Passing GET parameters??

[ertaboy356b]

So I am writing a small mobile site.. I had everything dynamically.. sample:

mysite.com?page=videos
mysite.com?page=home
mysite.com?page=images

everything is stored in index.html.. This site has a search function where you can search images and videos and download it from the internet.

I have this form:

<form name="1" method="get" action="index.html?page=images">
<input type="text" name="s" />
<input type="submit" value="Submit" />
</form>

so when you do a search, the page=images disappears and is replaced by ?s=searchword.. how do i pass the get parameters so it would appear as ?page=images&s=searchword????

 

[UndeadDragon]

I would use PHP and do something like this:

$page = $_GET['page'];
$searchword = $_GET['searchword'];

$link = "page=" $page + "&s=" + $searchword;

 

[Magentix]

I would use PHP and do something like this:

$page = $_GET['page'];
$searchword = $_GET['searchword'];

$link = "page=" $page + "&s=" + $searchword;

That would lead to an XSS vulnerability.

You're better off sanitizing the page variable and passing it along with a hidden field:

<?php
$page = filter_input(INPUT_GET, 'page', FILTER_SANITIZE_SPECIAL_CHARS);
?>
<form name="1" method="get" action="index.html">
<input type="hidden" name="page" value="<?php echo $page; ?>" />
<input type="text" name="s" />
<input type="submit" value="Submit" />
</form>

 

[celerisk]

> $link = "page=$page&s=$searchword";

There's an official function for this: http_build_query.
With the added benefit that it actually url-encodes the values.

$data = array('cat' => 'meow', 'dog' => 'woof', 'chicken' => 'egg');
echo http_build_query($data);


> sanitizing the page variable

Clearly. Never trust a random stranger. And, well, on the Internet, no one knows you're a dog.

 

[ertaboy356b]

hidden field works.. thanks everyone..