I have a search form on a webpage from which I will create a dynamic page from the content inputted. I have got it to work, but there is another one of these forms and there is also selectable data. I want it to only show the hidden field lines when sku, sku2 or txtKeyword2 is set. Please find below what I have tried so far.
<form name="frmSearch" method="get" action="<?=$_SERVER['SCRIPT_NAME']?>">
<table width="100%">
<tr>
<th><h3>Search </h3>
<div class="alert-box">Insert Text for alert box</div>
<input name="txtKeyword" type="text" id="txtKeyword" value="<?=$_GET["txtKeyword"];?>" size="40">
<?php if(isset($_GET['sku'])) echo '<input type="hidden" name="sku" value="'.$_GET['sku'].'">'?>
<?php if(isset($_GET['sku2'])) echo '<input type="hidden" name="sku2" value="'.$_GET['sku2'].'">'?>
<?php if(isset($_GET['txtKeyword2'])) echo '<input type="hidden" name="txtKeyword2" value="'.$_GET['txtKeyword2'].'">'?>
<input class="alert button" type="submit" value="Search"></th>
</tr>
</table>
</form>
All I want is for it not to show the input lines if they are not set. I think I am doing it right, but I am not sure as I am learning PHP.
I have also tried the following code, which did work but outputted the following URL:
index.php?txtKeyword=giro%25skyline&sku=%09%09<input+type%3D
I know this shouldn't happen, but it makes my page work; however, when I go to enter data into the other search form it adds part of the input line into the URL. Here is the code that I tried:
<form name="frmSearch" method="get" action="<?=$_SERVER['SCRIPT_NAME']?>">
<table width="100%">
<tr>
<th><h3>Search </h3>
<div class="alert-box">Insert text for the alert box</div>
<input name="txtKeyword" type="text" id="txtKeyword" value="<?=$_GET["txtKeyword"];?>" size="40">
<input type="hidden" name="sku" value="<?php if(isset($_GET['sku'])) echo ''.$_GET['sku'].'">'?>
<input type="hidden" name="txtKeyword2" value="<?php if(isset($_GET['txtKeyword2'])) echo ''.$_GET['txtKeyword2'].'">'?>
<input type="hidden" name="sku2" value="<?php if(isset($_GET['sku2'])) echo ''.$_GET['sku2'].'">'?>
<input class="alert button" type="submit" value="Search"></th>
</tr>
</table>
</form>
I would really like to know what is going on and how I can fix it.
Thanks, Ryan
<?php echo isset($_GET['sku']) ? '<input type="hidden" name="sku" value="'.$_GET['sku'].'">' : ''; ?>
However, just FYI, that is not secure at all.
For a start, there are 2 likely vulnerabilities within that code:
XSS: if $_GET['sku'] is something like "><script>alert('XSS');</script> then you will get an alert box on your page, which in theory could be used for phishing, cookie stealing or creating a worm (like the Samy worm). A good way to fix/prevent this is using htmlentities, which encodes all HTML characters into their associated entities.
SQL injection: if $_GET['sku'] is something like ' UNION ALL SELECT id,username,password FROM users LIMIT 0,1-- then you could potentially have your database stolen (especially if someone decided to use a tool like sqlmap, which is an automatic SQL injection tool). A good way of fixing this is by using mysql_real_escape_string() on the argument, which escapes any disallowed characters.
So a better way would be something like this:
<?php echo isset($_GET['sku']) ? '<input type="hidden" name="sku" value="'.htmlentities(mysql_real_escape_string($_GET['sku'])).'">' : ''; ?>
Here is why your code didn't work:
You were trying to make PHP evaluate your closing HTML tag "> inside your PHP echo, which will not work, as it will not know how to parse it.
It is easier to use ternary operators over short ifs as, imho, they are easier to read/write for everyone else.
Here is my complete version:
<form name="frmSearch" method="get" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
<table width="100%">
<tr>
<th><h3>Search </h3>
<div class="alert-box">Insert text for the alert box</div>
<input name="txtKeyword" type="text" id="txtKeyword" value="<?php echo isset($_GET["txtKeyword"]) ? htmlentities(mysql_real_escape_string($_GET["txtKeyword"])) : ''; ?>" size="40">
<input type="hidden" name="sku" value="<?php echo isset($_GET['sku']) ? htmlentities(mysql_real_escape_string($_GET['sku'])) : ''; ?>">
<input type="hidden" name="txtKeyword2" value="<?php echo isset($_GET['txtKeyword2']) ? htmlentities(mysql_real_escape_string($_GET['txtKeyword2'])) : ''; ?>">
<input type="hidden" name="sku2" value="<?php echo isset($_GET['sku2']) ? htmlentities(mysql_real_escape_string($_GET['sku2'])) : ''; ?>">
<input class="alert button" type="submit" value="Search"></th>
</tr>
</table>
</form>
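As an added example (this is not code from the question or from the answer above), here is a version of the "render the hidden input only when the parameter is set" logic that encodes every value for an HTML attribute with htmlspecialchars, and keeps the database side separate by passing the raw value as a bound parameter of a PDO prepared statement. The products table, the constructed array standing in for $_GET (including the XSS payload the answer mentions) and the in-memory SQLite database are assumptions made so that the script runs offline.

```php
<?php
// Added example, not the question's or the answer's own code.
// Assumptions: a "products" table with columns sku and name; $query below is
// constructed test input standing in for $_GET.

declare(strict_types=1);

/** Encode a value for use inside a double-quoted HTML attribute. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render a hidden input only when the query parameter is present and is a
 * plain string (array input such as ?sku[]=x is rejected rather than echoed).
 */
function hiddenField(array $query, string $name): string
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return '';
    }
    return '<input type="hidden" name="' . attr($name)
         . '" value="' . attr($query[$name]) . '">' . "\n";
}

/** Look up products by SKU with a bound parameter; no string escaping involved. */
function findBySku(PDO $db, string $sku): array
{
    $stmt = $db->prepare('SELECT sku, name FROM products WHERE sku = :sku');
    $stmt->execute([':sku' => $sku]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed input standing in for $_GET ---
$query = [
    'txtKeyword' => 'giro skyline',
    'sku'        => '"><script>alert(\'XSS\');</script>',
    // 'sku2' and 'txtKeyword2' are deliberately absent: no hidden input is rendered
];

// --- in-memory SQLite so the example runs without a MySQL server ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (sku TEXT, name TEXT)');
$db->exec("INSERT INTO products VALUES ('GS-1', 'Giro Skyline')");

$form = '<form name="frmSearch" method="get" action="' . attr($_SERVER['SCRIPT_NAME'] ?? 'index.php') . '">' . "\n"
      . '<input name="txtKeyword" type="text" id="txtKeyword" value="' . attr($query['txtKeyword'] ?? '') . '" size="40">' . "\n"
      . hiddenField($query, 'sku')
      . hiddenField($query, 'sku2')
      . hiddenField($query, 'txtKeyword2')
      . '<input class="alert button" type="submit" value="Search">' . "\n"
      . '</form>';

echo $form, "\n";
// The sku value is emitted as &quot;&gt;&lt;script&gt;... so the browser shows it
// as text inside the attribute instead of running it; sku2 and txtKeyword2
// produce no markup at all.

// The same raw value goes to the database as a bound parameter: the SQL text
// never changes, so a UNION payload is just a string that matches no row.
var_dump(findBySku($db, "' UNION ALL SELECT sku,name FROM products --"));
var_dump(findBySku($db, 'GS-1'));
```

Run it with `php example.php` (it needs the pdo_sqlite extension, which ships with most PHP builds). The two concerns are kept apart on purpose: HTML attribute encoding is applied only at the point where a value is written into markup, and the database receives the untouched value through a parameter, so neither transformation corrupts the other's data.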