Jammerious wrote: If you can spare a minute or so, could you explain what you mean by form tokens, and how to apply them in practice?
A form token (or whatever people want to call it) is where you attach a unique, one-time identifier to the form. You also put it into a place that only your code can access. This way you can check for the identifier from the form and if it matches what you have "on file" then you can be very sure that the form submission came from your site/code and not somebody else's.
Code:
<?php // page that generates the form
session_start();
// ...
$token = sha1(uniqid(microtime(), true)); // unique token for the form
$_SESSION["user record lookup form token"] = $token; // store for access later
echo "<form action='/path/to/page.php' method='post'>\n";
echo "<input type='hidden' name='token' value='{$token}' />\n";
echo "<p>Get records for user #<input type='text' name='userid' size='10' /> <input type='submit' value='Go' /></p>\n";
echo "</form>\n";
Code:
<?php // page that receives the form ("/path/to/page.php")
session_start();
if (!isset($_POST["token"], $_POST["userid"], $_SESSION["user record lookup form token"])) {
// form was not submitted or we do not have the form token
} else if ($_POST["token"] != $_SESSION["user record lookup form token"]) {
// token does not match what we have
} else {
unset($_SESSION["user record lookup form token"]); // remove the token so it can't be used again
// do our work
}
OILF ("out in left field", because most of this thread is off-topic already):
Jammerious wrote: I believe you are not referring to having a list of expected form fields against which you can validate?
If I understand you, that's what I'm talking about regarding submit buttons. Instead of checking that the submit button is present in $_POST and (if so) assuming everything is okay, I check that all the expected fields are present (and validate them). You can see this in the example code I posted: the submit button isn't named, and I use isset to check individually that each field (all two of them, plus the session token) exists.
The alternative is to name the submit button and have if (!isset($_POST["name of submit button"])). However, even if *I* did that, *I* would check that each required field is present anyway, so really there wouldn't be much point to the whole thing.
edit:
Back on-topic, because I'm not too sure the original question ever got answered:
You can't define variables on one PHP page and have them appear on another PHP page without doing some work.
The best way for you here is to put those values into the session. One method would be like this:
Code:
session_start();
// ...
if (empty($_POST['username'])) {
// form these in the negative: "do not have X" or "problem with X" rather than "do have X" and "X is okay"
$_SESSION["problem with registration"] = true;
$_SESSION["registration form missing the username"] = true;
}
Code:
session_start();
// ...
// use !empty($_SESSION["..."]) to check if a flag is set, then unset() if it is. example:
if (!empty($_SESSION["registration form missing the username"])) {
echo "No Username Entered";
unset($_SESSION["registration form missing the username"]); // we don't want to reuse this next time the form is submitted
}
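A hardened variant of the form-token pattern from the reply above, added here as an example and not taken from the original post: it draws the token from random_bytes() instead of uniqid()/microtime(), compares with hash_equals() so the check runs in constant time, and records when the token was issued so stale tokens are rejected. The function names, the 'form_tokens' session key layout and the 30-minute lifetime are assumptions of this example; it assumes PHP 7.1 or later and that the including page has already called session_start().

```php
<?php
// Added example: form-token helpers (not the original poster's code).
// Assumes PHP 7.1+ (random_bytes, hash_equals, nullable types) and that
// session_start() has already been called by the including page.

const FORM_TOKEN_TTL = 1800; // seconds a token stays valid (assumed value)

// Issue a fresh one-time token for a named form and remember it in the session.
function issue_form_token(string $form): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $_SESSION['form_tokens'][$form] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Render the hidden field; htmlspecialchars keeps the value safe inside the attribute.
function form_token_field(string $form): string
{
    $token = issue_form_token($form);
    return "<input type='hidden' name='token' value='"
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . "' />";
}

// Verify a submitted token for a named form. The stored copy is removed whether
// or not the comparison succeeds, so each issued token is usable exactly once
// and a mismatched or expired token cannot be retried against the same value.
function verify_form_token(string $form, ?string $submitted): bool
{
    if (!isset($_SESSION['form_tokens'][$form])) {
        return false; // nothing on file: form never rendered, or token already consumed
    }
    $record = $_SESSION['form_tokens'][$form];
    unset($_SESSION['form_tokens'][$form]); // one-time use

    if ($submitted === null || $submitted === '') {
        return false; // field missing or empty
    }
    if (time() - $record['issued'] > FORM_TOKEN_TTL) {
        return false; // stale token
    }
    // hash_equals avoids leaking information through comparison timing.
    return hash_equals($record['token'], $submitted);
}

// Usage on the receiving page (after session_start()):
// if (!verify_form_token('user record lookup', $_POST['token'] ?? null)) {
//     http_response_code(400);
//     exit('Invalid or missing form token');
// }
```

Keying the stored token by form name lets several forms be open in one session without their tokens overwriting each other, which the single session key in the reply above does not allow.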