$_SESSION $_POST

*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):

i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array?

If you can store the $_POST stuff into a $_SESSION without using $_POST...
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Las dudas informáticas recibidas por correo irán directas a la papelera
-+ I'm not a free help desk, please don't e-mail me your questions
--

mammothman42 wrote:

hi

i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array? or maybe even vice versa? or am i doing this all the
wrong way?

cheers
dave

This is actually a very good question. I would like to see more answers
from the group regarding this. I would personally want to see speed
benchmark comparisons on what is faster: lots of session data and less
arrays, or very little session data with lots of arrays.

Alvaro G. Vicario wrote:

*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):

i've got a basic user register form, action="POST". in my php code
(on the same page, i store the $_POST stuff to a $_SESSION if the
user screws a field up so they don't have to reenter all their info.
But i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array?

If you can store the $_POST stuff into a $_SESSION without using
$_POST...

<form method="SESSION "> ... ;-)

--
Markus

Markus Ernst <derernst@NO#SP #AMgmx.ch> wrote:

Alvaro G. Vicario wrote:

*** mammothman42 escribi񮶲ot e (17 Sep 2004 20:04:16 -0700):

i've got a basic user register form, action="POST". in my php code
(on the same page, i store the $_POST stuff to a $_SESSION if the
user screws a field up so they don't have to reenter all their info.
But i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array?

If you can store the $_POST stuff into a $_SESSION without using
$_POST...

<form method="SESSION "> ... ;-)

<irony>
Yeah, and the most common way to hack a page is by using
<form method="SERVER" >
.... Everybody should know that.
</irony>
--
Simon Stienen <http://dangerouscat.ne t> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle

ahhh! fully confused! so should i be using SESSION variables or POST?
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem. should i submit the form as SESSION, or is this a
security flaw? it seems stupid using post, and then having to copy, one
by one, the variables to SESSION. doesn't seem "right".

cheers
dave

<ma**********@h otmail.com> wrote:

ahhh! fully confused! so should i be using SESSION variables or POST?
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem. should i submit the form as SESSION, or is this a
security flaw? it seems stupid using post, and then having to copy, one
by one, the variables to SESSION. doesn't seem "right".

cheers
dave

To get data from the user, you have 2.5 options:
1) GET: The variables are stored in the query string of the URL (the part
after the '?'). Usable with: Hyperlinks, Forms.
2) POST: The variables are sent in the body of the HTTP request. This is
the _only_ common way to transmit files. (You could use PUT for this, too,
but AFAIK it's not widely supported.) Usable with: Forms.
3) COOKIE: This is the "half option" in the 2.5, since you are likely to
set all the data you recieve from a cookie yourself in a PHP script. You
could use JavaScript to modify a cookie, too, but since this depends on the
client it's no real option. Usable with: Server side mechanisms only. (With
except of the mentioned method.)

The "BIG 7" aren't complete yet. Additionaly to the above, there are:
a) $_ENV: The complete environment which has been passed to PHP. These are
most likely not the same variables you get by typing 'env' on the console,
but specific information about the server and the current request. In most
cases, you won't need this, because all of the important information gets
parsed by PHP and is stuffed into $_SERVER.

b) $_SERVER: Contains a lot of useful data about the server software and
the request itself. If you are searching for information on the current
request, var_dump($_SERV ER) is almost certainly the best beginning.

c) $_FILES: If the raw POST input contained uploaded files, PHP will stuff
them into temporary files and stores all the known data about the file
(original filename, name of the temporary file, filesize and if submitted
the used mime-type [warning: this has not to be the real mime-type!]) in
this superglobal.

d) $_SESSION: All the data in this array is the result of exactly ONE
variable supplied by the visitor (with either of the above methods): It's
session id. According to this ID, PHP searches it's session data for a
match. If there is a file with session data for this session, $_SESSION
will be filled with the data in that file.
--
Simon Stienen <http://dangerouscat.ne t> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle

ma**********@ho tmail.com wrote:

ahhh! fully confused! so should i be using SESSION variables or POST?
Sorry for confusing you with a joke. For using forms it is essential to know
the ways data get transmitted from the form to the server. See the very
useful overwiew Simon Stienen gave you in his answer.
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem.
Not a problem, just common.
should i submit the form as SESSION, or is this a
security flaw?
No it was a joke. You have to use POST or GET.
it seems stupid using post, and then having to copy,
one by one, the variables to SESSION. doesn't seem "right".

If you want a shortcut to get all your postdata into the $_SESSION array:

// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries with the
same keys in the session data:
$_SESSION = array_merge($_S ESSION, $_POST);

But usually you will not want this, as you want to process the posted data
rather than store it into the session.

HTH
Markus

Markus Ernst <derernst@NO#SP #AMgmx.ch> wrote:

// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries with the
same keys in the session data:
$_SESSION = array_merge($_S ESSION, $_POST);

But usually you will not want this, as you want to process the posted data
rather than store it into the session.

HTH
Markus

This is a *VERY* bad idea. Imaging you use user based rights management...
Everyone could simply send a form with one of the fields:
<input name="admin" value="1"> // flag based user management
<input name="userid" value="1"> // user management by user id
// (auto_increment assumed, therefore 1, not 0)
<input name="user" value="admin"> // user management by user name
--
Simon Stienen <http://dangerouscat.ne t> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle

things making a bit of sense now.

simon, what exactly is a *very* bad idea? using merge? or using POST in
general? bit lost on that one sorry.

cheers
dave