Passing variables

jaddy

Hi,

Assume that we have 3 .php pages:
page1.php
page2.php
page3.php

What is the best way to pass the variable $var from page1.php to page3.php passing page2.php as follows:

page1.php --> page2.php --> page3.php

I know that we can achieve this using one of the following ways:

1- Passing $var using the header() function, but I dont want anyone to see this variable in my address bar (the URL).
2- Using sessions, complicated and usually used for security reasons.

Is there is any other way?

thx

AcidRain

I use sessions, and i'm happy 🙂
Sample:

page1.php

<?php
$_SESSION['bla'] = "test";
echo "<a href=\"page2.php\">page2</a>";
?>

page2.php

<?php
echo $_SESSION['bla'];
?>

And I got: test 🙂

DigitalExpl0it

<?
//page1.php, this is a simple way to pass varibles over the url string, but warning dont use usernames or passwords, id are better if you need to do this

$user = "mom";
$pass = "xxxxxx";

echo "<a href='page2.php?user=$user&pass=$pass'>Click Here for page 2</a>";
?>

<?
//page2.php, these are just examples, you can use any kind of varibles or what ever....

$newuser = $user;
$password= $pass;

echo "hello $user, your password is $pass<br>";
echo "<a href='page3.php?user2=$newuser&pass2=$password'>Click Here for page 3";
?>

<?
//page3.php

echo "Hello $user2, you made it this far and your password is still $pass2";

Weedpacket

Sessions are by far the simplest method of maintaining state across multiple pages - that's what they were invented for (security is just an added bonus).

On each page on which you want to use sessioned data, have the statement

session_start();

Generally, best done as very first thing on the page (after the <?php of course, which really is the first thing on the page!)

Then you can work with all your session data the same way as you do the contents of any other array, as $SESSION['myvar1'], $SESSION['myvar2'], etc.

The user won't ever see the variable or its contents if you don't explicitly tell it to them, because it never actually leaves the server.

Mega

i dont get how u can store nething important in sessions.

u cant store passwords/user(names|ids) becoz they disappear after the session ends.

you cant store moderator or admin status incase their powers r revoked during their session.

you can store like whether a menu has been clicked and thats about it, or a page they've been to.

what is actually the point of sessions. the data doesnt leave the server, but u cant store ne decent data in them neway.

ive yet to c a method of using sessions that couldn't be done equally securely an alternate way.

can any one prove me wrong?

Weedpacket

Originally posted by Mega

ive yet to c a method of using sessions that couldn't be done equally securely an alternate way.

can any one prove me wrong?

no i can not cos u can do most anything in an alternate way equally securely.

We're talking about session data; anything more persistent than that would be stored in a database. Frequently-used database items (like username) can be drawn into session variables to ease database load. Moderator or admin status can be sessioned, since checks can be made whenever necessary that they still have the required status.

The short answer is; if you're ideologically opposed to sessions, don't use them. Doesn't make any difference to me.

austingecko

Let's say there is a page for user registration. The user enters his/her first name via a form with POST.

Then with a script, the entry is validated:

if ($first_name == "")
		{
      $failure .= "Please fill in your first name to complete your registration.";
		}
       if ($failure == True)
            {
            $_SESSION['first_name'] = $first_name;
            header("Location:". $_SERVER['PHP_SELF'] . "?failure=$failure");
            exit;
            }

Let's just assume the script brings up echo $failure;
and later
<input name=\"first_name\" value=\"<? echo $_SESSION['first_name'] ?>\" type=\"text\">

Are using sessions alright, in this case, to pass variables inputed by the user for purposes of form validation?

Weedpacket

That is one of the things I use sessions for - some might not. I personally don't like contaminating my database with incomplete or otherwise invalid form data, so I keep them in session variables until I and the user are both satisfied. Then they can go in the database.

If it's just a one-page form, I could use the form fields themselves, of course, and just refill them from $_POST, but anything that takes more than one form or involves more complicated preprocessing (which would otherwise need to be done on every attempted or partial submission) gets sessioned.

BTW: there is an error in your code.

header("Location:". $_SERVER['PHP_SELF'] . "?failure=$failure");

should be

header("Location:". $_SERVER['PHP_SELF'] . "?failure=".urlencode($failure));

But why not store the error message in $SESSION['failure']? 🙂 Keeps the URL clean. Just remember to do $SESSION['failure']='' once you've told the user about it, or it will continue to haunt you.

austingecko

Weedpacket: Great! Thanks.
ok. I read through this page in the PHP manual on sessions but I must be cloaked in failure because I get can't $failure printed on the refresh. $failure is something like: if ($first_name == "") { $failure .= "Please fill in your first name to complete your registration.<br>"; }.

I tried:

if ($failure == True)
      {
      $_SESSION['failure'] = $failure;
//and I tried this:      session_register("failure");
      $Submit = "";
      header("Location:". $_SERVER['PHP_SELF'] . $_SESSION['failure']);
//and with this:  header("Location:". $_SERVER['PHP_SELF']);
      exit;
      }

Where the page reloads I <?php echo $_SESSION['failure']; ?> and nothing appears when there is a $failure. I must be missing something obvious here.. 😕

Weedpacket

To make a long story short, pick one method and stick with it. If you store the failure message in the session data, then that is where you should look for it when you refresh the page. If you're passing it in the URL, then that is where you look for it when you refresh.

I'm also a wee bit confused as to what you're doing: as far as I can make out, if you find you have an error, you refresh the same page, passing the error message to it. Why? It seems a bit of a waste of time because you'll just end up back where you started.

May I suggest an approach like this:

session_start();

Set $failure_message='';

If we're here as the result of a form submission ($_POST['submit']!='',
if your submit button was named 'submit') then:

{

Check form fields for validity.

If any fields are invalid, set $failure_message accordingly (it's
nice to make all your checks, and present all the problems to the
user at once; instead of going "Fix this. Now fix this. Now fix
this..." on separate submissions you go "These need to be fixed..."

After checking for validity, look at the value of $failure_message.
If it's still '' after all that checking ,

{

    either store their details in your database now (if that's what
    you do), or store them in $_SESSION variables.

    Then, header("Location:...") to the form acceptance page. (If
    you sessioned the form data then session_start() will later
    retrieve it and you can do with it what you want then.)

}

else

{   // $failure_message was [i]not[/i] '', so there was an error.

}

}

Display the form. If $failure_message!='', now is a good time to display
it somewhere approprioate. Don't forget to use the contents of $_POST
and repopulate the form fields with the data the user has already
entered.

Note that if you store your form data wherever you're going to store it
(I assume a database), then you have no need to carry either it or any
failure message to any other page.