Hi
I am wondering if this is a good (secure) way of carrying data across from a form using sessions.
Here are the pages:
order.php
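<?php
/* Start the order again with a fresh session: empty the session array, expire the
   session cookie on the client, then discard the server-side session data. This is the
   three-step reset from the PHP manual; dropping the cookie is what stops the old session
   id from being resumed on the next request. */
session_start();
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
}
session_destroy();
/* NOTE(review): the form below carries no anti-CSRF token, so inc/order.php cannot tell a
   submission of this page from a cross-site POST. A random token stored in the session
   and echoed as a hidden field (checked with hash_equals() on the server) closes that. */
$pgn = "order"; include("header.php"); ?>
<div id="content">
<p class="header">Order</p>
<form method="post" action="inc/order.php" id="orderform">
<div class="form" id="orderformformat">
<p class="explanation">Please fill in your personal details</p>
<label for="first_name">First name:</label>
<input type="text" id="first_name" name="first_name"/>
<br />
<label for="last_name">Last name:</label>
<input type="text" id="last_name" name="last_name" />
<br />
<label for="street_number">Street number:</label>
<input type="text" id="street_number" name="street_number" />
<br />
<label for="street_name">Street name:</label>
<input type="text" id="street_name" name="street_name" />
<br />
<label for="city">City:</label>
<input type="text" id="city" name="city" />
<br />
<label for="home_phone">Home phone:</label>
<input type="text" id="home_phone" name="home_phone" />
<br />
<label for="cellphone">Cellphone:</label>
<input type="text" id="cellphone" name="cellphone" />
<br />
<br />
<p class="explanation">Now could you please fill in your items?</p>
<span>
<!-- inline style: the duplicated "font-family:" and the stray closing brace were removed -->
<textarea rows="12" cols="60" style="overflow:auto; border: 1px solid #000; background-image: url(images/template/item_list.gif); background-position: top left; background-repeat:no-repeat; padding-left: 22px; font-family: Tahoma, Arial, Helvetica, sans-serif; font-size: 14px; line-height: 18px;
scrollbar-arrow-color:#000;
scrollbar-base-color:#fff;
scrollbar-darkshadow-color:#fff;
scrollbar-face-color:#fff;
scrollbar-highlight-color:#fff;
scrollbar-shadow-color:#fff;
" name="items" id="items"></textarea>
</span>
<span><br />
<input type="button" value="Calculate cost" onclick="javascript: alert('Have not done this yet, just putting it there for looks at the moment');" />
</span>
<script type="text/javascript" src="js/textareaexpand.js"></script>
<p class="explanation">When would you like us to pick it up?</p>
<label for="day">Date:</label>
<!-- The placeholder text "Day" is submitted literally if the user never clicks the field;
     the server side should validate day/time rather than trust these defaults.
     Each control now has a single name attribute and an id matching its label. -->
<input type="text" size="2" id="day" name="day" value="Day" onclick="this.value='';" />
<select name="month" id="month">
<option>January</option>
<option>February</option>
<option>March</option>
<option>April</option>
<option>May</option>
<option>June</option>
<option>July</option>
<option>August</option>
<option>September</option>
<option>October</option>
<option>November</option>
<option>December</option>
</select>
<select name="year" id="year">
<option>2006</option>
<option>2007</option>
</select>
<br />
<label for="time">Time:</label>
<input type="text" name="time" id="time" size="2" value="11.00" onclick="this.value='';" />
<select name="timeset" id="timeset">
<option>am</option>
<option>pm</option>
</select>
<input type="submit" value="Submit order" />
</div>
</form>
</div>
<?php include("footer.php"); ?>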
I was thinking that, instead of using session_destroy(), I could have inc/order.php reset all the session data to 0.
inc/order.php
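<?php
/*
 * Handles the POST from order.php.
 *
 * Reads the form fields, validates the required ones, stores everything in the session
 * (so confirm.php / error.php can show it), inserts the order, and redirects.
 *
 * Session keys written: every field name listed in $fields, plus 'message'
 * (an HTML <li> list of the missing fields, '' when none) and 'order_status'
 * ("0" on validation failure, "1" once the row is inserted).
 *
 * session_register() is no longer used: it only ever had an effect with register_globals
 * on, and writing $_SESSION directly works on every configuration.
 */
session_start();
/* Checking for any bugs -- enabled before any input is touched so notices are reported */
error_reporting(E_ALL);

/* The only form fields this script accepts, in the column order used by the INSERT below. */
$fields = array(
    'first_name',
    'last_name',
    'street_number',
    'street_name',
    'city',
    'home_phone',
    'cellphone',
    'day',
    'month',
    'year',
    'time',
    'timeset',
    'items',
);

/* Read and trim each field. A missing field becomes '' instead of raising a notice, and a
   non-string value (e.g. a submitted array) is treated as missing.
   stripslashes() only undoes magic_quotes_gpc, so it is applied only when that is on;
   it is NOT an SQL or HTML escape -- those happen at the point of use below. */
$input = array();
$undoMagicQuotes = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
foreach ($fields as $field) {
    $raw = (isset($_POST[$field]) && is_string($_POST[$field])) ? trim($_POST[$field]) : '';
    $input[$field] = $undoMagicQuotes ? stripslashes($raw) : $raw;
}
/* Format the items into a nice list */
$input['items'] = str_replace(",", "\n", $input['items']);

/* Check if inputs are valid. $message collects one <li> per problem, in form order;
   the labels are fixed strings, never user input, so they are safe to render as HTML. */
$required = array(
    'first_name'    => 'First name',
    'last_name'     => 'Last name',
    'street_number' => 'Street number',
    'street_name'   => 'Street name',
    'city'          => 'City',
);
$message = '';
foreach ($required as $field => $label) {
    if ($input[$field] === '') {
        $message .= "<li>" . $label . "</li>";
    }
}
if ($input['home_phone'] === '' && $input['cellphone'] === '') {
    $message .= "<li>There must be at least one phone contact</li>";
}
if ($input['items'] === '') {
    $message .= "<li>Items</li>";
}
$hasError = ($message !== '');

/* Add variables to the session. Each field is stored under its own name (street_name now
   really holds street_name), and message/order_status are stored only after they are
   known, so confirm.php's check of order_status sees the final value. */
foreach ($input as $field => $value) {
    $_SESSION[$field] = $value;
}
$_SESSION['message'] = $message;

if ($hasError) {
    /* Put the order status to 0. For the error page. */
    $_SESSION['order_status'] = "0";
    header("Location: http://website/error.php");
    exit; /* header() does not stop the script; without exit the insert below would still run */
}

/* Order goes from 0 -> 1 in status */
$order_status = "1";
$_SESSION['order_status'] = $order_status;

/* Connect to database */
include("conn.php");

/* Escape every value before it is placed inside an SQL string literal. Interpolating the
   raw POST values would let a submitted quote alter the statement (SQL injection).
   mysql_real_escape_string() needs the open connection from conn.php, so it runs after
   the include. NOTE(review): the mysql_* extension is gone in PHP 7+; the durable fix is a
   prepared statement with bound parameters (mysqli or PDO). */
$escaped = array();
foreach ($input as $field => $value) {
    $escaped[$field] = mysql_real_escape_string($value);
}
$escaped['order_status'] = mysql_real_escape_string($order_status);

/* Insert all information. Column names come from our own $fields list, not from the client. */
$sql = "INSERT INTO orders (" . implode(", ", array_keys($escaped)) . ")"
     . " VALUES ('" . implode("', '", $escaped) . "')";
if (mysql_query($sql) === false) {
    /* Log the driver error server-side; do not echo it to the browser, since it reveals
       table/column names and the failing statement. */
    error_log("order insert failed: " . mysql_error());
    die("Sorry, your order could not be saved. Please try again later.");
}
mysql_close();
header("Location: http://website/confirm.php");
exit;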
confirm.php
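<?php
/*
 * Confirmation page: shows the order that inc/order.php stored in the session.
 *
 * Every session value shown here originated as user input from order.php, so each one is
 * HTML-escaped on output. Without that, a name or item line containing markup would be
 * rendered as HTML/script in the customer's own browser (stored XSS via the session).
 */
error_reporting(E_ALL);
session_start();
if (!isset($_SESSION['order_status']) || $_SESSION['order_status'] !== "1") {
    die("please place an order first");
}

/* Escape a value for an HTML text or attribute context. */
function esc_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$pgn = "confirm"; include("header.php"); ?>
<div id="content">
<p class="header">Is this all correct?</p>
<p class="explanation">Your personal details</p>
<form method="post" action="inc/order.php" id="orderform">
<div class="form" id="orderformformat">
<label for="first_name">First name:</label>
<span class="confirm"><?php echo esc_html($_SESSION['first_name']); ?></span>
<br />
<label for="last_name">Last name:</label>
<span class="confirm"><?php echo esc_html($_SESSION['last_name']); ?></span>
<br />
<label for="street_number">Street number:</label>
<span class="confirm"><?php echo esc_html($_SESSION['street_number']); ?></span>
<br />
<label for="street_name">Street name:</label>
<span class="confirm"><?php echo esc_html($_SESSION['street_name']); ?></span>
<br />
<label for="city">City:</label>
<span class="confirm"><?php echo esc_html($_SESSION['city']); ?></span>
<br />
<label for="home_phone">Home phone:</label>
<span class="confirm"><?php echo esc_html($_SESSION['home_phone']); ?></span>
<br />
<label for="cellphone">Cellphone:</label>
<span class="confirm"><?php echo esc_html($_SESSION['cellphone']); ?></span>
<br />
<br />
<p class="explanation">Your items</p>
<?php /* escape first, then turn newlines into <br />; the other order would escape the <br /> tags */ ?>
<?php echo nl2br(esc_html($_SESSION['items'])); ?>
<p class="explanation">Pick up details</p>
<label for="day">Date:</label>
<span class="confirm"><?php echo esc_html($_SESSION['day']); ?>/<?php echo esc_html($_SESSION['month']); ?>/<?php echo esc_html($_SESSION['year']); ?></span>
<br />
<label for="time">Time:</label>
<span class="confirm"><?php echo esc_html($_SESSION['time']); ?> <?php echo esc_html($_SESSION['timeset']); ?></span>
</div>
<!-- history.back() takes no argument; history.go(-1) is the call that steps back one page.
     NOTE(review): the "all good" link confirms the order with a plain GET to "submit", which
     is not shown here; a state-changing step is better done as a POST button inside this form. -->
<p class="header"><a href="javascript: history.go(-1);"><< No way! Take me back</a> | <a href="submit">Yeah that look's all good >></a></p>
</form>
</div>
<?php include("footer.php"); ?>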