Hello.
I'm engaged in developing a fairly meaty web application (FreeMIS).
Everything is routed through index.php, with $_GET variables controlling
which pages are shown and which actions taken. Early on (when I knew very
little about PHP) I realised that I had to come up with a way of passing on
all the navigation variables in forms, so the application would know where
to go. I chose not to use cookies or session variables, for security
reasons. I made up 2 functions; one to to pass on all the existing $_GET
variables via additions to the "action" url of the form, and one to pass on
all the existing $_POST variables via hidden input elements. Each function
takes as parameter an array of variables that should NOT be passed on.
This approach works, but it's ugly as hell. The complication is that
sometimes the target form should pass on the variables that it received,
and sometimes it should forget them.
For example, suppose a screen contains a form to process an object, and also
a form to navigate to other objects for processing. The former form should
pass on the variable identifying itself, whereas the latter one shouldn't,
as it is going to assign a new value to the variable.
This seems like a generic application design problem, but I can't find a
neat solution anywhere. Apologies if I'm missing something obvious!
Can anyone help?
--
Robert Jones
Full Version: robust variable passing
Oli Filth wrote:
| QUOTE |
Why do you consider session variables *less* secure than $_GET and $_POST strings? |
No idea :) ! Something I read when I was starting out with PHP and web
application development. Doesn't make any sense really does it? So maybe
I should use session variables. My original question still stands, about
how people deal with variables being passed around, some of which should
persist and some of which shouldn't in different contexts.
--
Robert Jones
Robert Jones said the following on 20/06/2005 21:00:
| QUOTE |
| Hello. I'm engaged in developing a fairly meaty web application (FreeMIS). Everything is routed through index.php, with $_GET variables controlling which pages are shown and which actions taken. Early on (when I knew very little about PHP) I realised that I had to come up with a way of passing on all the navigation variables in forms, so the application would know where to go. I chose not to use cookies or session variables, for security reasons. I made up 2 functions; one to to pass on all the existing $_GET variables via additions to the "action" url of the form, and one to pass on all the existing $_POST variables via hidden input elements. |
Hi.
Why do you consider session variables *less* secure than $_GET and
$_POST strings?
--
Oli
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.