hide posted vars (forum question, also)

Anon

This is likely a repeat of an old post (I'm sure I read it before), however, since we can no longer use the search engine here ...

I thought I read somewhere how in PHP you could prevent POSTED vars displaying in the URL. Your patience and direction are appreciated!

Forum Comment/question:
I into PHP for less than 90days. It wasn't until this site/forum was unavailable or was degraded in capabilities that I realized how indispensible I have found it to be to my progress!

Does anyone know if there's a way to obtain an archive of the forums? Without the search engine online, I am floundering. I am crawling now compared to when the knowledgebase here was searchable. Thanks.

Anon

POST variables already don't display in the URL. It's GET variables that do that.

Anon

Kirk: Thanks for the comment - perhaps in my green state, I'm being unclear. Here's exactly what I am trying to do.

I have a form by which I am "handing off" users to another site via SSL. The account info is contained in the form built dynamically from session vars on my host (accounts are synch'ed between hosts). So, I send the users via a hyperlink to a script that looks like this:

php composed link:
https://programmaticlink.com?uid=johndoe&password=mydogsname

target form script:

<?php
print "<script>var timeID = setTimeout(\"document.forms[0].submit()\", 1)</script>";
print "<form action=\"https://foobar.com?\" method=\"POST\" id=\"redir\">";
print "<input type=\"HIDDEN\" name=\"UserName\" value=\"$uid\">";
print "<input type=\"HIDDEN\" name=\"Password\" value=\"$password\">";
print "</form>";
?>

Works great - the only neatness I'm looking for is to eliminate the unsightly displaying of the uid and password values in the transitional page that displays while the user waits. I am not worried about the sniffing of the password, just the person looking over the shoulder of the user. I don't know if this makes any sense - I am new to coding and even newer to looking for help. THanks.

kparker

When you say:

php composed link:
https://programmaticlink.com?uid=johndoe&password=mydogsname

whose php script is doing this composing, yours (which you could change) or somebody else's (which you may not be able to get changed.) Furthermore, who's at the receiving end at 'programmaticlink.com'? Is that your site, or a third party's? Because if the receiving site can't take the data via POST, then you're out of luck.

Anon

Thanks again, Kirk, for the response.

The PHP script composing the URL is mine. The receiving end is a third-party site. The POST data is actually working. My script calls another local script containing the form mentioned earlier. The script embedded form posts itself to the third-party site successfully. It is the transitional page (blank) containing the form that is my concern.

I am trying to control it so that it does not display the POST url it received from the first script in the address or location field of the browser interface. I suspect that this may not be something I can control from PHP, but instead have to attack from client javascript - not really sure.

Does this make sense? Thank you for sticking with me on my problem description.

"Help ME, help you ..." : )