can I pass an object through the URL?
Moderator: General Moderators
- Your_child
- Forum Newbie
- Posts: 1
- Joined: Tue Aug 07, 2007 12:36 am
Can I pass an object through the URL?
Inside page 1 my code looks like this:
$userObj = new User($ID);
header("Location: ".myURLAndDir()."invited.php"."?type=massmail"."&thisUser=".$userObj);
Now on page 2, I attempt to get the object $userObj by doing this:
$user = $_GET['thisUser'];
But when I try to use the User class functions by doing this:
$user->printList();
I get an error. I know $_SESSION variables would be a better choice, but because the website is already set up this way, I'm going to avoid using session variables. Am I missing something? Can I even pass an object through the URL?
- AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
But you could save the object in the session and pass the ID.
$id = (int)$_GET['id'];
session_start();
// PHP does not save numeric top-level keys in $_SESSION, so nest the object under a string key.
$user = isset($_SESSION['users'][$id]) ? $_SESSION['users'][$id] : new User($id);
- AKA Panama Jack
- Forum Regular
- Posts: 878
- Joined: Mon Nov 14, 2005 4:21 pm
Take a look at serialize() and unserialize().
You'd better use it with base64_encode()/base64_decode().
There are 10 types of people in this world, those who understand binary and those who don't
- stereofrog
- Forum Contributor
- Posts: 386
- Joined: Mon Dec 04, 2006 6:10 am
stereofrog wrote: No, please don't recommend this. You should never try to unserialize data that the user can modify. This would be a major security hole.
One can always use HMAC to prevent this ... And also I didn't say to pass it through the URL - $_SESSION can be used instead.
There are 10 types of people in this world, those who understand binary and those who don't
- stereofrog
- Forum Contributor
- Posts: 386
- Joined: Mon Dec 04, 2006 6:10 am
stereofrog wrote: There is no need to serialize() if you store objects in sessions.
Yes, you are right.
But another thing comes up - users rarely use "logout". So $_SESSION is then considered a "resource leak". I am not sure what is worse then - to have an object or its serialized data in $_SESSION? Just curious.
There are 10 types of people in this world, those who understand binary and those who don't
- stereofrog
- Forum Contributor
- Posts: 386
- Joined: Mon Dec 04, 2006 6:10 am
- stereofrog
- Forum Contributor
- Posts: 386
- Joined: Mon Dec 04, 2006 6:10 am
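The HMAC idea raised in the thread, as an added example that is not code from any of the posters: the URL carries only the user ID, JSON-encoded instead of serialize()d so nothing from the request ever reaches unserialize(), and page 2 checks the MAC before decoding anything. URL_TOKEN_KEY, make_user_token(), read_user_token(), the field names and the 5-minute expiry are hypothetical names and values chosen for this sketch.

```php
<?php
// Assumption: a random secret that lives only on the server (placeholder value).
const URL_TOKEN_KEY = 'replace-with-32-random-bytes-kept-server-side';

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    return base64_decode(strtr($txt, '-_', '+/'), true); // false on invalid input
}

// Page 1: build the value for "?thisUser=..." from plain data, not from an object.
function make_user_token(int $userId, int $ttl = 300): string {
    $payload = b64url_encode(json_encode(['id' => $userId, 'exp' => time() + $ttl]));
    $mac = b64url_encode(hash_hmac('sha256', $payload, URL_TOKEN_KEY, true));
    return $payload . '.' . $mac;
}

// Page 2: verify the MAC first, and only then decode the payload.
function read_user_token($token): ?int {
    if (!is_string($token) || substr_count($token, '.') !== 1) {
        return null;                       // $_GET values can be arrays or malformed
    }
    list($payload, $mac) = explode('.', $token);
    $expected = b64url_encode(hash_hmac('sha256', $payload, URL_TOKEN_KEY, true));
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // modified or forged
    }
    $raw = b64url_decode($payload);
    $data = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($data) || !isset($data['id'], $data['exp'])
        || !is_int($data['id']) || !is_int($data['exp']) || $data['exp'] < time()) {
        return null;                       // malformed or expired
    }
    return $data['id'];
}

// Constructed demonstration values.
$token = make_user_token(42);
var_dump(read_user_token($token));                 // untouched token
$tampered = $token;
$tampered[0] = ($tampered[0] === 'A') ? 'B' : 'A'; // change one payload character
var_dump(read_user_token($tampered));              // modified token
var_dump(read_user_token(['array', 'input']));     // non-string input
```

Page 2 then rebuilds the object itself with new User($id) from the verified ID. The MAC protects integrity only, so the ID remains readable in the URL.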