
newbie help with passing sensitive information along forms

Posted: Sun Mar 14, 2004 5:10 am
by ruud
Hi there

I was wondering whether anyone can help a php newbie.

I have a number of forms that the user has to fill out for a project I've done. The user has to fill out personal details, address details and various other bits so I've split the forms over a number of pages.

Each time the user submits a form that info is inserted into a particular table in my db. The user is then sent to the next form with the url appended with variables that I need to collate information on that user over the pages. However I know that security wise this is not particularly good as people could just mess around with the url string.

Can anyone tell me a better way of collecting variables that I need over a number of pages, rather than appending the url every time? I have started looking into session vars. Would this be a better way?

Thanks in advance. :)

Re: newbie help with passing sensitive information along for

Posted: Sun Mar 14, 2004 8:16 am
by TheBentinel.com
ruud wrote: Can anyone tell me a better way of collecting variables that I need over a number of pages, rather than appending the url every time? I have started looking into session vars. Would this be a better way?

Thanks in advance. :)
The session docs are here: http://us2.php.net/manual/en/ref.session.php

Without sessions, you could send the data you want to preserve in hidden fields in the html:

<form>
<input type="hidden" name="hiddenValue1" value="You can still see it by viewing the source">
</form>

But that's not 100% protection, since they can save the HTML to their drive, change it, and resubmit it. For total protection from that, you need to save state on the server (perhaps through sessions) and pass something back and forth to connect a given user to a given state. Sessions use cookies, I think. Or you could pass an id value in a hidden field that would be less attractive to tamper with.

Posted: Sun Mar 14, 2004 9:13 am
by ruud
thanks a lot for replying

when you talk about cookies - would I write what data I needed to a cookie and then pull that data out on the next page etc.?

many thanks :)

Posted: Sun Mar 14, 2004 10:42 am
by tim
that would be a decent way:

set a cookie that will expire in like 5 mins (enough to confirm the info before it sends to the DB) and combine the cookie info with the isset() function.

something like:

if (isset($_COOKIE["cookiename"])) {
    // pull the value back out of the cookie and escape it before echoing into HTML
    $variable_from_cookie = htmlspecialchars($_COOKIE["cookiename"]);
    echo "<input type=\"text\" value=\"$variable_from_cookie\">"; // and so forth
}

maybe this is what TheBentinel was suggesting, but if not, it is another possible way. another good deal out of this way is you can prolong the time() in the actual setcookie and have the user's username stored, so on your main page you might have like:

if (isset($_COOKIE["username"])) {
    // escape the cookie value before echoing it into the page
    $username = htmlspecialchars($_COOKIE["username"]);
    echo "hi $username, welcome to the page";
} else {
    echo "you need to log-in or create a account";
}

just some ideas to ponder on.
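Neither hidden fields nor a plain data cookie stops the user from editing the values; the server-side alternative both replies point at is to keep the collected answers in $_SESSION and let only the session id travel in the cookie. The following is an added example (not code from ruud, TheBentinel or tim; it assumes PHP 7 or later and an invented three-page field layout) that carries a multi-page form through the session and rejects out-of-order submissions:

```php
<?php
// Added example: multi-page form state held in the server-side session.
// What the user typed on earlier pages never leaves the server, so it cannot
// be edited in the address bar or in saved HTML; only the session id is sent.
session_start();

// Which fields each page collects (assumed layout for this example).
$steps = [
    1 => ['first_name', 'last_name'],
    2 => ['street', 'city', 'postcode'],
    3 => ['phone', 'email'],
];

$step = $_SESSION['step'] ?? 1;               // the page the user may fill in next
$_SESSION['form'] = $_SESSION['form'] ?? [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only accept the page we are expecting: a user cannot skip ahead
    // or replay an earlier page by changing the hidden step number.
    if ((int)($_POST['step'] ?? 0) !== $step) {
        http_response_code(400);
        exit('Unexpected form step');
    }
    foreach ($steps[$step] as $field) {
        $value = trim($_POST[$field] ?? '');
        if ($value === '' || strlen($value) > 200) {
            exit('Missing or invalid field: ' . htmlspecialchars($field));
        }
        $_SESSION['form'][$field] = $value;   // stored server-side only
    }
    if ($step === count($steps)) {
        // All pages done: insert $_SESSION['form'] into the database here
        // (one INSERT of the collated data, via a prepared statement), then
        // drop the session data so the same form cannot be submitted twice.
        $_SESSION = [];
        session_destroy();
        exit('Thank you, your details were saved.');
    }
    $_SESSION['step'] = ++$step;
}

// Render the current page. The only hidden field is the step number,
// and it is checked against the session above rather than trusted.
echo '<form method="post">';
echo '<input type="hidden" name="step" value="' . $step . '">';
foreach ($steps[$step] as $field) {
    $prev = htmlspecialchars($_SESSION['form'][$field] ?? '', ENT_QUOTES, 'UTF-8');
    echo "<label>$field <input type=\"text\" name=\"$field\" value=\"$prev\"></label><br>";
}
echo '<button type="submit">Next</button></form>';
```

Because nothing but the step counter is round-tripped through the browser, the database insert can wait until the last page instead of happening after each one.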

Posted: Mon Mar 15, 2004 3:28 am
by ruud
many thanks tim for your help. a good basis for me to work on :)