Posted by Michael Fesser on 06/02/07 17:25

..oO(joboils@hotmail.com)

>I am trying various versions of this piece of code -
>
>print("<input type=\"hidden\" name=\"table\" value='$TableName'>");
>
>(the $TableName is a variable, depending on which file it is in) and
>want to use it following a link -
>
><a href=\"envelope_print.php?id=$Row[id]\">$Row[id]</a>
>
>so that the receiving file can use it like -
>
>$TableName=$_REQUEST['table'];
>$Query="SELECT * from $TableName where id='$id' ";
>
>but none of them work.

You would have to append the table name to the link, then you can access
it with $_GET['table'] in the receiving script. A hidden input element
would require a form with a submit button, not a link.

I also hope that the above code is just an example and will _never_ be
used on a real site in that way. Using a variable from the outside
without any kind of validation in a query is a huge security hole (SQL
injection is the keyword).

>I expect I'm doing something really stupid but I can't think what.
>I have session_start(); at the beginning of each file and
>register_globals() is On.

Should be off.

Micha

[Back to original message]