can I pass an object through the URL?
Posted: Tue Aug 07, 2007 12:47 am
by Your_child
Can I pass an object through the URL?
Inside page 1 my code looks like this:
$userObj = new User($ID);
header("Location: ".myURLAndDir()."invited.php"."?type=massmail"."&thisUser=".$userObj);
Now on page 2, I attempt to get the object $userObj by doing this:
$user = $_GET['thisUser'];
But when I try to use the User class functions by doing this:
$user->printList();
I get an error. I know $_SESSION variables would be a better choice but because the website is already set up this way, I'm going to avoid using session variables. Am I missing something? Can I even pass an object through the URL?
Posted: Tue Aug 07, 2007 1:26 am
by AKA Panama Jack
In a word...
No
Objects only exist for as long as the PHP script executes.
Posted: Tue Aug 07, 2007 1:30 am
by Christopher
But you could save the object in the session and pass the ID.
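$id = (int)$_GET['id'];
session_start();
// Top-level $_SESSION keys cannot be numeric (PHP skips them on save), so prefix the ID.
$key = 'user_' . $id;
$user = isset($_SESSION[$key]) ? $_SESSION[$key] : new User($id);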
Posted: Tue Aug 07, 2007 5:27 am
by AKA Panama Jack
That will not work either. The same thing applies. The object is destroyed when the PHP script that created the object finishes execution. Even though you have stored the object id in a session variable the object isn't there when the next PHP script tries to access it.
Posted: Tue Aug 07, 2007 6:18 am
by VladSun
Posted: Tue Aug 07, 2007 6:30 am
by stereofrog
No, please don't recommend this. You should never try to unserialize data that the user can modify. This would be a major security hole.
Posted: Tue Aug 07, 2007 6:31 am
by VladSun
stereofrog wrote: No, please don't recommend this. You should never try to unserialize data that the user can modify. This would be a major security hole.
One can always use HMAC to prevent this ... And also I didn't say to pass it through the URL - $_SESSION can be used instead.
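An added example, not code from any poster in this thread, of the HMAC approach mentioned above: the data is signed on page 1 and the tag is checked on page 2 before `unserialize()` sees any byte of it. `SECRET_KEY`, `pack_signed()` and `unpack_signed()` are hypothetical names, the key and sample data are constructed, and PHP 7.0+ is assumed for the `allowed_classes` option.

```php
<?php
// Added example; the key, names and sample data are constructed.
const SECRET_KEY = 'placeholder-load-a-random-key-from-server-config';

// Page 1: serialize plain data (not the User object) and append an HMAC-SHA256 tag.
function pack_signed(array $data, string $key): string
{
    $payload = serialize($data);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $key);
}

// Page 2: returns the array, or null when the token is malformed or the tag is wrong.
function unpack_signed(string $token, string $key): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    // Verify in constant time BEFORE any byte reaches unserialize().
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $parts[1])) {
        return null;
    }
    // Defence in depth: never instantiate classes from the payload.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Page 1 builds the redirect target.
$token = pack_signed(['id' => 42, 'type' => 'massmail'], SECRET_KEY);
$url = 'invited.php?thisUser=' . rawurlencode($token);

// Page 2 receives $_GET['thisUser'] (already URL-decoded by PHP); simulated here.
$data = unpack_signed($token, SECRET_KEY);
var_dump($data !== null && $data['id'] === 42); // then rebuild with new User($data['id'])

// A token whose payload was edited in transit keeps the old tag and is rejected.
list($p, $tag) = explode('.', $token);
$forged = base64_encode(str_replace('i:42;', 'i:1;', base64_decode($p))) . '.' . $tag;
var_dump(unpack_signed($forged, SECRET_KEY));
```

The HMAC gives integrity only: the payload is still readable by whoever holds the URL, so nothing secret belongs in it.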
Posted: Tue Aug 07, 2007 6:57 am
by stereofrog
There is no need to serialize() if you store objects in sessions.
Posted: Tue Aug 07, 2007 7:08 am
by VladSun
stereofrog wrote: There is no need to serialize() if you store objects in sessions.
Yes, you are right.
But another thing comes up - users rarely use "logout". So $_SESSION is then considered a "resource leak". I am not sure what is worse then - to have an object or its serialized data in $_SESSION? Just curious.

Posted: Tue Aug 07, 2007 7:20 am
by stereofrog
The session routine uses "serialize" internally; objects are stored in sessions in a serialized form. There's no way to store an object "immediately", without serialization, whether built-in or custom.
Posted: Tue Aug 07, 2007 8:17 am
by VladSun
Yeah, you are right again
I feel like I am not thinking at all

Posted: Tue Aug 07, 2007 8:39 am
by stereofrog
Can happen to all of us.
