newbie help with passing sensitive information along forms

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

ruud
Forum Newbie
Posts: 16
Joined: Mon Oct 27, 2003 9:57 am

newbie help with passing sensitive information along forms

Post by ruud »

Hi there

I was wondering whether anyone can help a PHP newbie.

I have a number of forms that the user has to fill out for a project I've done. The user has to fill out personal details, address details and various other bits so I've split the forms over a number of pages.

Each time the user submits a form that info is inserted into a particular table in my db. The user is then sent to the next form with the URL appended with variables that I need to collate information on that user over the pages. However I know that security-wise this is not particularly good as people could just mess around with the URL string.

Can anyone tell me a better way of collecting variables that I need over a number of pages, rather than appending the URL every time. I have started looking into session vars. Would this be a better way?

Thanks in advance. :)
TheBentinel.com
Forum Contributor
Posts: 282
Joined: Wed Mar 10, 2004 1:52 pm
Location: Columbus, Ohio

Re: newbie help with passing sensitive information along for

Post by TheBentinel.com »

ruud wrote: Can anyone tell me a better way of collecting variables that i need over a number of pages, rather than appending the url everytime. I have started looking into session vars. Would this be a better way?

Thanks in advance. :)

The session docs are here: http://us2.php.net/manual/en/ref.session.php

Without sessions, you could send the data you want to preserve in hidden fields in the HTML:

Code:

<form>
<input type="hidden" name="hiddenValue1" value="YouCanStill see it by viewing the source">
</form>

But that's not 100% protection, since they can save the HTML to their drive, change it, and resubmit it. For total protection from that, you need to save state on the server (perhaps through sessions) and pass something back and forth to connect a given user to a given state. Sessions use cookies, I think. Or you could pass an id value in a hidden field that would be less attractive to tamper with.
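
The server-side state described in the post above, sketched as an added example that is not part of the original thread: a single PHP script that walks the user through the form pages and keeps the collected answers in `$_SESSION`, so nothing but the session id cookie goes back and forth. It assumes PHP 7.4 or later; the step names, field names and `save_to_db()` are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+.
// Step names, field names and save_to_db() are hypothetical.
// Only the session id travels in the cookie; the data stays on the server.
// Add 'secure' => true when the site is served over HTTPS.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Ordered steps and the fields each step is allowed to set.
const STEPS = [
    'personal' => ['first_name', 'last_name'],
    'address'  => ['street', 'city', 'postcode'],
];
$_SESSION['form'] ??= [];

// The step is derived from what the server has stored, never from the URL,
// so a user cannot skip ahead or overwrite another step by editing a link.
function current_step(array $saved): ?string
{
    foreach (array_keys(STEPS) as $step) {
        if (!isset($saved[$step])) {
            return $step;
        }
    }
    return null; // every step completed
}

$step = current_step($_SESSION['form']);
if ($step !== null && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $clean = [];
    foreach (STEPS[$step] as $field) {   // fields not on the list are ignored
        $value = $_POST[$field] ?? '';
        $clean[$field] = is_string($value) ? trim($value) : '';
    }
    if (!in_array('', $clean, true)) {   // all fields are required here
        $_SESSION['form'][$step] = $clean;
        $step = current_step($_SESSION['form']);
    }
}

if ($step === null) {
    // save_to_db($_SESSION['form']);    // hypothetical: store the collated data
    unset($_SESSION['form']);
    exit('Thanks, all details received.');
}
echo '<form method="post">';
foreach (STEPS[$step] as $field) {
    echo "<label>$field <input name=\"$field\"></label><br>";
}
echo '<button>Next</button></form>';
```

Saving a copy of the page and editing it changes only the values the user submits for the current step; which step is next and what was entered earlier are read from the session on the server.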
ruud
Forum Newbie
Posts: 16
Joined: Mon Oct 27, 2003 9:57 am

Post by ruud »

thanks a lot for replying

when you talk about cookies - would I write what data I needed to a cookie and then pull that data out on the next page etc.

many thanks :)
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

that would be a decent way:

set a cookie that will expire in like 5 mins (enough to confirm the info before it sends to the DB) and combine the cookie info with the isset() function.

something like:

Code:

if (isset($_COOKIE["cookiename"])) {
    // Cookie values come from the browser: escape before echoing into HTML
    $variable_from_cookie = htmlspecialchars($_COOKIE["cookiename"], ENT_QUOTES);
    echo "<input type=\"text\" value=\"$variable_from_cookie\">"; // and so forth
}

maybe this is what TheBentinel was suggesting, but if not, it is another possible way. another good deal out of this way is you can prolong the time() in the actual setcookie and have the user's username stored, so on your main page you might have like:

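Code:

if (isset($_COOKIE["username"])) {
    // Escape the cookie value before printing it; it comes from the browser
    $username = htmlspecialchars($_COOKIE["username"], ENT_QUOTES);
    echo "hi $username, welcome to the page";
} else {
    echo "you need to log-in or create a account";
}

just some ideas to ponder on.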
ruud
Forum Newbie
Posts: 16
Joined: Mon Oct 27, 2003 9:57 am

Post by ruud »

many thanks tim for your help. a good basis for me to work on :)