Set Session Variables within a Hyperlink

I am afraid I don’t know enough PHP to do this on my own :frowning:

I have two pages: one is a careers page, and the next is a form for uploading resumes. I would like to have it so that the upload form remembers what job the user clicked from in the careers page, so that it can be included in the heading, and also included in the subject line of the email that will be sent after submitting the form. Seems like this would be a pretty common use of session variables, but I have been unable to find any help.

Here’s what I have done so far:
Put this snippet into the top of both pages:


<?php
session_start();
session_register("job");               // deprecated; registers the global $job as a session variable
$HTTP_SESSION_VARS ["job"] = $job;     // $job is only populated when register_globals is on, otherwise this stores null
?>

Each job has a link, which I have coded thusly:


<a href="https://www.mydomain.com/rsm_upload.php?job=Civil%20Engineer">Civil Engineer</a>

Of course, each link is different…

In the “rsm_upload.php” page, I have this in the body:


<h1>Apply for <?php echo $_SESSION['job']; ?> Position</h1>

This seems fairly simple. Shouldn’t this work? Why not? What am I missing?

OK!

So exactly what should I be including in this code to minimize these risks? Don’t quite understand what (or how) to escape or filter…

Gosh! For some reason, security issues seemed so non-sequitur to me. After all, these are just a bunch of links, not a login, or even an application that will write to the database.

Exactly how could some nefarious person hack into my site–or worse yet: my email server or database–with this application?

The only thing I can imagine is, as you say, someone types “?id=345&title=Hacker” into the address bar … they would just go to the forms page and only see blank spaces where the variables should have been. I don’t see how they can inject anything evil.

I am more concerned about the form itself, as a couple hidden fields contain the destination email address, which can be spoofed. And, of course, the attachment could contain malicious macros that will cause problems when opened… but really, I fail to see any real threat.

Sessions aren’t really needed here from what I see above.


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Demo</title>
    </head>
    <body>
        <ul>
          <li>
            <a href="job.php?title=Mars Engineer">Mars Engineer</a>
          </li>
          <li>
            <a href="job.php?title=Mars Bar Engineer">Mars Bar Engineer</a>
          </li>
        </ul>
    </body>
</html>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Demo</title>
    </head>
    <body>
      <h1>Apply for the <?php echo $_GET['title']; ?> job here</h1>
      <p>Stuff...</p>
    </body>
</html>

Please bear in mind that this is riddled with issues, always filter user input and properly escape it if you plan on using it.

Remember, users, they’re everywhere and want to break your application! :shifty:

I’d suggest you start working with job ids in the URLs, rather than names. Job names are not unique, whereas job ids are. So for example:

Job Type: Engineer
Job ID: 12851
Company: EngiCorp

could have a URL like job.php?id=12851
You can use that same id on the resume upload script, like rsm_upload.php?id=12851.

This would work best if you use a MySQL database behind it that can keep track of the ids, but it will also work without one of course, as long as you know yourself which id goes with which job.

By using anything that comes from a user’s request as a GET parameter, a user could maliciously enter statements that compromise the security of the page - you should check that the input is similar to what you are expecting. This is also being sent through a URL, meaning that the GET fields need to be encoded for URLs.

As for using both:

On page with all jobs:

 <a href="rsm.php?id=123&amp;title=Developer">Apply for developer position</a>

Then on rsm.php


<?php
$jobID = $_GET['id'];
$jobTitle = $_GET['title'];
?>

You can then use these variables on your page. However, a cunning person can come along and change the ID, say to 345 instead of 123, breaking the application (the two don’t go together). Worse, if and when tied to a database, these fields can be manipulated to delete everything from the database etc.

Check out XSS and SQL Injection (http://en.wikipedia.org/wiki/SQL_injection). Maybe then, you’ll not be so nonchalant about security. :wink:
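Putting the advice of the last two replies together (ids instead of names in the URL, check the input against what you expect, URL-encode what goes into links, escape what goes into the page), here is an added example. It is not code from anyone in this thread. The `JOBS` array is a constructed stand-in for the MySQL table the replies mention, and the ids, titles and file names are made up.

```php
<?php
// Added example, not the thread's code: job lookup by id with validation and escaping.
// JOBS stands in for the jobs table; the ids and titles are constructed for the demo.

declare(strict_types=1);

/** Constructed job list: id => title. Only these ids are valid. */
const JOBS = [
    12851 => 'Civil Engineer',
    12852 => 'Mars Engineer',
    12853 => 'Mars Bar Engineer',
];

/** Careers-page link for a job id; the id is the only thing sent in the URL. */
function jobLink(int $id): string
{
    if (!array_key_exists($id, JOBS)) {
        throw new InvalidArgumentException("unknown job id $id");
    }
    // http_build_query URL-encodes the query string; htmlspecialchars escapes it for HTML.
    $href = 'rsm_upload.php?' . http_build_query(['id' => $id]);
    return sprintf(
        '<a href="%s">%s</a>',
        htmlspecialchars($href, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars(JOBS[$id], ENT_QUOTES, 'UTF-8')
    );
}

/**
 * Resolve the id a request carries to a known job, or null.
 * Filtering: the value must be a positive integer that is in the allowed list;
 * anything else (a job name, "345&title=Hacker", an SQL fragment) is rejected
 * and never reaches the page or the mail subject.
 */
function jobFromRequest(array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false || !array_key_exists($id, JOBS)) {
        return null;
    }
    return ['id' => $id, 'title' => JOBS[$id]];
}

/** Heading for rsm_upload.php: the title comes from our table, never from the URL. */
function jobHeading(array $get): string
{
    $job = jobFromRequest($get);
    if ($job === null) {
        return '<h1>Unknown position</h1>';
    }
    return '<h1>Apply for the '
        . htmlspecialchars($job['title'], ENT_QUOTES, 'UTF-8')
        . ' position</h1>';
}

/** Subject line for the notification mail: a fixed table value, so nothing from the URL is echoed. */
function mailSubject(array $get): string
{
    $job = jobFromRequest($get);
    if ($job === null) {
        return 'Resume: unspecified position';
    }
    return sprintf('Resume: %s (#%d)', $job['title'], $job['id']);
}

// Demo with constructed requests (the arrays stand in for what a browser sends as $_GET).
foreach (array_keys(JOBS) as $id) {
    echo jobLink($id), "\n";
}
echo jobHeading(['id' => '12851']), "\n";            // title taken from the table
echo jobHeading(['id' => '345']), "\n";              // unknown id: neutral heading
echo jobHeading(['id' => '12851<script>']), "\n";    // fails FILTER_VALIDATE_INT
echo mailSubject(['id' => '12853']), "\n";
```

The design point is that the URL carries only an identifier and every human-readable string is looked up server-side, so changing `id` in the address bar can at most select a different valid job or fall through to the "unknown" branch. When the MySQL table arrives, `JOBS` becomes a parameterised `SELECT title FROM jobs WHERE id = ?`, and the validation and escaping stay exactly as they are.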

Correct, there is no need for a session.

This can be done just by sending a parameter in the hyperlink and reading it through the PHP superglobal $_GET on the other page.

:slight_smile:

Wow!

I really must be a noob! What is this “filtering” and “escaping” you speak of?

We are working on implementing a MySQL database for this application, but that may be months away. In the meantime, how do I hook up the ID with the Job Type?