can I pass an object through the URL?

Your_child
Forum Newbie
Posts: 1
Joined: Tue Aug 07, 2007 12:36 am

can I pass an object through the URL?

Post by Your_child »

Can I pass an object through the URL?


Inside page 1 my code looks like this:

$userObj = new User($ID);
header("Location: ".myURLAndDir()."invited.php"."?type=massmail"."&thisUser=".$userObj);



Now on page 2, I attempt to get the object $userObj by doing this:

$user = $_GET['thisUser'];


But when I try to use the User class functions by doing this:

$user->printList();

I get an error. I know $_SESSION variables would be a better choice but because the website is already set up this way, I'm going to avoid using session variables. Am I missing something? Can I even pass an object through the URL?
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

In a word...

No

Objects only exist for as long as the PHP script executes.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

But you could save the object in the session and pass the ID.

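Code:

$id = (int)$_GET['id'];
session_start();
// Use a string key: numeric top-level keys in $_SESSION are not saved by the default serializer
$key = 'user_' . $id;
// Reuse the stored object, or create it and save it in the session for later requests
$user = isset($_SESSION[$key]) ? $_SESSION[$key] : ($_SESSION[$key] = new User($id));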
(#10850)
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

That will not work either. The same thing applies. The object is destroyed when the PHP script that created the object finishes execution. Even though you have stored the object id in a session variable the object isn't there when the next PHP script tries to access it.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Take a look at serialize() and unserialize().
You'd better use it with base64_encode()/base64_decode().
There are 10 types of people in this world, those who understand binary and those who don't
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

No, please don't recommend this. You should never try to unserialize data that the user can modify. This would be a major security hole.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

stereofrog wrote: No, please don't recommend this. You should never try to unserialize data that the user can modify. This would be a major security hole.
One can always use HMAC to prevent this ... And also I didn't say to pass it through the URL - $_SESSION can be used instead.
There are 10 types of people in this world, those who understand binary and those who don't
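
The HMAC idea raised above, as an added example that is not part of the thread or any poster's code: only plain data is signed and passed, the tag is verified before anything is decoded, and the object is rebuilt on the receiving page. `STATE_KEY`, `pack_state()`, `unpack_state()` and the `state` parameter are hypothetical names, the sample values are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example. STATE_KEY, pack_state(), unpack_state() and the "state"
// parameter are hypothetical names; the sample values are constructed.
const STATE_KEY = 'placeholder-load-a-random-secret-from-server-config';

// Serialize plain data (not the User object), then append an HMAC-SHA256 tag.
function pack_state(array $data, string $key): string
{
    $payload = base64_encode(serialize($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the array only if the tag verifies; null for anything else.
function unpack_state(string $token, string $key): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Verify before decoding; hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // Defence in depth: refuse to instantiate any class from the payload.
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Page 1: build the redirect URL. The payload is signed, not encrypted,
// so the user can still read it; keep secrets out of it.
$token = pack_state(['id' => 42, 'type' => 'massmail'], STATE_KEY);
$url = 'invited.php?state=' . rawurlencode($token);

// Page 2: $_GET['state'] would hold $token; rebuild the object from the ID,
// e.g. new User((int) $state['id']) with the thread's User class.
$state = unpack_state($token, STATE_KEY);
var_dump($state);

// A token whose payload was edited after signing fails the MAC check.
$forged = base64_encode(serialize(['id' => 1, 'type' => 'massmail']))
    . '.' . explode('.', $token)[1];
var_dump(unpack_state($forged, STATE_KEY));
```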
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

There is no need to serialize() if you store objects in sessions.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

stereofrog wrote: There is no need to serialize() if you store objects in sessions.
Yes, you are right.

But another thing comes up - users rarely use "logout". So $_SESSION is then considered a "resource leak". I am not sure what is worse then - to have an object or its serialized data in $_SESSION? Just curious :)
There are 10 types of people in this world, those who understand binary and those who don't
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

The session routine uses "serialize" internally; objects are stored in sessions in a serialized form. There's no way to store an object "immediately", without serialization, whether built-in or custom.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Yeah, you are right again :)))

I feel like I am not thinking at all ;)
There are 10 types of people in this world, those who understand binary and those who don't
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

Can happen to all of us ;)