
$_SESSION $_POST

hi

i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array? or maybe even vice versa? or am i doing this all the
wrong way?

cheers
dave
Jul 17 '05 #1
15 Replies


*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array?


If you can store the $_POST stuff into a $_SESSION without using $_POST...
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (the humour website varnished for the outdoors)
++ Computer questions received by e-mail go straight to the bin
-+ I'm not a free help desk, please don't e-mail me your questions
--
Jul 17 '05 #2

mammothman42 wrote:
hi

i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array? or maybe even vice versa? or am i doing this all the
wrong way?

cheers
dave


This is actually a very good question. I would like to see more answers
from the group regarding this. I would personally want to see speed
benchmark comparisons on what is faster: lots of session data and less
arrays, or very little session data with lots of arrays.

Jul 17 '05 #3

Alvaro G. Vicario wrote:
*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
i've got a basic user register form, action="POST". in my php code
(on the same page, i store the $_POST stuff to a $_SESSION if the
user screws a field up so they don't have to reenter all their info.
But i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array?


If you can store the $_POST stuff into a $_SESSION without using
$_POST...


<form method="SESSION"> ... ;-)

--
Markus
Jul 17 '05 #4

Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
Alvaro G. Vicario wrote:
*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
i've got a basic user register form, action="POST". in my php code
(on the same page, i store the $_POST stuff to a $_SESSION if the
user screws a field up so they don't have to reenter all their info.
But i'm thinking, why should i use $_POST at all if i can just us the
$_SESSION array?


If you can store the $_POST stuff into a $_SESSION without using
$_POST...


<form method="SESSION"> ... ;-)


<irony>
Yeah, and the most common way to hack a page is by using
<form method="SERVER">
.... Everybody should know that.
</irony>
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #5

ahhh! fully confused! so should i be using SESSION variables or POST?
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem. should i submit the form as SESSION, or is this a
security flaw? it seems stupid using post, and then having to copy, one
by one, the variables to SESSION. doesn't seem "right".

cheers
dave

Jul 17 '05 #6

<ma**********@hotmail.com> wrote:
ahhh! fully confused! so should i be using SESSION variables or POST?
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem. should i submit the form as SESSION, or is this a
security flaw? it seems stupid using post, and then having to copy, one
by one, the variables to SESSION. doesn't seem "right".

cheers
dave


To get data from the user, you have 2.5 options:
1) GET: The variables are stored in the query string of the URL (the part
after the '?'). Usable with: Hyperlinks, Forms.
2) POST: The variables are sent in the body of the HTTP request. This is
the _only_ common way to transmit files. (You could use PUT for this, too,
but AFAIK it's not widely supported.) Usable with: Forms.
3) COOKIE: This is the "half option" in the 2.5, since you are likely to
set all the data you receive from a cookie yourself in a PHP script. You
could use JavaScript to modify a cookie, too, but since this depends on the
client it's no real option. Usable with: Server side mechanisms only. (Except
for the mentioned method.)

The "BIG 7" aren't complete yet. Additionally to the above, there are:
a) $_ENV: The complete environment which has been passed to PHP. These are
most likely not the same variables you get by typing 'env' on the console,
but specific information about the server and the current request. In most
cases, you won't need this, because all of the important information gets
parsed by PHP and is stuffed into $_SERVER.

b) $_SERVER: Contains a lot of useful data about the server software and
the request itself. If you are searching for information on the current
request, var_dump($_SERVER) is almost certainly the best beginning.

c) $_FILES: If the raw POST input contained uploaded files, PHP will stuff
them into temporary files and store all the known data about the file
(original filename, name of the temporary file, filesize and, if submitted,
the used mime-type [warning: this need not be the real mime-type!]) in
this superglobal.

d) $_SESSION: All the data in this array is the result of exactly ONE
variable supplied by the visitor (with either of the above methods): its
session id. According to this ID, PHP searches its session data for a
match. If there is a file with session data for this session, $_SESSION
will be filled with the data in that file.
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #7

ma**********@hotmail.com wrote:
ahhh! fully confused! so should i be using SESSION variables or POST?
Sorry for confusing you with a joke. For using forms it is essential to know
the ways data get transmitted from the form to the server. See the very
useful overview Simon Stienen gave you in his answer.
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem.
Not a problem, just common.
should i submit the form as SESSION, or is this a
security flaw?
No it was a joke. You have to use POST or GET.
it seems stupid using post, and then having to copy,
one by one, the variables to SESSION. doesn't seem "right".


If you want a shortcut to get all your postdata into the $_SESSION array:

// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries with the
same keys in the session data:
$_SESSION = array_merge($_SESSION, $_POST);

But usually you will not want this, as you want to process the posted data
rather than store it into the session.

HTH
Markus
Jul 17 '05 #8

Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries with the
same keys in the session data:
$_SESSION = array_merge($_SESSION, $_POST);

But usually you will not want this, as you want to process the posted data
rather than store it into the session.

HTH
Markus


This is a *VERY* bad idea. Imagine you use user based rights management...
Everyone could simply send a form with one of the fields:
<input name="admin" value="1"> // flag based user management
<input name="userid" value="1"> // user management by user id
// (auto_increment assumed, therefore 1, not 0)
<input name="user" value="admin"> // user management by user name
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #9

things making a bit of sense now.

simon, what exactly is a *very* bad idea? using merge? or using POST in
general? bit lost on that one sorry.

cheers
dave

Jul 17 '05 #10

<ma**********@hotmail.com> wrote:
things making a bit of sense now.

simon, what exactly is a *very* bad idea? using merge? or using POST in
general? bit lost on that one sorry.

cheers
dave


Sorry -g-
Writing the unchecked POST data directly into the session.
If you *need* to do so, take a special variable, for example:
$_SESSION['post_data'] = $_POST;
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #11
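The problem Simon describes in #9 and the namespaced alternative from #11, side by side, as an added example that is not code from the thread. It runs from the CLI with constructed session and POST arrays (no real session or HTTP request); the form field names and the `is_admin` session key are assumptions for illustration.

```php
<?php
// Added example, not from the thread: the unchecked merge beside a
// whitelisted, namespaced version. All input below is constructed.

// Constructed session state as the application would set it after login.
$_SESSION = ['user_id' => 42, 'is_admin' => false];

// Constructed POST body: the registration fields plus a smuggled field
// whose name happens to match an authorization key in the session.
$_POST = ['name' => 'dave', 'email' => 'dave@example.com', 'is_admin' => '1'];

// Fields the (hypothetical) registration form is allowed to carry over.
const REGISTER_FIELDS = ['name', 'email', 'username'];

// VULNERABLE: the merge from post #8. Every POST key becomes a session key,
// so the client-supplied "is_admin" overwrites the server-set one.
function rememberPostUnsafe(array $session, array $post): array
{
    return array_merge($session, $post);
}

// HARDENED: keep only the expected fields, keep only scalar values, and
// store them under their own key so form input can never collide with
// authorization state held elsewhere in the session.
function rememberPostSafe(array $session, array $post, array $allowed): array
{
    $kept = array_intersect_key($post, array_flip($allowed));
    $kept = array_filter($kept, 'is_scalar');
    $session['post_data'] = array_map('strval', $kept);
    return $session;
}

$unsafe = rememberPostUnsafe($_SESSION, $_POST);
$safe   = rememberPostSafe($_SESSION, $_POST, REGISTER_FIELDS);

var_dump($unsafe['is_admin']);                    // string(1) "1": escalated
var_dump($safe['is_admin']);                      // bool(false): untouched
var_dump(isset($safe['post_data']['is_admin']));  // bool(false): dropped

// Re-filling the form from the remembered data: escape on output, since the
// values are still user-controlled text.
$name = htmlspecialchars($safe['post_data']['name'] ?? '', ENT_QUOTES, 'UTF-8');
echo '<input name="name" value="' . $name . '">', PHP_EOL;
```

Whitelisting by field name is what makes Markus's "uncommon session variable names" workaround in #14 unnecessary: the form data can only ever land under `post_data`, whatever keys the client sends.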

hang on i just realised i don't need to use sessions at all! i just set
the values of each field to $_POST[name, user, etc], instead of storing
it in a session and setting them to $_SESSION[name etc]. Or was this
never suggested for a good reason I'm blatantly missing?

Jul 17 '05 #12

I noticed that Message-ID:
<10**********************@h37g2000oda.googlegroups.com> from
ma**********@hotmail.com contained the following:
hang on i just realised i don't need to use sessions at all! i just set
the values of each field to $_POST[name, user, etc], instead of storing
it in a session and setting them to $_SESSION[name etc]. Or was this
never suggested for a good reason I'm blatantly missing?


One assumed you had a reason... :-}

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #13

Simon Stienen wrote:
Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries
with the same keys in the session data:
$_SESSION = array_merge($_SESSION, $_POST);

But usually you will not want this, as you want to process the
posted data rather than store it into the session.
This is a *VERY* bad idea. Imaging you use user based rights
management... Everyone could simply send a form with one of the
fields: <input name="admin" value="1"> // flag based user management
<input name="userid" value="1"> // user management by user id
// (auto_increment assumed, therefore 1, not 0)
<input name="user" value="admin"> // user management by user name


Right - I did not mean to recommend that procedure (as I mentioned). If for
any reason somebody would do it like that anyway, precautions could help,
such as using uncommon names for the rights management relevant session
variables, such as $_SESSION['cold_beer'] or $_SESSION['ht8Uz6']. So hacking
it via postdata would require exact knowledge of the application.

--
Markus
Jul 17 '05 #14

it's all starting to fall into place now! i'm curious though as what
can be hacked these days. How exactly does a hacker forge a header to
fake POST data? How do they send SESSION values to my server? It's all
slightly disconcerting.

cheers
dave

Jul 17 '05 #15

<ma**********@hotmail.com> wrote:
How exactly does a hacker forge a header to fake POST data? How do they
send SESSION values to my server?


Read RFC 2616 for that. :)
Forged data is nothing else but a normal request with self chosen data for
GET-, POST- and Cookie-variables.

Btw.: "Faking" POST data is not complicated: Just write your own form, fill
it and send it.
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #16
