Carry text string to another page

Gene Pimentel
Here's what I want to do:

I have a PHP page with hundreds of product names listed. Next to each product listing is a "buy now" graphic.

When someone clicks on the "buy now" graphic, a new page opens. I want the product name to carry over to that new page so the product name can be displayed on the page.

I don't want to hard-code hundreds of different pages (one for each product). I want just one page that will display the product name that was selected from the previous page.

Preferably with PHP code.

Hope that's clear enough...

Any ideas? Thanks!
 
0
•••
Got a link to the page?
 
0
•••
Using a GET request you can append parameters to the query string. In the anchor for your buy now graphic point to the script you want to fetch the product name with like:

Code:
<a href="example.php?product=the_name_of_product">PRODUCT</a>

Then on the PHP page.

PHP:
<?php
// Fetch it.
$product = $_GET['product'];

// Display it :)
echo $product;
?>

Cheers,

Dave
 
0
•••
Thanks Dave! I'll try that and report back...


EDIT: PERFECT! That's exactly what I needed. Thanks Dave! Rep given.
0
•••
The GET URL variable method is great, but one big problem with it is security. However, if you take the proper precautions it should be fine.

On the page where you display $_GET['var'], you should do a few escaping functions. Usually doing something like this should suffice:

PHP:
$var = striptags($_GET['var']);

That USUALLY is enough, but you may want to look into addslashes/stripslashes if you don't have magic quotes turned on (use <? phpinfo(); ?> to check)
 
0
•••
nasaboy007, thanks, but I only understood half of what you said. Could you explain how this can be a security problem? Thanks.
 
0
•••
Sure.

Well basically, what you're doing with the script you use currently (echo $_GET['var'];), is that you are simply displaying ANYTHING that is in the url. Since the URL is cleartext (like people can see index.php?page=This+is+cool), it is child's play to edit the "This+is+cool" to something like "THIS+WEBSITE+SUCKS". Since your site would only display what is sent through that URL variable, the web page (when viewed with that editing) will say "THIS WEBSITE SUCKS". Of course, it will only be visible like that to the user who edited it to be like that, but that's a very innocent example of what can be done.

One type of major vulnerability is called XSS, or Cross Site Scripting. This is basically when a malicious user puts in something like:
Code:
<script src="http://www.baddomain.com/evilscript.js"></script>
Now since your page will display anything that is in the URL variable (after the equal sign), if the malicious user edits the url to be http://www.gene.com/index.php?page=<script src="http://www.baddomain.com/evilscript.js"></script>, then that HTML will be in your website's file and it will automatically run the malicious javascript (which can be very harmful). Note that this isn't the exact syntax and stuff for XSS, but it's just to get the general idea across.

To prevent such "injections", you can do something like this (to use Dave's code):
PHP:
  <?php
// Fetch it.
$product = striptags($_GET['product']);

// Display it :)
echo $product;
?>

Adding the function strip_tags will automatically take out any and all HTML tags that are in the variable, making <script> (or anything else) useless.

Hope that helps.
 
0
•••
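An added example, not code from the thread: the product page with the value checked against the known product list and HTML-encoded on output, next to strip_tags for comparison. The catalogue contents and the function names buyLink and renderProduct are hypothetical; the script tag is the one quoted in the post above.

```php
<?php
declare(strict_types=1);

// Constructed sample catalogue; on a real site this would come from the product list.
const CATALOGUE = ['Blue Widget', 'Cable <2m> & Adapter', 'Red Gadget'];

// Listing page: build the "buy now" link. urlencode() makes the name safe inside
// the query string, htmlspecialchars() makes the URL safe inside the href attribute.
function buyLink(string $name): string
{
    $url = 'example.php?product=' . urlencode($name);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Buy now</a>';
}

// Target page: accept only names that exist in the catalogue, then encode on output.
// $query stands in for $_GET so the function can be run from the command line.
function renderProduct(array $query): string
{
    $name = $query['product'] ?? '';
    if (!is_string($name) || !in_array($name, CATALOGUE, true)) {
        return 'Unknown product';
    }
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a legitimate name that contains markup characters, and the
// script tag quoted in the thread.
$samples = [
    'Cable <2m> & Adapter',
    '<script src="http://www.baddomain.com/evilscript.js"></script>',
];

foreach ($samples as $value) {
    echo 'input:            ', $value, PHP_EOL;
    // strip_tags() removes anything that looks like a tag, including part of a real name.
    echo 'strip_tags:       ', strip_tags($value), PHP_EOL;
    // htmlspecialchars() keeps every character but turns < > & " ' into entities.
    echo 'htmlspecialchars: ', htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), PHP_EOL;
    echo 'rendered page:    ', renderProduct(['product' => $value]), PHP_EOL, PHP_EOL;
}
echo buyLink('Cable <2m> & Adapter'), PHP_EOL;
```

Run it with the PHP command-line interpreter; on the real page, pass $_GET to renderProduct and echo the result.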
Yes, that helps a GREAT DEAL! So much to learn, so little time :) I really appreciate your taking the time to explain this. Going to apply it now.

Thanks! Rep added.

EDIT: Hmm, do you know why that code would produce this error message?:

Fatal error: Call to undefined function striptags() in /home/username/public_html/includes/priceform.html on line 13
0
•••
Ugh, I ALWAYS do that... change it to strip_tags. Sorry lol.
 
0
•••
Ahh. Okay, thanks! I did a quick search in the meantime, and it seems there is a difference between striptags and strip_tags, both syntaxes seem to be correct?
 
0
•••
The PHP function is strip_tags; I don't know what striptags is referring to. The function I was referring to is the predefined PHP function strip_tags.
 
0
•••