash string depending on the variable values that are passed to it (see the code below). As soon as all the necessary details are filled in, it automatically generates a hash string along with a unique transaction id & the form or page gets automatically processed (no need to click the 'submit' button), and redirects to a secure payment gateway page.

Now the problem is with your method. I did try that method before posting here for help, although I must say my way of doing it was not as professional as the one you laid out (thanks for putting that). There are three issues with this method:
First: there is already similar code in the page, see below (note: as I said earlier, this page containing all the code is given by the PG personnel). Please see the full code at the end of this page to understand why they put that code there.

$posted = array();
if(!empty($_POST)) {
//print_r($_POST);
foreach($_POST as $key => $value) {
$posted[$key] = $value;
}
}


So, when I tried to use the method (which is also laid out by you) to populate the fields of the form with 'GET' values, it didn't work (I think those two code snippets are clashing as they are the same, trying to declare the same thing).
Second: If I comment out or remove the above code from the original page, then I can populate the form fields with all the relevant values. Or even simpler, if I just replace $_POST with $_GET in the above pasted part of the code, I'm able to populate the form fields with the relevant values. But here comes the issue: using either of those methods, the hash is not getting generated (the hash depends on the values of 'name', 'email', etc.). I don't know what's breaking the hash-calculating code if we populate the values of the fields with GET values using a method similar to the one you laid out.

Anyway, here is the full code of the PG integration page. I've also included the file at Pastebin.com for better viewability.

<?php
// Merchant key here as provided by Payu
$MERCHANT_KEY = "XXXX";

// Merchant Salt as provided by Payu
$SALT = "XXXX";

// End point - change to https://secure.payu.in for LIVE mode
$PAYU_BASE_URL = "https://test.payu.in";

$action = '';

$posted = array();
if(!empty($_POST)) {
//print_r($_POST);
foreach($_POST as $key => $value) {
$posted[$key] = $value;

}

}

$formError = 0;

if(empty($posted['txnid'])) {
// Generate random transaction id
$txnid = substr(hash('sha256', mt_rand() . microtime()), 0, 20);
} else {
$txnid = $posted['txnid'];
}
$hash = '';
// Hash Sequence
$hashSequence = "key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5|udf6|udf7|udf8|udf9|udf10";
if(empty($posted['hash']) && sizeof($posted) > 0) {
if(
empty($posted['key'])
|| empty($posted['txnid'])
|| empty($posted['amount'])
|| empty($posted['firstname'])
|| empty($posted['email'])
|| empty($posted['phone'])
|| empty($posted['productinfo'])
|| empty($posted['surl'])
|| empty($posted['furl'])
|| empty($posted['service_provider'])
) {
$formError = 1;
} else {
//$posted['productinfo'] = json_encode(json_decode('[{"name":"tutionfee","description":"","value":"500","isRequired":"false"},{"name":"developmentfee","description":"monthly tution fee","value":"1500","isRequired":"false"}]'));
$hashVarsSeq = explode('|', $hashSequence);
$hash_string = '';
foreach($hashVarsSeq as $hash_var) {
$hash_string .= isset($posted[$hash_var]) ? $posted[$hash_var] : '';
$hash_string .= '|';
}

$hash_string .= $SALT;


$hash = strtolower(hash('sha512', $hash_string));
$action = $PAYU_BASE_URL . '/_payment';
}
} elseif(!empty($posted['hash'])) {
$hash = $posted['hash'];
$action = $PAYU_BASE_URL . '/_payment';
}
?>
<html>
<head>
<script>
var hash = '<?php echo $hash ?>';
function submitPayuForm() {
if(hash == '') {
return;
}
var payuForm = document.forms.payuForm;
payuForm.submit();
}
</script>
</head>
<body onload="submitPayuForm()">
<h2>PayU Form</h2>
<br/>
<?php if($formError) { ?>
<span style="color:red">Please fill all mandatory fields.</span>
<br/>
<br/>
<?php } ?>
<form action="<?php echo $action; ?>" method="post" name="payuForm">
<input type="hidden" name="key" value="<?php echo $MERCHANT_KEY ?>" />
<input type="hidden" name="hash" value="<?php echo $hash ?>"/>
<input type="hidden" name="txnid" value="<?php echo $txnid ?>" />
<table>
<tr>
<td><b>Mandatory Parameters</b></td>
</tr>
<tr>
<td>Amount: </td>
<td><input name="amount" value="<?php echo (empty($posted['amount'])) ? '' : $posted['amount'] ?>" /></td>
<td>First Name: </td>
<td><input name="firstname" id="firstname" value="<?php echo (empty($posted['firstname'])) ? '' : $posted['firstname']; ?>" /></td>
</tr>
<tr>
<td>Email: </td>
<td><input name="email" id="email" value="<?php echo (empty($posted['email'])) ? '' : $posted['email']; ?>" /></td>
<td>Phone: </td>
<td><input name="phone" value="<?php echo (empty($posted['phone'])) ? '' : $posted['phone']; ?>" /></td>
</tr>
<tr>
<td>Product Info: </td>
<td colspan="3"><textarea name="productinfo"><?php echo (empty($posted['productinfo'])) ? '' : $posted['productinfo'] ?></textarea></td>
</tr>
<tr>
<td>Success URI: </td>
<td colspan="3"><input name="surl" value="<?php echo (empty($posted['surl'])) ? '' : $posted['surl'] ?>" size="64" /></td>
</tr>
<tr>
<td>Failure URI: </td>
<td colspan="3"><input name="furl" value="<?php echo (empty($posted['furl'])) ? '' : $posted['furl'] ?>" size="64" /></td>
</tr>

<tr>
<td>Service Provider: </td>
<td colspan="3"><input name="service_provider" value="<?php echo (empty($posted['service_provider'])) ? '' : $posted['service_provider'] ?>" size="64" /></td>
</tr>
<tr>
<?php if(!$hash) { ?>
<td colspan="4"><input type="submit" value="Submit" /></td>
<?php } ?>
</tr>
</table>
</form>
</body>
</html>


penders




msg:4692113
 7:31 pm on Jul 31, 2014 (gmt 0)

Ok, assuming your GET params (however you are sending these to the script) need to be merged with and overwrite the POST'd form data, then your code must come after the code that initially populates the $posted array. Unfortunately this does mean inserting some code into the provided script - I can't see any way around that unfortunately.

$posted = array();  
if(!empty($_POST)) {
//print_r($_POST);
foreach($_POST as $key => $value) {
$posted[$key] = $value;

}
}
// Overwrite with values passed in GET params...
$getParams = array('amount','firstname','email');
foreach ($getParams as $key) {
if (isset($_GET[$key])) {
$posted[$key] = $_GET[$key];
}
}


Although to be honest, this does beg the question why? The form appears to be expecting these values in the POST'd data. If these values can be set during form submission (which I assume is the goal) then you wouldn't need to do this?

penders




msg:4692150
 10:28 pm on Jul 31, 2014 (gmt 0)

Although to be honest, this does beg the question why?


Sorry, I guess you are trying to initialise these values in the form?

Just a thought... depending on how you are calling this script, you could assign these values directly to the $_POST array at the very start of the script (avoid $_GET altogether) then you wouldn't need to modify the above script. Although you might need to change how you call it?

st_7




msg:4692164
 12:22 am on Aug 1, 2014 (gmt 0)

I guess you are trying to initialise these values in the form?

I guess the same (please note that the full page code that I pasted in my previous reply was not mine; it's from the Payment Gateway company whose service I'm trying to integrate, and I'm just trying to implement the same).

If I un-comment the line "print_r($_POST);" in the following code, all the values (form fields, if they are populated) are shown at the top of the page (when I click 'submit').

$posted = array();
if(!empty($_POST)) {
//print_r($_POST);
foreach($_POST as $key => $value) {
$posted[$key] = $value;
}
}

I think it is also being used to check if all the fields are filled(am I wrong, in thinking so?)

Anyway, after doing what you suggested in your previous reply, keeping the 'GET' parameters code after the POST'd code, the hash calculation does work, albeit I have to click the submit button (the automation is still broken). But doing it this way gives some progress (if you remember, putting this GET code before the POST'd code completely breaks the hash calculation; the hash calculation doesn't work even after clicking the submit button manually). As a solution, I've used the javascript code "document.FormName.submit();" or "document.getElementById("FormName").submit();" to automate the submit button clicking, upon which the hash is calculated & redirected to the PG secure page. So, for now I got it working.

Just a thought... depending on how you are calling this script, you could assign these values directly to the $_POST array at the very start of the script (avoid $_GET altogether)


Although I got everything working, can you elaborate on your above statement further? How do I do this?

As always, thank you for your help.

penders




msg:4692228
 11:59 am on Aug 1, 2014 (gmt 0)

I think it is also being used to check if all the fields are filled(am I wrong, in thinking so?)


Actually, no. That !empty() check simply checks whether anything (literally anything) has been posted, which in this context is a bit pointless. That little block of code is equivalent to:

$posted = $_POST;

(IMO that little block of code should only copy a known subset of expected fields, similar to my example above - but it doesn't - it just copies everything.)

Can you elaborate on your above statement further?


If the provided script is called "gateway.php" then create a new page called "my-gateway.php" (this is now your "page").

"my-gateway.php" would then contain something like:
<?php 
// Assign your values directly to the $_POST array
// These will override any submitted values, unless you explicitly check for these...
// (Do you still need to use GET params?)
$getParams = array('amount','firstname','email');
foreach ($getParams as $key) {
if (isset($_GET[$key])) {
// Assign directly to the $_POST superglobal
$_POST[$key] = $_GET[$key];
}
}
// Include the original script unmodified...
include "gateway.php";
?>


The original script reads from the $_POST array, to which you have already assigned your values.

If you were linking directly to the original script then you will need to modify these links, or play with Apache mod_rewrite to rewrite the request.

----

This may be out of your control, but just to reiterate what I mentioned above...

...these values must be sanitized before being output to the page in your form (to avoid your page breaking and potential XSS attacks). At the very least you should call htmlentities() on these values before they are output, otherwise your page could easily break if the user submitted special chars like ",',> and <.


The above script does not appear to do this, which is an obvious vulnerability.
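
The two points raised in this thread (copy only a known subset of fields, and HTML-encode only at output so the raw values still feed the hash) are combined below in an added example that is not part of any post above and is not the gateway vendor's code. The helper names collect_fields() and h(), the validation rules, the placeholder key/salt and the constructed $request array standing in for $_GET are all assumptions made for illustration.

```php
<?php
// Added example: constructed request data stands in for $_GET (not from the thread).
$request = array(
    'amount'    => '1500.00',
    'firstname' => 'Pat "><b>O\'Neil</b>',   // contains the special chars ", ', > and <
    'email'     => 'pat@example.com',
    'debug'     => '1',                       // unexpected key, must be ignored
);

// Allowlist of fields the form may be pre-filled with, each with an assumed validator.
$expected = array(
    'amount'    => function ($v) { return preg_match('/^\d{1,7}(\.\d{1,2})?$/', $v) === 1; },
    'firstname' => function ($v) { return $v !== '' && strlen($v) <= 60; },
    'email'     => function ($v) { return filter_var($v, FILTER_VALIDATE_EMAIL) !== false; },
);

// Copy only known, valid fields. Values stay raw here because they feed the hash.
function collect_fields(array $source, array $expected) {
    $posted = array();
    foreach ($expected as $name => $isValid) {
        if (isset($source[$name]) && is_string($source[$name]) && $isValid($source[$name])) {
            $posted[$name] = $source[$name];
        }
    }
    return $posted;
}

// Encode at the point of output only (HTML attribute or element body).
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$posted = collect_fields($request, $expected);

// Abbreviated form of the thread's hash string; KEY, TXN1 and SALT are placeholders.
$raw     = implode('|', array('KEY', 'TXN1', $posted['amount'], $posted['firstname'], $posted['email'], 'SALT'));
$encoded = implode('|', array('KEY', 'TXN1', h($posted['amount']), h($posted['firstname']), h($posted['email']), 'SALT'));

// The attribute value is encoded, so the quote and angle brackets cannot close the tag.
echo '<input name="firstname" value="' . h($posted['firstname']) . '">' . "\n";
echo 'debug copied: ' . (isset($posted['debug']) ? 'yes' : 'no') . "\n";
// Encoding before hashing changes the hash input whenever a value has special chars.
echo 'hash unchanged by early encoding: '
    . (hash('sha512', $raw) === hash('sha512', $encoded) ? 'yes' : 'no') . "\n";
```

Run with the PHP CLI, the script shows the encoded attribute, confirms the unexpected key was dropped, and reports that hashing the encoded values gives a different result from hashing the raw ones.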
