$_SESSION $_POST

hi

i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just use the
$_SESSION array? or maybe even vice versa? or am i doing this all the
wrong way?

cheers
dave
Jul 17 '05
<ma**********@hotmail.com> wrote:
things making a bit of sense now.

simon, what exactly is a *very* bad idea? using merge? or using POST in
general? bit lost on that one sorry.

cheers
dave


Sorry -g-
Writing the unchecked POST data directly into the session.
If you *need* to do so, take a special variable, for example:
$_SESSION['post_data'] = $_POST;
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #11
hang on i just realised i don't need to use sessions at all! i just set
the values of each field to $_POST[name, user, etc], instead of storing
it in a session and setting them to $_SESSION[name etc]. Or was this
never suggested for a good reason I'm blatantly missing?

Jul 17 '05 #12
I noticed that Message-ID:
<10**********************@h37g2000oda.googlegroups.com> from
ma**********@hotmail.com contained the following:
hang on i just realised i don't need to use sessions at all! i just set
the values of each field to $_POST[name, user, etc], instead of storing
it in a session and setting them to $_SESSION[name etc]. Or was this
never suggested for a good reason I'm blatantly missing?


One assumed you had a reason... :-}

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #13
Simon Stienen wrote:
Markus Ernst <derernst@NO#SP #AMgmx.ch> wrote:
// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries
with the same keys in the session data:
$_SESSION = array_merge($_SESSION, $_POST);

But usually you will not want this, as you want to process the
posted data rather than store it into the session.
This is a *VERY* bad idea. Imagine you use user based rights
management... Everyone could simply send a form with one of the
fields: <input name="admin" value="1"> // flag based user management
<input name="userid" value="1"> // user management by user id
// (auto_increment assumed, therefore 1, not 0)
<input name="user" value="admin"> // user management by user name


Right - I did not mean to recommend that procedure (as I mentioned). If for
any reason somebody would do it like that anyway, precautions could help,
such as using uncommon names for the rights management relevant session
variables, such as $_SESSION['cold_beer'] or $_SESSION['ht8Uz6']. So hacking
it via postdata would require exact knowledge of the application.

--
Markus
Jul 17 '05 #14
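Simon's warning above and his earlier suggestion of a dedicated `$_SESSION['post_data']` key, worked through as an added PHP example (not code from anyone in this thread); the field names, the `REGISTER_FIELDS` whitelist and the sample request are constructed for illustration.

```php
<?php
// Added example, not from the thread: why merging raw $_POST into $_SESSION
// is dangerous, and the safer pattern of keeping re-display data under its
// own key, restricted to the fields the form is expected to send.
declare(strict_types=1);

// Simulated session state (constructed; a real page gets this from
// session_start() and its login code).
$_SESSION = ['userid' => 42, 'admin' => 0];

// Constructed request: a register form submitted with an extra "admin" field
// that the page never put in its form.
$_POST = ['name' => 'dave', 'email' => 'dave@example.invalid', 'admin' => '1'];

// Unsafe: every posted key lands in the session, so a posted "admin" key
// silently replaces the session's own rights flag.
function unsafeStore(array &$session, array $post): void
{
    $session = array_merge($session, $post);
}

// Safer: keep only whitelisted form fields, under a single namespaced key,
// so posted data can never collide with userid/admin in the session root.
const REGISTER_FIELDS = ['name', 'email'];

function storeFormData(array &$session, array $post, array $allowed): void
{
    $session['post_data'] = array_intersect_key($post, array_flip($allowed));
}

// Re-display helper: escape a remembered value before echoing it back into
// the form, so the stored text cannot inject markup into the page.
function oldValue(array $session, string $field): string
{
    $value = $session['post_data'][$field] ?? '';
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$unsafe = $_SESSION;
unsafeStore($unsafe, $_POST);
// $unsafe['admin'] now holds whatever the visitor typed into the request.
var_dump($unsafe['admin']);

$safe = $_SESSION;
storeFormData($safe, $_POST, REGISTER_FIELDS);
// $safe['admin'] is untouched and the stray "admin" key was dropped.
var_dump($safe['admin'], array_keys($safe['post_data']));
echo '<input name="name" value="' . oldValue($safe, 'name') . '">', PHP_EOL;
```

Run with `php` on the command line: the unsafe path prints the request's "1" as the admin flag, while the whitelisted path keeps the session's own value and only remembers name and email.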
it's all starting to fall into place now! i'm curious though as what
can be hacked these days. How exactly does a hacker forge a header to
fake POST data? How do they send SESSION values to my server? It's all
slightly disconcerting.

cheers
dave

Jul 17 '05 #15
<ma**********@hotmail.com> wrote:
How exactly does a hacker forge a header to fake POST data? How do they
send SESSION values to my server?


Read RFC 2616 for that. :)
Forged data is nothing else but a normal request with self chosen data for
GET-, POST- and Cookie-variables.

Btw.: "Faking" POST data is not complicated: Just write your own form, fill
it and send it.
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #16
