I was just wondering; until now I've just called functions from different PHP files and passed values through parameters. I have not used $_GET or $_POST much at all.

When sending information between PHP pages, what is the most secure way of doing that?

If I'm not using a SQL DB, how secure is it to have the user name and user password stored in a file? (in a folder that cannot be listed)

    Using $_POST is much more secure than using $_GET.

    The reason is because when you are passing variables from a form to another page, if your form's method is GET then the form's values will show up in the URL
    like this:
    get_form_values.php?field=value&field2=value2 .....

    On the other hand, using POST as your method of passing variables from a form to another page, the user will not see the values being passed.

      Yeah, I know the difference between POST and GET.

      I was more worried about data that I get from, e.g., files and DBs. I load some info, then pass it to other pages by using functions and parameters.

      Is all information that is retrieved, passed between functions etc. on the server side, safe from users? Since users can look at the PHP source code and find out where I'm calling my e.g. include files and JavaScript files.

        You said that users will be able to look at your source code.

        How come?

        The web server will parse the PHP code and create HTML (or XML), so they will not be able to see the actual source code at all.

        If you are really worried and want to take a more secure method then you could use one of the encryption functions.

        I am using base64_encode and base64_decode.

        By adding a "salt" (secret word) to the data that is going to be encrypted you increase the security of the data.

        HTH

        GM

          spstieng, regarding the source code: occasionally a host for some reason or other will have a borked server that will fail to parse PHP, and will show users the source code. You should look for a reliable server that never lets this happen. If this is what you mean by users seeing the source code, what you can do is make sure you have a reliable host, and put your really sensitive info, like db name, db username, db password in an include file outside the web directory.

          You can pass variables from function to function, and to include files, without worrying too much that the user will see them, as long as your scripts are rather secure. You do this simply by setting and manipulating the variables ($a=2; $a=$a+9;) and including other files, or using them in functions where these variables are used as the parameters of the function, or are declared as global within the function. You should look at the PHP manual or a PHP book and check out the chapters on "scope" and "globals," and also "external variables." External variables are those that come into PHP via e.g. parameters passed through the URL (which are the "GET" method), the POST method, through cookies ... check out the sources. You DO have to be sure that all unexpected input from these sources doesn't do weird stuff or allow somebody to hack your site.

          To pass information between pages, you should never use GET for sensitive information, for the reasons sijis mentions. Might sound weird, but I regularly get referrers on my site from people using scripts that are so bad and insecure they leave both username and password in the url with GET. Using "sessions" would probably be the most common way, with the most documentation available.

            You can use sessions instead of GET and POST methods. Sessions are even more secure.

              9 days later

              The problem with using SESSION and POST is that you cannot have bookmarkable URLs.

                Maybe you shouldn't be passing the information between the pages. Sometimes people write two PHP pages when one can do it quite easily.

                If you do have to pass information then I'd consider using session variables, if you don't want to write them to a database. Given the ease with which PHP connects to MySQL, I always use it rather than writing to a flat file, but your host may not provide MySQL databases.

                If it's a password you're passing, pass the MD5 hash of it or only store the hash of it.
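The session-based approach and "store only the hash" advice from the replies above, worked into a login page as an added example (this is not code from any post in this thread). It assumes a credentials file at the hypothetical path `/var/app/private/users.txt`, outside the web root, holding one `username:hash` line per user, with hashes made by PHP's `password_hash()` and checked by `password_verify()` (used here in place of MD5). After a successful login only the user name is kept in `$_SESSION`; subsequent pages read it from there and nothing sensitive travels in the URL.

```php
<?php
// login.php -- added example, not code from any post in this thread.
// Credentials live in a flat file OUTSIDE the web root (hypothetical path),
// one "username:hash" per line. Create a line with, for example:
//   echo 'alice:' . password_hash('correct horse', PASSWORD_DEFAULT) . "\n";
// Only the hash is stored; the password itself is never written anywhere.
const USER_FILE = '/var/app/private/users.txt';

function load_users(string $path): array
{
    $users = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines ?: [] as $line) {
        // Split on the first ':' only; bcrypt hashes contain '$' and '/' but never ':'.
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

function authenticate(array $users, string $name, string $password): bool
{
    $hash = $users[$name] ?? null;
    // password_verify() compares in constant time and keeps working if
    // PASSWORD_DEFAULT changes in a later PHP release.
    return $hash !== null && password_verify($password, $hash);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');

    if (authenticate(load_users(USER_FILE), $name, $pass)) {
        session_regenerate_id(true);   // fresh session id after a successful login
        $_SESSION['user'] = $name;     // later pages read this; nothing goes in the URL
        header('Location: /account.php');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
    exit;
}

// account.php (a separate file) would start with:
//   session_start();
//   if (empty($_SESSION['user'])) { header('Location: /login.php'); exit; }
//   $user = $_SESSION['user'];   // trusted: set server-side, never taken from $_GET/$_POST
```

The credentials file is read on every login here for simplicity; what matters for the question in the thread is that it is unreachable by URL and contains no plaintext passwords, so a directory-listing mistake or a server that stops parsing PHP does not hand out the passwords themselves.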

                  I think differently. Sometimes 2 pages can grow quite big themselves. For example, the project I am working on has a search page. This search page has to go through many abstraction layers before it can do its primary search function. So the page itself is quite large. I cannot imagine combining 2 pages into 1. Also I would hate to debug any page that is more than 300 lines. It is simply too messy. As for the most secure way of passing variables, I think an SSL connection would avoid outside tampering, and a hashed URL var would reduce URL hacking. Suppose you have this URL: mycomp.com/load_data.php?id=6&sort=asc&history=3
                  URL hashing would bring this down to something like this:
                  mycomp.com/load_data.php?var=FGYUILPTGAW:KXL&<
                  Of course this is not a 1-way encryption. That means someone with your source code can decrypt your URL in no time. So what you do is provide an abstraction layer that classifies users into different classes or groups, like the Linux system, where id=6 is only available to a certain group and history=3 would be available to another group of groups. Anyone within this group can access it while others fail. This method works well. It only fails if you poorly define your permission list. My project uses this scheme.
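The two ideas in the post above (a URL whose parameters cannot be quietly altered, plus a server-side permission list per group), as an added example that is not part of the poster's project. Instead of obfuscating the query string, which the poster notes anyone holding the source can reverse, the parameters stay readable and an HMAC over them, computed with a secret that lives only on the server, is appended as `sig`; `load_data.php` refuses any request whose signature does not verify and then checks the caller's group against a permission list. `SIGNING_KEY`, the `ALLOWED` table and the group names are constructed placeholders.

```php
<?php
// Added example, not from any post in this thread. Signs the query parameters
// with an HMAC so a user cannot alter id/sort/history without invalidating the
// link, then applies a per-group permission check on the server.
// Real deployments load the key from a file outside the web root.
const SIGNING_KEY = 'replace-with-a-long-random-secret';   // placeholder

function sign_params(array $params): string
{
    ksort($params);                                   // canonical key order
    $query = http_build_query($params);
    $params['sig'] = hash_hmac('sha256', $query, SIGNING_KEY);
    return http_build_query($params);
}

// Returns the verified parameters, or null if the signature is missing or wrong.
function verify_params(array $params): ?array
{
    $sig = $params['sig'] ?? null;
    unset($params['sig']);
    if (!is_string($sig)) {
        return null;
    }
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), SIGNING_KEY);
    return hash_equals($expected, $sig) ? $params : null;   // constant-time compare
}

// Permission list (constructed): which record ids and history depths each group may read.
const ALLOWED = [
    'staff' => ['id' => [6, 7], 'history' => [1, 2, 3]],
    'guest' => ['id' => [7],    'history' => [1]],
];

function authorized(string $group, array $params): bool
{
    $rules = ALLOWED[$group] ?? null;
    if ($rules === null) {
        return false;                                 // unknown group: deny
    }
    return in_array((int)($params['id'] ?? -1), $rules['id'], true)
        && in_array((int)($params['history'] ?? -1), $rules['history'], true);
}

// Building the link on the page that offers it:
$url = '/load_data.php?' . sign_params(['id' => 6, 'sort' => 'asc', 'history' => 3]);
// e.g. /load_data.php?history=3&id=6&sort=asc&sig=<64 hex chars>

// Handling the request inside load_data.php:
session_start();
$params = verify_params($_GET);
if ($params === null) {
    http_response_code(400);
    exit('missing or tampered signature');
}
$group = $_SESSION['group'] ?? 'guest';               // set at login, never from the URL
if (!authorized($group, $params)) {
    http_response_code(403);
    exit('forbidden');
}
// ... run the search with $params['id'], $params['sort'], $params['history']
```

The signature stops silent edits of a link the user was given; the permission check is still needed because a signed link can be shared, so the group of the session that presents it, not the link alone, decides what it may read.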

                    I was basing my statement on my own experience that when you start programming with PHP you tend to split the code amongst several pages rather than a single page. Sometimes splitting it across pages makes the code more unreadable and more spaghetti like. I assumed that based upon the question that this was somebody that was more at the start of the PHP learning curve and/or programming curve.

                      8 days later

                      I could be totally off here, but have you considered SSL?

                        Security is always an issue.
                        But I think the safest way of protecting your data, and now I'm not including firewalls etc, is by:
                        1. Use SSL
                        2. htaccess (or what it was called) on/in folders
                        3. Store info outside WWW root
                        4. Use *.php on .class and .inc files.

                        I think this is the safest way to protect data.

                        As for using several files for code; I believe it is good programming practice to do that.
                        One stores classes in separate files
                        One stores different functions in different include files
                        Separate logic from presentation
                        Easy to locate specific functions within the programs (if you have a structure/logic for file(names)).

                        And etc :-)
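Items 3 and 4 of the list above (keep sensitive info outside the WWW root; name helper files `*.php`), as an added example that is not code from any post in this thread. The directory layout and file names are assumed: the document root is `/var/app/public_html`, the database settings sit in `/var/app/private/config.php` where no URL can reach them, and the include file carries a guard so that a direct request for `/lib/db.inc.php` runs and stops instead of revealing anything. Each file shown begins with its own `<?php` tag.

```php
<?php
// /var/app/public_html/index.php -- added example, not from any post in this thread.
// Assumed layout (hypothetical paths):
//   /var/app/private/config.php          <- DB name/user/password; outside the web root
//   /var/app/public_html/index.php       <- document root is public_html
//   /var/app/public_html/lib/db.inc.php  <- ends in .php so it is executed, never served as text
define('IN_APP', true);

$config = require __DIR__ . '/../private/config.php';   // returns an array, see below
require __DIR__ . '/lib/db.inc.php';

$db = connect_db($config);


// ---- /var/app/private/config.php ----
// Returned as an array; nothing here is inside the document root.
return [
    'db_host' => 'localhost',
    'db_name' => 'app',
    'db_user' => 'app_user',
    'db_pass' => 'REPLACE_ME',   // placeholder
];


// ---- /var/app/public_html/lib/db.inc.php ----
// Guard: refuse to do anything unless included by a page that defined IN_APP.
// Because the name ends in .php, a direct request executes this and gets a 404;
// a bare ".inc" file might be handed out verbatim by a misconfigured server.
if (!defined('IN_APP')) {
    http_response_code(404);
    exit;
}

function connect_db(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
                   $cfg['db_host'], $cfg['db_name']);
    return new PDO($dsn, $cfg['db_user'], $cfg['db_pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

A quick check after deploying: request `/lib/db.inc.php` and `/../private/config.php` in a browser; the first should return 404 with an empty body and the second should not resolve to the file at all. If either shows source text, the server is serving rather than executing PHP, which is the failure mode described earlier in the thread.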
