[RESOLVED] setting and accessing $_POST variables

edwardp

I am looking at the possible security problems that have left open in my site. I am changing any $GET to $POST but i have hit a problem.

previously i had this code:

echo "<td align=middle width=33%><a href=\"javascript:loadwindow('sepack.php?parts=".$SEPACKSTRINGPARTS."&desc=".$SEPACKSTRINGDESC."',490,380)\">".$this->selectedOptions['optional'][$x]."</a></td>";

But would like to pass the two $SEPACKSTRING and $SEPACKDESC into the $_POST array to be accessed by sepack.php instead of sending a query string

therfore i have tried:

$_POST['parts'] = $SEPACKSTRINGPARTS;
$_POST['desc'] = $SEPACKSTRINGDESC;

echo "<td align=middle width=33%><a href=\"javascript:loadwindow('sepack.php',490,380)\">".$this->selectedOptions['optional'][$x]."</a></td>";

when i view sepack.php, i cannot retrieve the $_POST array data

do i need to send the data via a form to work??

any help i s much appreciated

edwardp

Is it possible to use session_register() within a class? if so where do i place the session_start()? at the top of the page that instantiates the class?

Also is this a secure solution to the above problem?

Weedpacket

You'd need to submit the data to sepack.php (as a form submission) or it won't receive it.

But as far as I can see you already have the data; so it's redundant (and risky) to be sending this to the client and gettting it back again anyway. So sessions would be a better solution all round. Where to put session_start()? Whatever your structure is, it would need to be both before you start sending any output to the client (it uses HTTP headers to send the session ID to the client), and before you have any need for the session data itself.

Where to use session_register()? Best answer is don't. Just use the $_SESSION array.

edwardp

so i can just use:


$_SESSION['varname'] = $varname;

Weedpacket

After session_start() is called, yup. (Just thought I'd mention; if you store any objects in the session, then their classes need to be declared before you retrieve them later so that PHP knows what sort of object they are.)

edwardp

NICE ONE!! works perfectly

😃

thanx v much