$_SESSION $_POST

  #1  
Old July 17th, 2005, 08:39 AM
mammothman42
Guest
 
Posts: n/a
Default $_SESSION $_POST

hi

i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array? or maybe even vice versa? or am i doing this all the
wrong way?

cheers
dave

  #2  
Old July 17th, 2005, 08:40 AM
Alvaro G. Vicario
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
> i've got a basic user register form, action="POST". in my php code (on
> the same page, i store the $_POST stuff to a $_SESSION if the user
> screws a field up so they don't have to reenter all their info. But
> i'm thinking, why should i use $_POST at all if i can just us the
> $_SESSION array?

If you can store the $_POST stuff into a $_SESSION without using $_POST...


--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Las dudas informáticas recibidas por correo irán directas a la papelera
-+ I'm not a free help desk, please don't e-mail me your questions
--
  #3  
Old July 17th, 2005, 08:40 AM
Westcoast Sheri
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

mammothman42 wrote:
> hi
>
> i've got a basic user register form, action="POST". in my php code (on
> the same page, i store the $_POST stuff to a $_SESSION if the user
> screws a field up so they don't have to reenter all their info. But
> i'm thinking, why should i use $_POST at all if i can just us the
> $_SESSION array? or maybe even vice versa? or am i doing this all the
> wrong way?
>
> cheers
> dave

This is actually a very good question. I would like to see more answers
from the group regarding this. I would personally want to see speed
benchmark comparisons on what is faster: lots of session data and less
arrays, or very little session data with lots of arrays.

  #4  
Old July 17th, 2005, 08:49 AM
Markus Ernst
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

Alvaro G. Vicario wrote:
> *** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
>> i've got a basic user register form, action="POST". in my php code
>> (on the same page, i store the $_POST stuff to a $_SESSION if the
>> user screws a field up so they don't have to reenter all their info.
>> But i'm thinking, why should i use $_POST at all if i can just us the
>> $_SESSION array?
>
> If you can store the $_POST stuff into a $_SESSION without using
> $_POST...

<form method="SESSION"> ... ;-)

--
Markus


  #5  
Old July 17th, 2005, 08:49 AM
Simon Stienen
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
> Alvaro G. Vicario wrote:
>> *** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
>>> i've got a basic user register form, action="POST". in my php code
>>> (on the same page, i store the $_POST stuff to a $_SESSION if the
>>> user screws a field up so they don't have to reenter all their info.
>>> But i'm thinking, why should i use $_POST at all if i can just us the
>>> $_SESSION array?
>>
>> If you can store the $_POST stuff into a $_SESSION without using
>> $_POST...
>
> <form method="SESSION"> ... ;-)

<irony>
Yeah, and the most common way to hack a page is by using
<form method="SERVER">
.... Everybody should know that.
</irony>
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
  #6  
Old July 17th, 2005, 08:51 AM
mammothman42@hotmail.com
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

ahhh! fully confused! so should i be using SESSION variables or POST?
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem. should i submit the form as SESSION, or is this a
security flaw? it seems stupid using post, and then having to copy, one
by one, the variables to SESSION. doesn't seem "right".

cheers
dave

  #7  
Old July 17th, 2005, 08:52 AM
Simon Stienen
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

<mammothman42@hotmail.com> wrote:
> ahhh! fully confused! so should i be using SESSION variables or POST?
> That is, how is this kinda thing usually done? i'm sure it's a fairly
> common problem. should i submit the form as SESSION, or is this a
> security flaw? it seems stupid using post, and then having to copy, one
> by one, the variables to SESSION. doesn't seem "right".
>
> cheers
> dave

To get data from the user, you have 2.5 options:
1) GET: The variables are stored in the query string of the URL (the part
after the '?'). Usable with: Hyperlinks, Forms.
2) POST: The variables are sent in the body of the HTTP request. This is
the _only_ common way to transmit files. (You could use PUT for this, too,
but AFAIK it's not widely supported.) Usable with: Forms.
3) COOKIE: This is the "half option" in the 2.5, since you are likely to
set all the data you receive from a cookie yourself in a PHP script. You
could use JavaScript to modify a cookie, too, but since this depends on the
client it's no real option. Usable with: Server side mechanisms only. (With
the exception of the mentioned method.)

The "BIG 7" aren't complete yet. Additionally to the above, there are:
a) $_ENV: The complete environment which has been passed to PHP. These are
most likely not the same variables you get by typing 'env' on the console,
but specific information about the server and the current request. In most
cases, you won't need this, because all of the important information gets
parsed by PHP and is stuffed into $_SERVER.

b) $_SERVER: Contains a lot of useful data about the server software and
the request itself. If you are searching for information on the current
request, var_dump($_SERVER) is almost certainly the best beginning.

c) $_FILES: If the raw POST input contained uploaded files, PHP will stuff
them into temporary files and stores all the known data about the file
(original filename, name of the temporary file, filesize and if submitted
the used mime-type [warning: this does not have to be the real mime-type!]) in
this superglobal.

d) $_SESSION: All the data in this array is the result of exactly ONE
variable supplied by the visitor (with either of the above methods): its
session id. According to this ID, PHP searches its session data for a
match. If there is a file with session data for this session, $_SESSION
will be filled with the data in that file.
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
  #8  
Old July 17th, 2005, 08:52 AM
Markus Ernst
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

mammothman42@hotmail.com wrote:
> ahhh! fully confused! so should i be using SESSION variables or POST?

Sorry for confusing you with a joke. For using forms it is essential to know
the ways data get transmitted from the form to the server. See the very
useful overview Simon Stienen gave you in his answer.

> That is, how is this kinda thing usually done? i'm sure it's a fairly
> common problem.

Not a problem, just common.

> should i submit the form as SESSION, or is this a
> security flaw?

No it was a joke. You have to use POST or GET.

> it seems stupid using post, and then having to copy,
> one by one, the variables to SESSION. doesn't seem "right".

If you want a shortcut to get all your postdata into the $_SESSION array:

// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries with the
same keys in the session data:
$_SESSION = array_merge($_SESSION, $_POST);

But usually you will not want this, as you want to process the posted data
rather than store it into the session.

HTH
Markus


  #9  
Old July 17th, 2005, 08:52 AM
Simon Stienen
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
> // This puts the post data at the end of the $_SESSION array:
> $_SESSION = $_SESSION + $_POST;
>
> // As an alternative, this will overwrite already existing entries with the
> same keys in the session data:
> $_SESSION = array_merge($_SESSION, $_POST);
>
> But usually you will not want this, as you want to process the posted data
> rather than store it into the session.
>
> HTH
> Markus

This is a *VERY* bad idea. Imagine you use user based rights management...
Everyone could simply send a form with one of the fields:
<input name="admin" value="1"> // flag based user management
<input name="userid" value="1"> // user management by user id
// (auto_increment assumed, therefore 1, not 0)
<input name="user" value="admin"> // user management by user name
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
  #10  
Old July 17th, 2005, 08:53 AM
mammothman42@hotmail.com
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

things making a bit of sense now.

simon, what exactly is a *very* bad idea? using merge? or using POST in
general? bit lost on that one sorry.

cheers
dave

  #11  
Old July 17th, 2005, 08:53 AM
Simon Stienen
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

<mammothman42@hotmail.com> wrote:
> things making a bit of sense now.
>
> simon, what exactly is a *very* bad idea? using merge? or using POST in
> general? bit lost on that one sorry.
>
> cheers
> dave

Sorry -g-
Writing the unchecked POST data directly into the session.
If you *need* to do so, take a special variable, for example:
$_SESSION['post_data'] = $_POST;
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
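As an added example (not code from any poster in this thread), the following PHP contrasts the two shortcuts from post #8 with the dedicated-key approach from post #11; the $session and $post arrays are constructed stand-ins for the real superglobals so the script runs without a web server.

```php
<?php
// Added example (not from the thread). Session and POST arrays are
// constructed here so the script runs offline without a web server.

// Constructed session state after an ordinary, non-admin login.
$session = ['userid' => 42];

// Constructed registration POST. A visitor who guesses the key name can
// simply add an extra field to the form they submit.
$post = ['name' => 'dave', 'email' => 'dave@example.invalid', 'admin' => '1'];

// Both shortcuts from the thread are unsafe. array_merge() lets a posted
// key overwrite an existing session key; the + operator keeps existing
// keys but still adds any key the session did not have yet, such as 'admin'.
function merge_unchecked(array $session, array $post): array {
    return array_merge($session, $post);
}
function union_unchecked(array $session, array $post): array {
    return $session + $post;
}

// The fix Simon suggests: park the posted data under one dedicated key so it
// can never collide with authorization keys at the top level of the session.
function stash_post(array $session, array $post): array {
    $session['post_data'] = $post;
    return $session;
}

// Authorization must only look at keys the application itself set.
function is_admin(array $session): bool {
    return !empty($session['admin']);
}

// Re-filling the form reads from the stashed copy only, HTML-escaped.
function prefill(array $session, string $field): string {
    $value = $session['post_data'][$field] ?? '';
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

var_dump(is_admin(merge_unchecked($session, $post))); // visitor gains admin
var_dump(is_admin(union_unchecked($session, $post))); // same outcome
$safe = stash_post($session, $post);
var_dump(is_admin($safe));                            // still not admin
echo '<input name="name" value="' . prefill($safe, 'name') . '">', PHP_EOL;
```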
  #12  
Old July 17th, 2005, 08:54 AM
mammothman42@hotmail.com
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

hang on i just realised i don't need to use sessions at all! i just set
the values of each field to $_POST[name, user, etc], instead of storing
it in a session and setting them to $_SESSION[name etc]. Or was this
never suggested for a good reason I'm blatantly missing?

  #13  
Old July 17th, 2005, 08:54 AM
Geoff Berrow
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

I noticed that Message-ID:
<1096433092.420652.208470@h37g2000oda.googlegroups.com> from
mammothman42@hotmail.com contained the following:

>hang on i just realised i don't need to use sessions at all! i just set
>the values of each field to $_POST[name, user, etc], instead of storing
>it in a session and setting them to $_SESSION[name etc]. Or was this
>never suggested for a good reason I'm blatantly missing?

One assumed you had a reason... :-}

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
  #14  
Old July 17th, 2005, 08:55 AM
Markus Ernst
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

Simon Stienen wrote:
> Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
>> // This puts the post data at the end of the $_SESSION array:
>> $_SESSION = $_SESSION + $_POST;
>>
>> // As an alternative, this will overwrite already existing entries
>> with the same keys in the session data:
>> $_SESSION = array_merge($_SESSION, $_POST);
>>
>> But usually you will not want this, as you want to process the
>> posted data rather than store it into the session.

> This is a *VERY* bad idea. Imagine you use user based rights
> management... Everyone could simply send a form with one of the
> fields: <input name="admin" value="1"> // flag based user management
> <input name="userid" value="1"> // user management by user id
> // (auto_increment assumed, therefore 1, not 0)
> <input name="user" value="admin"> // user management by user name

Right - I did not mean to recommend that procedure (as I mentioned). If for
any reason somebody would do it like that anyway, precautions could help,
such as using uncommon names for the rights management relevant session
variables, such as $_SESSION['cold_beer'] or $_SESSION['ht8Uz6']. So hacking
it via postdata would require exact knowledge of the application.

--
Markus


  #15  
Old July 17th, 2005, 08:55 AM
mammothman42@hotmail.com
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

it's all starting to fall into place now! i'm curious though as what
can be hacked these days. How exactly does a hacker forge a header to
fake POST data? How do they send SESSION values to my server? It's all
slightly disconcerting.

cheers
dave

  #16  
Old July 17th, 2005, 08:55 AM
Simon Stienen
Guest
 
Posts: n/a
Default Re: $_SESSION $_POST

<mammothman42@hotmail.com> wrote:
> How exactly does a hacker forge a header to fake POST data? How do they
> send SESSION values to my server?

Read RFC 2616 for that. :)
Forged data is nothing else but a normal request with self chosen data for
GET-, POST- and Cookie-variables.

Btw.: "Faking" POST data is not complicated: Just write your own form, fill
it and send it.
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle