0

I am new to PHP, but I'm trying. I need your help, guys. I have the following URL in the browser address bar: www.dome.com\mypage.php?stu=12234342. I am trying to pass the URL from the main page to the select-case page called select.php. If I echo the URL, I get www.dome.com\select.php, so I have decided to echo $_SERVER['HTTP_REFERER'] instead; this gives me the correct URL. How can I echo the variable from www.dome.com\mypage.php?stu=12234342 (12234342) onto select.php? select.php contains code that needs the $var stu=12234342 in order to display the correct message.

<?php
$request_url = $_SERVER['HTTP_REFERER']; // takes the URL from the browser
echo $request_url;

$cOption = $_GET['id'];

switch ($cOption) {
    case 1:
        echo ' some text';
        break;
    case 2:
        echo ' this page.php';
        break;
    case 3:
        echo 'got it';
        break;
    default:
        echo 'Whoops, didn\'t understand that option: <i>'.$cOption.'</i>';
}

?>

1
  • You should also research XSS, as you have a vulnerability there.
    – alex
    Commented Jul 12, 2011 at 1:41

3 Answers

2

You may use parse_url() and parse_str() to grab the variable from a URL:

<?php 

//assuming www.dome.com/mypage.php?stu=12234342;
  $url=$_SERVER['HTTP_REFERER'];

//parse the url to get the query_string-part
  $parsed_url=parse_url($url);

//create variables from the query_string
  parse_str($parsed_url['query'], $unsafe_vars);

//use the variables
  echo $unsafe_vars['stu'];//outputs 12234342
?>

But note: you can't rely on the availability of HTTP_REFERER.

2
  • Is this approach unsafe? If yes, why?
    – user836910
    Commented Jul 12, 2011 at 2:10
  • Variables coming from outside of PHP are always unsafe; for example, echoing the variable will open doors for XSS.
    – Dr.Molle
    Commented Jul 12, 2011 at 7:14
1

try

echo $_GET['stu'];

on select.php

2
  • Tried it and it came back as undefined, so I echoed the URL and got select.php. If I load the page separately nothing shows; it's as if it's not seeing the URL in the browser.
    – user836910
    Commented Jul 12, 2011 at 1:51
  • What is the version of your PHP installation? If it's archaic :) then you probably have $HTTP_GET_VARS instead of $_GET.
    – Gelmir
    Commented Jul 12, 2011 at 2:43
1

That's why you need to call the select.php file like this: www.dome.com/select.php?stu=12234342

and then you can add:

echo $_GET['stu'];

By the way, you need to research about XSS, because that's a huge vulnerability.

2
  • XSS is indeed dangerous, but what has it to do with QUERY_STRING?! Isn't it related to Cookies mostly?
    – Gelmir
    Commented Jul 12, 2011 at 2:42
  • Not only for cookies; it's also related to RFI and many more vulns that may arise from a simple misuse of the $_GET and $_POST vars. Rule 1) Never trust user input. :)
    – Alfrekjv
    Commented Aug 6, 2011 at 16:28
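
The approach the answers and comments point toward, shown as an added example that is not part of any post above: carry stu in the query string of the link to select.php instead of reading the Referer, validate it, and HTML-escape anything echoed back. The function names, the 12-digit length limit and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (hypothetical select.php logic); all names are assumptions.

/** Return stu as a digit string, or null when it is missing or malformed. */
function read_student_id(array $query): ?string
{
    $raw = $query['stu'] ?? null;
    // Rejects arrays (?stu[]=1), empty strings, non-digits and over-long values.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 12) {
        return null;
    }
    return $raw;
}

/** Escape a value for HTML text or attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The question's switch, with every request value escaped before output. */
function render_option(array $query): string
{
    $stu = read_student_id($query);
    if ($stu === null) {
        return 'Missing or invalid student id.';
    }
    $option = is_string($query['id'] ?? null) ? $query['id'] : '';
    switch ($option) {
        case '1': return 'some text for ' . h($stu);
        case '2': return 'this page.php';
        case '3': return 'got it';
        default:
            return 'Whoops, didn\'t understand that option: <i>' . h($option) . '</i>';
    }
}

/** Built on mypage.php so the id travels in the link, not in HTTP_REFERER. */
function select_link(string $stu, int $option): string
{
    return 'select.php?' . http_build_query(['stu' => $stu, 'id' => $option]);
}

// Constructed sample requests standing in for $_GET on select.php.
$samples = [
    ['stu' => '12234342', 'id' => '3'],
    ['stu' => '12234342', 'id' => '<script>alert(1)</script>'],
    ['stu' => '12"><b>',  'id' => '1'],
];
foreach ($samples as $q) { echo render_option($q), PHP_EOL; }
echo '<a href="' . h(select_link('12234342', 3)) . '">select</a>', PHP_EOL;
```

The second sample comes back with its markup encoded as text, and the third is rejected before it reaches any output.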
