using type="hidden" with $_GET
Old 12-15-2007, 10:23 PM using type="hidden" with $_GET
Truly's Avatar
Ultra Talker

Posts: 322
Trades: 0
Does type="hidden" work only with $_POST and if so is there an equivalent that will work with $_GET? The way I have my website set up, I don't use any actual links between pages, I just include() everything on my main page so my links look like: index.php?pagecall=news.php.

I just put in a basic HTML form and when I submit I have the action index.php and went to set pagecall="search.php" as a hidden element in the form but it won't work. I'm assuming that's because it's not going to show up in the URL so $_GET will miss it. Short of me adding code to the index.php page to handle that, is there something else I can do?

I also tried just doing index.php?pagecall=search.php as the action but that won't work either.

Thanks.
Truly is offline
Old 12-16-2007, 01:30 AM Re: using type="hidden" with $_GET
Extreme Talker

Posts: 238
Location: United States
Trades: 0
Input elements with type="hidden" definitely work with $_GET. You might have a typo or something. If it isn't showing up in your address bar, then it would be a problem in the HTML, otherwise the issue is most likely in the PHP.

On a semi-related side note, I hope that you filter your $_GET['pagecall'] through some sort of if else or switch statement. If you are just doing a raw header() or include() statement on that value, it is somewhat of a security hole.
__________________
The interlocking pieces of web development: usability, performance, accessibility, and standards.
frost is offline
Old 12-17-2007, 11:46 AM Re: using type="hidden" with $_GET
Truly's Avatar
Ultra Talker

Posts: 322
Trades: 0
Well at the moment I don't have any pages that are secured, like I don't actually make the user login for anything. But even if I did, how would that make it unsecure? Couldn't I just check if a session is set before I let them view the page?
Truly is offline
Old 12-17-2007, 04:48 PM Re: using type="hidden" with $_GET
lizciz's Avatar
Super Spam Talker

Posts: 807
Name: Mattias Nordahl
Location: Sweden
Trades: 0
If you take a value directly from a POST or GET variable and insert it in an include, read or header function etc., it would be possible to specify whatever file you like and get it included or maybe even be able to see the whole file contents (or other stuff you don't want people to be doing). If the page that is viewed happens to contain your database and admin username and password, you're in deep trouble. The same goes for using the value directly in a database query, as you are then vulnerable to SQL injection attacks.
lizciz is offline
Old 12-17-2007, 07:46 PM Re: using type="hidden" with $_GET
Harlequin's Avatar
Extreme Talker

Posts: 166
Name: Mick
Location: Tenerife
Trades: 0
Truly

I use GET and POST depending on what I want and frequently use hidden fields with no issues.
__________________

Death Once Had a Near Harlequin Experience...!
Harlequin is offline
Old 12-18-2007, 07:56 PM Re: using type="hidden" with $_GET
InfinitySchima's Avatar
Skilled Talker

Posts: 71
Name: Rafael Schimassek
Trades: 0
well, something in your first post was fishy

may it be that you are putting?:
<input type="hidden" pagecall="search.php"/>

if yes, change it to
<input type="hidden" name="pagecall" value="search.php"/>

sometimes we just overlook this stuff

Schimassek...
InfinitySchima is offline
Old 12-18-2007, 09:00 PM Re: using type="hidden" with $_GET
Truly's Avatar
Ultra Talker

Posts: 322
Trades: 0
Well first off it's working fine now so thanks guys.

But you've got me thinking Frost so I might as well get this out of the way now. A couple questions on this subject of security. So basically they could open any file on the server (assuming they know the link). Now in this particular case it's only a webhost so I don't have root access so I don't think they can do anything particularly bad seeing as my DB and everything are held separately, but I get your point.

What would be a better way? Make an array of all the pages I have and check the variable "pagecall" against the array every time to make sure it's something I want?

Also, seeing as I am EXTREMELY new to the whole web site thing, how do you guys normally deal with menus and pages? Like the reason I am doing it this way where every page is loaded in index.php is so that it is easier for me to update and so that everything stays as uniform as possible. But in the future would it make more sense to just have straight URL link from my menu to separate pages (don't know if that made any sense)?

Basically, what's the norm?
Truly is offline
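
The array check asked about above, and the filtering frost and lizciz recommend, as an added example that is not code from any poster in this thread. The page keys, the pages/ directory and the resolve_page() helper are assumptions made for illustration; the commented-out line shows the raw include the thread warns about.

```php
<?php
// Added example: allow-list for a "pagecall" front controller.
// PAGES, DEFAULT_PAGE, pages/ and resolve_page() are hypothetical names.

// The pattern the thread warns about: the request value names the file.
//   include $_GET['pagecall'];   // caller decides which file is loaded

// Allow-list: a short public key maps to a fixed file name, so nothing
// taken from the request ever becomes part of a filesystem path.
const PAGES = [
    'news'   => 'news.php',
    'search' => 'search.php',
    'about'  => 'about.php',
];
const DEFAULT_PAGE = 'news';

function resolve_page($requested): string
{
    // Missing values, arrays (?pagecall[]=x) and unknown keys all fall
    // back to the default page instead of reaching include().
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        $requested = DEFAULT_PAGE;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

// Constructed sample request values, to show what each resolves to.
$samples = ['search', 'news.php', '../config.php', ['x'], null];
foreach ($samples as $s) {
    printf(
        "%-18s => %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        basename(resolve_page($s))
    );
}

// In index.php the include then becomes:
//   include resolve_page($_GET['pagecall'] ?? null);
```

With this mapping the menu links and the hidden form field carry the short key (value="search") rather than a file name, so an old-style value such as news.php simply resolves to the default page.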
Old 01-21-2008, 09:32 PM Re: using type="hidden" with $_GET
carloncho's Avatar
Skilled Talker

Posts: 80
Name: Carlos
Trades: 0
Use $_REQUEST !!
carloncho is offline