Re: [PHP] passing multiple variables in a url
you will have to use & to separate the variables.

ie <a href=contactus.php?email=director&subject=job enquiry>

Otherwise it will be deemed as one variable instead

CK Ong

--- CJ [EMAIL PROTECTED] wrote:
> I have a contact us php script on my site that allows users to email direct
> from the website. I want to be able to pass the to address and subject line
> to the script so I can call the web page from elsewhere on the site and have
> it automatically choose the correct email address and subject line.
>
> EG instead of using <a href=mailto:joe;bloggs.mail.com> which requires them
> to have an email client set up on the machine I want to link to
> <a href=contactus.php?email=director subject=job enquiry>
>
> The script already handles the email=director by setting a default entry in
> a drop down form but I can't get it to separate the first and second
> variables in the URL.
>
> Also is this a big security risk as I will be echoing the 2nd variable as
> the contents of a form field. Would it be possible for someone to type in
> the URL with HTML/php in it that would make a mess of everything? How can I
> protect against this? Would it be sufficient to just parse the 2nd variable
> for non alphabetic characters and remove them?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] passing multiple variables in a url
Does this not work...

<a href=contactus.php?email=director&subject=job enquiry>

On Thu, 2002-11-14 at 14:11, CJ wrote:
> I have a contact us php script on my site that allows users to email direct
> from the website. I want to be able to pass the to address and subject line
> to the script so I can call the web page from elsewhere on the site and have
> it automatically choose the correct email address and subject line.
>
> EG instead of using <a href=mailto:joe;bloggs.mail.com> which requires them
> to have an email client set up on the machine I want to link to
> <a href=contactus.php?email=director subject=job enquiry>
>
> The script already handles the email=director by setting a default entry in
> a drop down form but I can't get it to separate the first and second
> variables in the URL.
>
> Also is this a big security risk as I will be echoing the 2nd variable as
> the contents of a form field. Would it be possible for someone to type in
> the URL with HTML/php in it that would make a mess of everything? How can I
> protect against this? Would it be sufficient to just parse the 2nd variable
> for non alphabetic characters and remove them?

--
.: B i g D o g :.
Re: [PHP] passing multiple variables in a url
Change the space in job enquiry to a +

Adam

On 14 Nov 2002, BigDog wrote:
> Does this not work...
>
> <a href=contactus.php?email=director&subject=job enquiry>
>
> On Thu, 2002-11-14 at 14:11, CJ wrote:
> > I have a contact us php script on my site that allows users to email
> > direct from the website. I want to be able to pass the to address and
> > subject line to the script so I can call the web page from elsewhere on
> > the site and have it automatically choose the correct email address and
> > subject line.
> >
> > EG instead of using <a href=mailto:joe;bloggs.mail.com> which requires
> > them to have an email client set up on the machine I want to link to
> > <a href=contactus.php?email=director subject=job enquiry>
> >
> > The script already handles the email=director by setting a default entry
> > in a drop down form but I can't get it to separate the first and second
> > variables in the URL.
> >
> > Also is this a big security risk as I will be echoing the 2nd variable as
> > the contents of a form field. Would it be possible for someone to type in
> > the URL with HTML/php in it that would make a mess of everything? How can
> > I protect against this? Would it be sufficient to just parse the 2nd
> > variable for non alphabetic characters and remove them?
Re: [PHP] passing multiple variables in a url
that works fine thanks.

Now for what to do with the variables (new post scanning for non alpha characters)

Bigdog [EMAIL PROTECTED] wrote in message news:1037262239.10847.17.camel;pclnxrhunter.digitalglobe.com...
> Does this not work...
>
> <a href=contactus.php?email=director&subject=job enquiry>
>
> On Thu, 2002-11-14 at 14:11, CJ wrote:
> > I have a contact us php script on my site that allows users to email
> > direct from the website. I want to be able to pass the to address and
> > subject line to the script so I can call the web page from elsewhere on
> > the site and have it automatically choose the correct email address and
> > subject line.
> >
> > EG instead of using <a href=mailto:joe;bloggs.mail.com> which requires
> > them to have an email client set up on the machine I want to link to
> > <a href=contactus.php?email=director subject=job enquiry>
> >
> > The script already handles the email=director by setting a default entry
> > in a drop down form but I can't get it to separate the first and second
> > variables in the URL.
> >
> > Also is this a big security risk as I will be echoing the 2nd variable as
> > the contents of a form field. Would it be possible for someone to type in
> > the URL with HTML/php in it that would make a mess of everything? How can
> > I protect against this? Would it be sufficient to just parse the 2nd
> > variable for non alphabetic characters and remove them?
>
> --
> .: B i g D o g :.
Re: [PHP] passing multiple variables in a url
And...

--- CJ [EMAIL PROTECTED] wrote:
...[snip]...
> Also is this a big security risk as I will be echoing the 2nd variable as
> the contents of a form field. Would it be possible for someone to type in
> the URL with HTML/php in it that would make a mess of everything?

Well, it is possible.

> How can I protect against this?

Validate *everything* that comes in.

> Would it be sufficient to just parse the 2nd variable for non alphabetic
> characters and remove them?

A better approach would be:

1. Use method=post instead of the default method=get
2. You can try limiting the subject that a person can choose

For #2, you could create a drop-down like this:

  <select name="subject">
    <option value="1">Enquiry</option>
    <option value="2">Comments</option>
    <!-- other options here -->
  </select>

Notice that your values are numeric so you can just use is_numeric() to validate them. There's a catch though--inside your script you have to turn those numbers back into their corresponding descriptions (e.g. comments, etc.)

Of course, you can just decide to NOT use the above way. You can have the descriptions being passed directly. (i.e. <option>Enquiry</option>, etc.) This time, perhaps, you can use regex or something to validate them.

HTH,

- E
Re: [PHP] passing multiple variables in a url
And if you want your pages to be valid xhtml, make sure that you have quotes:

  <a href="...">

Also, be sure to use &amp; instead of just &.

- E

Adam Williams [EMAIL PROTECTED] wrote:
> Change the space in job enquiry to a +
>
> Adam
>
> On 14 Nov 2002, BigDog wrote:
> > Does this not work...
> >
> > <a href=contactus.php?email=director&subject=job enquiry>
>
> ...[snip]...
Re: [PHP] passing multiple variables in a url
BigDog wrote:
> Does this not work...
>
> <a href=contactus.php?email=director&subject=job enquiry>

No but this will:

<a href=contactus.php?email=director&subject=job enquiry>

For more adversity between browsers, use this:

<a href=contactus.php?email=director&subject=job%20enquiry>

--
Submit your PHP or Perl Script to the newest Script Repository on the web.
http://www.nukedweb.com/
The Webmaster's Board - http://www.nukedweb.com/board/
Re: [PHP] passing multiple variables in a url
on 15/11/02 12:11 AM, CJ ([EMAIL PROTECTED]) wrote:
> I have a contact us php script on my site that allows users to email direct
> from the website. I want to be able to pass the to address and subject line
> to the script so I can call the web page from elsewhere on the site and have
> it automatically choose the correct email address and subject line.
>
> EG instead of using <a href=mailto:joe;bloggs.mail.com> which requires them
> to have an email client set up on the machine I want to link to
> <a href=contactus.php?email=director subject=job enquiry>
>
> The script already handles the email=director by setting a default entry in
> a drop down form but I can't get it to separate the first and second
> variables in the URL.

<a href=contactus.php?email=director&subject=job_enquiry>

> Also is this a big security risk as I will be echoing the 2nd variable as
> the contents of a form field. Would it be possible for someone to type in
> the URL with HTML/php in it that would make a mess of everything? How can I
> protect against this? Would it be sufficient to just parse the 2nd variable
> for non alphabetic characters and remove them?

As I think I read replied by someone else, I'd have numeric IDs for both the staff AND the subject.

staff
1 = [EMAIL PROTECTED]
2 = [EMAIL PROTECTED]
3 = [EMAIL PROTECTED]
4 = [EMAIL PROTECTED]

subjects
1 = general enquiry
2 = technical support
3 = gambling addiction
4 = debate about red cars being faster

Then your link url is a lot cleaner

<a href=contactus.php?e=2&s=4>

contactus.php simply has to check an array, or sql table, or what ever, to find out what a subject id of 1 really is.

To ensure extra security over text stuff, you can check to make sure $e and $s are both numeric (check out is_numeric(), is_int(), etc etc).

You could also set defaults, so that if the $s or $e is excluded, or invalid, you can set a default. So these three links won't break the page:

<a href=contactus.php>
<a href=contactus.php?s=3>
<a href=contactus.php?e=2>

Good luck

Justin French
http://Indent.com.au
Web Development Graphic Design
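
The numeric-ID approach suggested in the replies above, together with escaping of anything echoed into a form field, written out as an added PHP example (it is not code from any poster in this thread). The addresses, the subject list and the function names pick_id(), h(), contact_link() and render_form() are assumptions made for illustration; it uses ctype_digit() rather than is_numeric() because is_numeric() also accepts values that are not plain IDs.

```php
<?php
// Added example, not code from the thread. Addresses, subjects and
// function names are placeholders chosen for illustration.
const STAFF    = [1 => 'director@example.com', 2 => 'support@example.com'];
const SUBJECTS = [1 => 'general enquiry', 2 => 'technical support', 3 => 'job enquiry'];

// Return $raw as a key of $allowed, or $default when missing or invalid.
function pick_id($raw, array $allowed, int $default): int
{
    // ?e[]=1 arrives as an array, so require a string first. ctype_digit()
    // accepts only 0-9; is_numeric() also accepts "1e3", "1.5" and "-1".
    if (!is_string($raw) || strlen($raw) > 4 || !ctype_digit($raw)) {
        return $default;
    }
    $id = (int) $raw;
    return array_key_exists($id, $allowed) ? $id : $default;
}

// Escape for use inside a double-quoted HTML attribute or element text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Link used elsewhere on the site; h() turns the & separator into &amp;.
function contact_link(int $e, int $s): string
{
    $query = http_build_query(['e' => $e, 's' => $s], '', '&');
    return '<a href="' . h('contactus.php?' . $query) . '">Contact us</a>';
}

// Pre-filled form. The recipient address is looked up from STAFF on the
// server when the form is posted; it never travels in the URL or the form.
function render_form(array $get): string
{
    $e = pick_id($get['e'] ?? null, STAFF, 1);
    $s = pick_id($get['s'] ?? null, SUBJECTS, 1);
    return '<form method="post" action="contactus.php">'
         . '<input type="hidden" name="e" value="' . $e . '">'
         . '<input type="text" name="subject" value="' . h(SUBJECTS[$s]) . '">'
         . '</form>';
}

echo contact_link(2, 3), "\n";
echo render_form(['e' => '2', 's' => '3']), "\n";
// Constructed hostile input: both values fall back to the defaults (id 1).
echo render_form(['e' => '9', 's' => '"><b>x</b>']), "\n";
```

If the subject is passed as free text instead of an ID, the same h() call is what keeps markup typed into the URL from breaking out of the value attribute when it is echoed.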