  1. #1
    Question Using $_POST instead of $_SESSION

    Hi

    I am new here but I need help and I have searched the forum first. I found
    countless threads on the subject of sessions but can't find the answer to
    what I need.

    I started using sessions on my site some time ago and it all works great
    provided the user has cookies enabled.

    Now I'm trying to make it work even if they don't have cookies enabled.
    I started to investigate doing the TRANS_ID stuff but before that...

    What I realised is that if I set $_POST variables, these are accessible
    whether they have cookies enabled or not.

    Do the $_POST variables work just like $_SESSION, i.e. are they unique for
    the user?

    E.g. I have a registration form, collect all the fields, data in the post fields
    and I submit the form to a PHP script.

    If that script detects a problem, e.g. invalid username, it can set a $_POST
    variable to that effect and then redirect to the signup form.

    The signup form can then read that same $_POST variable and know what
    to do.

    So what am I missing?

    If I use $_SESSION I'm at the mercy of whether the user has cookies
    enabled, if I use $_POST I'm not...

    Is it security? convenience?

    Sorry if I'm being dense.

    Thanks in advance
    Troy

  2. #2
    kromey
    $_POST does not work like you think it does. $_POST is only available when a user submits a form. Once you redirect or the user clicks away to something else, all those $_POST variables "go away".

    And yes, there are security concerns with $_POST since they are entirely user-supplied, whereas $_SESSION exists solely on the server and is untouchable by the user. For what you are trying to do, you need to use sessions; keep investigating TRANS_ID, but beware of the increased threat of session hijacking when doing so.
    PHP questions? RTFM
    MySQL questions? RTFM

  3. #3
    OK, thanks kromey, understood.

    I will persevere with trying to get the session ID in the URL. I am aware of
    the issue you talk about but I have two applications of session.

    One is where a currently unregistered user is signing up for an account and
    I want to track where they came from etc to put in the DB. Someone could
    not do much if they hijacked this session.

    The other use is for a user to log on and I can more easily insist they have to
    enable cookies there.

    I think I know where my problem must be - I parse an HTML file with my form
    in so that I can replace certain strings with from the DB.

    i.e. I read an HTML file line by line, searching and replacing as I need and then
    echo the string - I take it PHP won't add the session ID automatically
    to my URL in this case? I have to add it manually?

    Thanks for your swift help, really appreciated.

    Troy
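
The redirect-after-validation flow discussed in this thread, as an added example that is not code from either poster: the error is kept in $_SESSION across the redirect because $_POST is empty on the next request, and the session ID stays in a cookie rather than the URL. The file name signup.php, the "username" field and the validation rule are assumptions.

```php
<?php
// Added example; signup.php, the "username" field and the rule are assumptions.
declare(strict_types=1);
// Keep the session ID in a cookie, never in the URL, and refuse IDs the
// server did not issue. This avoids the hijacking exposure of URL-based IDs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Validate user-supplied input on the server; $_POST is never trusted as state.
function validate_username(string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
        return 'Username must be 3-20 letters, digits or underscores.';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $error = validate_username($name);
    if ($error !== null) {
        // Server-side state survives the redirect; $_POST will not.
        $_SESSION['signup_error'] = $error;
        $_SESSION['signup_name']  = $name;
    } else {
        // New ID whenever the session gains meaning (account created, login).
        session_regenerate_id(true);
        $_SESSION['signup_ok'] = $name;
    }
    header('Location: signup.php', true, 303);
    exit;
}

// GET after the redirect: $_POST is empty here, the session still has the data.
$error = $_SESSION['signup_error'] ?? null;
$name  = $_SESSION['signup_name'] ?? '';
$ok    = $_SESSION['signup_ok'] ?? null;
unset($_SESSION['signup_error'], $_SESSION['signup_name'], $_SESSION['signup_ok']);
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<?php if ($ok !== null): ?><p>Account created for <?= $h($ok) ?>.</p><?php endif; ?>
<?php if ($error !== null): ?><p class="error"><?= $h($error) ?></p><?php endif; ?>
<form method="post" action="signup.php">
  <input name="username" value="<?= $h($name) ?>">
  <button type="submit">Sign up</button>
</form>
```

It can be tried locally with PHP's built-in server (`php -S localhost:8000`) by submitting an invalid username and reloading the form.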

