how to put php scripts in html scripts in a php script

Question

I know my question is kind of confusing but what I meant is that I want to display an HTML form in a PHP 'echo'. So my entire HTML code is inside my php open and closing tags and then inside my HTML script I wanted to have a php code but I get an error saying:

Parse error: syntax error, unexpected 'echo' (T_ECHO), expecting ',' or ';'

and my code goes something like this:

<?php
   echo '<form method="post" id="customForm" action="add_assessment.php">
    <table>
     // this line is where I get the error
    <input type="hidden" name="res_id" value='echo($_GET['res_id']);' />
?>

Answer 1

You can use . to concatenate strings in PHP. So you could write it like so:

<?php
   echo '<form method="post" id="customForm" action="add_assessment.php">
    <table>
     // this line is where I get the error
   <input type="hidden" name="res_id" value="'.$_GET['res_id'].'" />';
?>

Answer 2

. can be used to concatenate strings. You can also use , which sends them as separate echos.

<?php
   echo '<form method="post" id="customForm" action="add_assessment.php">
    <table>
    <input type="hidden" name="res_id" value="' . intval($_GET['res_id']) . '" />';
?>

Don't forget XSS protections. The intval() is turning the user input from $_GET into an integer, ensuring that it isn't malicious. It seems this is an important ID for your system. You should ensure that changing it won't break your code, if it will, consider using Sessions instead.

XSS or Cross Site Scripting, is when an attack injects javascript onto your page in an attempt to make it work differently or redirect the user. In this case, an attacker could send this form to a different location. If this form contains Credit Card info, other personal info, or internal data from your application; an attacker could gain access to that info simply by linking a user to the form with the bad data in it.

If setup right, the user might not ever even know they had their information stolen!