Gerald Ferreira

Reputation: 1337

PHP Request Form - I am not sure how to use it

I am hoping that there is someone who can help me with this question. I am an ASP programmer and not sure how this works in PHP.

echo '</textarea>
      <input type="hidden" name="g_word" id="g_word" value="$_POST[g_word]" />
      <input type="hidden" name="article_no" id="article_no" value="$_POST[article_no]" />
      </form>';

How do I use the $_POST[article_no] in the example above? In ASP I would have used it like this: "+Request.Form("article_no")+". How would I do it in PHP?

Thanks

Upvotes: 1

Views: 989

Answers (5)

Frank Farmer

Reputation: 39366

Variables aren't interpreted inside of single quotes. However, they are inside double quoted strings, or heredoc. Personally, I'd switch out of PHP mode entirely, like so:

 <?php
 //...
 ?>
 </textarea><input type="hidden"
 name="g_word" id="g_word"
 value="<?php echo htmlentities($_POST['g_word']); ?>" /> <input
 type="hidden" name="article_no"
 id="article_no"
 value="<?php echo htmlentities($_POST['article_no']); ?>" /></form>
 <?php
 //...

This is even more readable if you do some formatting and use short tags -- although, it requires a non-default configuration option, and there are other disadvantages, primarily if you have XML docs parsed by the PHP interpreter, or your app is going to be installed on servers you don't control.

That'd look like this:

 <form>
   <textarea>
     <?
     //...
     ?>
   </textarea>
   <input type="hidden" name="g_word" id="g_word" value="<?= htmlentities($_POST['g_word']); ?>" /> 
   <input type="hidden" name="article_no" id="article_no" value="<?= htmlentities($_POST['article_no']); ?>"/>
 </form>
 <?
 //...

Upvotes: 1

Brock Batsell

Reputation: 5803

I think I've understood your question; feel free to let me know if not.

In PHP (and many other languages), the number of quotes around a string determines how the string is parsed. If single quotes are used, then nothing in the string is parsed (except for another single quote — it will need to be escaped with a backslash if you intend it to be a part of the string rather than the closequote). If double-quotes are used, more things are parsed, but you accordingly have to do more escaping.

There are a variety of ways of dealing with inserting variables in strings.

Using double quotes:

echo "</textarea><input type=\"hidden\"
name=\"g_word\" id=\"g_word\"
value=\"{$_POST['g_word']}\" /> <input
type=\"hidden\" name=\"article_no\"
id=\"article_no\"
value=\"{$_POST['article_no']}\" /></form>";

Using single quotes:

echo '</textarea><input type="hidden"
name="g_word" id="g_word"
value="' . $_POST['g_word'] . '" /> <input
type="hidden" name="article_no"
id="article_no"
value="' . $_POST['article_no'] . '" /></form>';

Or, in my opinion the most elegant way, using (s)printf to return a formatted string:

printf('</textarea><input type="hidden"
name="g_word" id="g_word"
value="%s" /> <input
type="hidden" name="article_no"
id="article_no"
value="%d" /></form>', $_POST['g_word'], $_POST['article_no']);

Upvotes: 1

Vili

Reputation: 1679

echo '</textarea><input type="hidden"
name="g_word" id="g_word"
value="'.$_POST['g_word'].'" /> <input
type="hidden" name="article_no"
id="article_no"
value="'.$_POST['article_no'].'" /></form>';

You have to put article_no between '-s.

Upvotes: 2

roman

Reputation: 11278

If you use the solution posted above, please add some basic protection against XSS injection, for example htmlentities($_POST['article_no']).

Upvotes: 5
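The escaping suggested in the answer above, as an added example that is not part of the original thread. The helper names `attr()` and `hidden_fields()`, the sample input and the fallback value 0 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): escape a value for output
// inside a quoted HTML attribute.
function attr(string $value): string
{
    // ENT_QUOTES escapes both " and ' (before PHP 8.1 the default flags left
    // single quotes alone); ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of returning an empty string.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: build the question's two hidden inputs from a
// $_POST-like array.
function hidden_fields(array $post): string
{
    // A missing key or a non-string value (e.g. g_word[]=x) becomes ''.
    $gWord = isset($post['g_word']) && is_string($post['g_word'])
        ? $post['g_word']
        : '';

    // article_no is treated as numeric (the printf answer uses %d), so
    // validate it as an integer instead of echoing the raw string.
    $articleNo = filter_var($post['article_no'] ?? null, FILTER_VALIDATE_INT);
    if ($articleNo === false) {
        $articleNo = 0; // assumption: 0 means "no article"
    }

    return sprintf(
        '<input type="hidden" name="g_word" id="g_word" value="%s" />' . "\n" .
        '<input type="hidden" name="article_no" id="article_no" value="%d" />',
        attr($gWord),
        $articleNo
    );
}

// Constructed sample input: a double quote and markup in g_word, and a
// non-integer article_no.
$sample = ['g_word' => 'say "hi" <b>there</b>', 'article_no' => '42abc'];

echo "Plain concatenation (the quote ends the value attribute early):\n";
echo '<input type="hidden" name="g_word" value="' . $sample['g_word'] . '" />', "\n\n";

echo "Escaped and validated:\n";
echo hidden_fields($sample), "\n";
```

In the second output the quote arrives as `&quot;` and the tag as `&lt;b&gt;`, so the browser keeps the whole string inside `value`, and the invalid `42abc` is rendered as 0.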

Tyler Carter

Reputation: 61577

echo '</textarea><input type="hidden"
 name="g_word" id="g_word"
 value="'.$_POST['g_word'].'" /> <input
 type="hidden" name="article_no"
 id="article_no"
 value="'.$_POST['article_no'].'" /></form>';

Close the single quote, and use a dot to concatenate.

$value = "cool";
echo 'My String is ' . $value . '!!!!!';

In this case, the dot is the same as the plus concatenation operator.

Upvotes: 2
