在PHP页面中传递变量

Question

I have read a value from a form as input form the user. the form is POST.

<form action="form_handler.php" method="POST">

Then, in the form_handler.php page I saved this value in a variable. $productID=$_POST['product']; Then, I want to pass this variable via link to another page as:

 echo "<a href='products.php?prodID=".$productID."' title='Products 
 Page' class='whatEver'>click here for product details</a>";

When I click the link, I see the value in the link. But, inside the page products.php I want to make MySQL query for the product details as:

$sql = "SELECT * FROM products WHERE prodID = '$productID'"; 

I get 0 results. I also tried to echo the $productID value and it seems empty and not the value that I saw in the URL.

What is my mistake please? How can I make the database query to fetch the product details based on the productID variable I passed in the link?

NOTE: I am trying to make a demo for MySQL injection vulnerability. Please, ignore security issues here.

Answer 1

When you sent variables in a link followed by ?var=value

You need to get it with something like

$variable = $_GET['var'];

In your case your products.php should have $prodid = $_GET['prodID'];

Answer 2

echo "<a href='products.php?prodID=".$productID."' title='Products 
Page' class='whatEver'>click here for product details</a>";

Looks to me like you are passing it into products.php as prodID . Could you try using:

$sql = "SELECT * FROM products WHERE prodID = '$prodID'";

Instead?

Answer 3

Just like before when you used $productID=$_POST['product']; , you need to do the same thing to use a variable in products.php, except instead of a post variable, it's a get variable (because it's in the url). Use $productID=$_GET["productID"]

Answer 4

You can not get like that the productID .. You have to put `$productID = $_GET['prodID']; ' the you can use that variable with sql query .