
Everything I read tells me this should work.

page 1 is

<?php
$state = $_GET['state'];
$brand = $_GET['brand'];

include ("my_path/state_brand_page_01.php");

?>

page 2 is

<?php
//get all dealers for this brand and state
session_start();
include ('../../lib/db.php');

//=======================Start Local Insert

  //This stops SQL Injection in POST vars
  foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
  }

  //This stops SQL Injection in GET vars
  foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
  }

//get dealer

echo $state;
echo $_GET['state']; // NOTHING SHOWING

$dquery = mysql_query("SELECT * FROM dealer WHERE state='$_GET[state]' AND brand='$_GET[brand]' ORDER BY company DESC") or die(mysql_error());


?>

I am getting nothing here, no echo of the var, no return from the database. The page works fine on its own, just not when included.

Thanks

  • If I do this include ("my_path/state_brand_page_01.php?state=$state&brand=$brand"); it works, but I didn't think I had to do that. Commented Feb 17, 2012 at 3:36
  • try print_r($_GET); In page two and tell me what happens Commented Feb 17, 2012 at 3:37
  • That's a noble attempt to stop SQL injections, but you're going to slip up one day by forgetting to escape a variable and, quite possibly, seriously injure yourself, your business, or your career. Using PDO is a lot safer. Commented Feb 17, 2012 at 3:49
  • an empty array, the url looks like.. http:.....texas/cadillac/?brand=cadillac&state=texas Commented Feb 17, 2012 at 4:03
  • Thanks tadman.. I do not have a full understanding of security yet. I will look at the doc you provided. Can you tell me how you would be able to circumvent this method? Commented Feb 17, 2012 at 4:04
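The comment above recommends PDO over blanket escaping. The lookup from the question rewritten with a prepared statement, as an added example that is not part of the original question or answers: it uses an in-memory SQLite database and a three-column `dealer` table (an assumption mirroring the columns the question's query touches) so it runs stand-alone. The point it shows is that the values never become part of the SQL text, so no escaping call is needed; `mysql_real_escape_string`, by contrast, only makes a value safe inside a quoted string literal and does nothing for column names or unquoted numbers.

```php
<?php
// Added example (not from the original question or answers): the dealer
// lookup from the question rewritten with PDO prepared statements, as the
// comments recommend. In-memory SQLite keeps it self-contained; the table
// layout is an assumption mirroring the columns the question's query uses.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL this makes PDO use real server-side prepares rather than
// client-side emulation; harmless for SQLite.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE dealer (company TEXT, state TEXT, brand TEXT)');
$seed = $pdo->prepare('INSERT INTO dealer (company, state, brand) VALUES (?, ?, ?)');
foreach ([
    ['Alamo Motors',     'texas',     'cadillac'],
    ["O'Brien Cadillac", 'texas',     'cadillac'], // constructed: value containing a quote
    ['Bayou Cars',       'louisiana', 'cadillac'],
] as $row) {
    $seed->execute($row);
}

/**
 * Look up dealers for a state and brand. $state and $brand can come straight
 * from $_GET: they are sent to the database separately from the SQL text,
 * so quotes inside them are data, never syntax.
 */
function dealersFor(PDO $pdo, string $state, string $brand): array
{
    $stmt = $pdo->prepare(
        'SELECT company, state, brand FROM dealer
          WHERE state = :state AND brand = :brand
          ORDER BY company DESC'
    );
    $stmt->execute([':state' => $state, ':brand' => $brand]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Simulate the question's query string ?brand=cadillac&state=texas.
$_GET = ['brand' => 'cadillac', 'state' => 'texas'];
print_r(dealersFor($pdo, $_GET['state'], $_GET['brand']));
// Two rows, "O'Brien Cadillac" first because of ORDER BY ... DESC; the
// embedded apostrophe needed no escaping.

// A value that carries SQL syntax is compared literally and matches nothing.
print_r(dealersFor($pdo, "texas' OR '1'='1", 'cadillac'));
// Array ( )
```

The same function works unchanged against MySQL by swapping the DSN (`mysql:host=...;dbname=...`) and keeping `ATTR_EMULATE_PREPARES` off; the `mysql_*` functions the question uses were removed in PHP 7, so PDO or MySQLi is the only path forward anyway.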

3 Answers

2

Maybe your path is interpreted as a URL (like www.foo.com/state_brand_page_01.php) and as such include() fetches it using the HTTP methods? That would cause the $_GET to get lost.

Refer to https://www.php.net/manual/en/function.include.php

Below Example #2.


1 Comment

You got it... I was using the full URL. When I use a path in the include, i.e. (../../lib/state_brand_01.php), it works!

2
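The answer above and its comment locate the problem in including by URL rather than by path. The following added example (not code from the original question or answers) makes the difference concrete: it simulates the question's query string, includes a stand-in for `state_brand_page_01.php` by file path (written to a temp directory, an assumption), and shows that both `$_GET` and the parent's local variables are visible there. It then explains, without performing one, why a URL include cannot see them, and how the values would have to travel if a separate request is really intended.

```php
<?php
// Added example (not from the original question or answers): why a
// path include sees the parent's $_GET and variables while a URL include
// would not. The request is simulated so the script runs from the CLI.

// Simulate ?brand=cadillac&state=texas from the question.
$_GET  = ['brand' => 'cadillac', 'state' => 'texas'];
$state = $_GET['state'];
$brand = $_GET['brand'];

// Write a tiny stand-in for state_brand_page_01.php into a temp directory
// so the script is self-contained. Directory and file name are assumptions.
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($dir);
$included = $dir . '/state_brand_page_01.php';
file_put_contents($included, <<<'PHP'
<?php
// Runs inside the same request and the same scope as the include line,
// so the superglobal and the parent's local variables are both visible.
return [
    'get_state' => $_GET['state'] ?? null,
    'var_state' => $state ?? null,
];
PHP
);

// 1. Include by file path: same process, same request, $_GET intact.
//    include returns whatever the included file returns.
$result = include $included;
var_dump($result); // 'get_state' => 'texas', 'var_state' => 'texas'

// 2. Include by URL (not done here): PHP would open a *new* HTTP request
//    to the web server and execute only the *output* of that request as
//    PHP. Neither the current $_GET nor local variables are sent along,
//    which is why the question's page printed nothing. Remote includes are
//    off by default and should stay off: allow_url_include lets whoever
//    controls the fetched host supply code to the server.
var_dump((bool) ini_get('allow_url_include')); // bool(false) on a default install

// 3. If a separate request is really intended, the values must be passed
//    explicitly, either in the query string (what the asker's comment did)
//    or via the session before redirecting. Even then, prefer a path include.
$url = 'http://www.example.com/state_brand_page_01.php?'
     . http_build_query(['state' => $state, 'brand' => $brand]);
echo $url, PHP_EOL; // ...state_brand_page_01.php?state=texas&brand=cadillac

unlink($included);
rmdir($dir);
```

Run it with `php include_demo.php`; the first `var_dump` is the behaviour the asker got once the include used a path. The `allow_url_include` check is the setting a defender should verify stays disabled on any host that ever had a URL-style include in its code.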

try to put it into session

$_SESSION['state'] = $_GET['state'];

$_SESSION['brand'] = $_GET['brand'];


0

Both $state and $_GET['state'] should be available if the querystring included state=whatever.

Where I've seen a problem with that is if you include by URL instead of a file path, i.e.:

include('http://www.test.com/file.php');

It won't know about your values because it's parsed before it's included. (Also considered bad practice for security reasons.)

1 Comment

I actually laughed out loud when you showed how his include path was the URL
