
$_SESSION $_POST

hi

i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just use the
$_SESSION array? or maybe even vice versa? or am i doing this all the
wrong way?

cheers
dave
Jul 17 '05 #1
*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just use the
$_SESSION array?


If you can store the $_POST stuff into a $_SESSION without using $_POST...
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (the humor website varnished for the outdoors)
++ Computer questions received by e-mail go straight to the trash
-+ I'm not a free help desk, please don't e-mail me your questions
--
Jul 17 '05 #2
mammothman42 wrote:
hi

i've got a basic user register form, action="POST". in my php code (on
the same page, i store the $_POST stuff to a $_SESSION if the user
screws a field up so they don't have to reenter all their info. But
i'm thinking, why should i use $_POST at all if i can just use the
$_SESSION array? or maybe even vice versa? or am i doing this all the
wrong way?

cheers
dave


This is actually a very good question. I would like to see more answers
from the group regarding this. I would personally want to see speed
benchmark comparisons on what is faster: lots of session data and less
arrays, or very little session data with lots of arrays.

Jul 17 '05 #3
Alvaro G. Vicario wrote:
*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
i've got a basic user register form, action="POST". in my php code
(on the same page, i store the $_POST stuff to a $_SESSION if the
user screws a field up so they don't have to reenter all their info.
But i'm thinking, why should i use $_POST at all if i can just use the
$_SESSION array?


If you can store the $_POST stuff into a $_SESSION without using
$_POST...


<form method="SESSION"> ... ;-)

--
Markus
Jul 17 '05 #4
Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
Alvaro G. Vicario wrote:
*** mammothman42 escribió/wrote (17 Sep 2004 20:04:16 -0700):
i've got a basic user register form, action="POST". in my php code
(on the same page, i store the $_POST stuff to a $_SESSION if the
user screws a field up so they don't have to reenter all their info.
But i'm thinking, why should i use $_POST at all if i can just use the
$_SESSION array?


If you can store the $_POST stuff into a $_SESSION without using
$_POST...


<form method="SESSION"> ... ;-)


<irony>
Yeah, and the most common way to hack a page is by using
<form method="SERVER">
... Everybody should know that.
</irony>
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #5
ahhh! fully confused! so should i be using SESSION variables or POST?
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem. should i submit the form as SESSION, or is this a
security flaw? it seems stupid using post, and then having to copy, one
by one, the variables to SESSION. doesn't seem "right".

cheers
dave

Jul 17 '05 #6
<ma**********@hotmail.com> wrote:
ahhh! fully confused! so should i be using SESSION variables or POST?
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem. should i submit the form as SESSION, or is this a
security flaw? it seems stupid using post, and then having to copy, one
by one, the variables to SESSION. doesn't seem "right".

cheers
dave


To get data from the user, you have 2.5 options:
1) GET: The variables are stored in the query string of the URL (the part
after the '?'). Usable with: Hyperlinks, Forms.
2) POST: The variables are sent in the body of the HTTP request. This is
the _only_ common way to transmit files. (You could use PUT for this, too,
but AFAIK it's not widely supported.) Usable with: Forms.
3) COOKIE: This is the "half option" in the 2.5, since you are likely to
set all the data you receive from a cookie yourself in a PHP script. You
could use JavaScript to modify a cookie, too, but since this depends on the
client it's no real option. Usable with: Server side mechanisms only. (With
the exception of the mentioned method.)

The "BIG 7" aren't complete yet. Additionally to the above, there are:
a) $_ENV: The complete environment which has been passed to PHP. These are
most likely not the same variables you get by typing 'env' on the console,
but specific information about the server and the current request. In most
cases, you won't need this, because all of the important information gets
parsed by PHP and is stuffed into $_SERVER.

b) $_SERVER: Contains a lot of useful data about the server software and
the request itself. If you are searching for information on the current
request, var_dump($_SERVER) is almost certainly the best beginning.

c) $_FILES: If the raw POST input contained uploaded files, PHP will stuff
them into temporary files and stores all the known data about the file
(original filename, name of the temporary file, filesize and if submitted
the used mime-type [warning: this has not to be the real mime-type!]) in
this superglobal.

d) $_SESSION: All the data in this array is the result of exactly ONE
variable supplied by the visitor (with either of the above methods): its
session id. According to this ID, PHP searches its session data for a
match. If there is a file with session data for this session, $_SESSION
will be filled with the data in that file.
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #7
ma**********@hotmail.com wrote:
ahhh! fully confused! so should i be using SESSION variables or POST?
Sorry for confusing you with a joke. For using forms it is essential to know
the ways data get transmitted from the form to the server. See the very
useful overview Simon Stienen gave you in his answer.
That is, how is this kinda thing usually done? i'm sure it's a fairly
common problem.
Not a problem, just common.
should i submit the form as SESSION, or is this a
security flaw?
No it was a joke. You have to use POST or GET.
it seems stupid using post, and then having to copy,
one by one, the variables to SESSION. doesn't seem "right".


If you want a shortcut to get all your postdata into the $_SESSION array:

// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries with the
same keys in the session data:
$_SESSION = array_merge($_SESSION, $_POST);

But usually you will not want this, as you want to process the posted data
rather than store it into the session.

HTH
Markus
Jul 17 '05 #8
Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries with the
same keys in the session data:
$_SESSION = array_merge($_SESSION, $_POST);

But usually you will not want this, as you want to process the posted data
rather than store it into the session.

HTH
Markus


This is a *VERY* bad idea. Imagine you use user based rights management...
Everyone could simply send a form with one of the fields:
<input name="admin" value="1"> // flag based user management
<input name="userid" value="1"> // user management by user id
// (auto_increment assumed, therefore 1, not 0)
<input name="user" value="admin"> // user management by user name
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #9
things making a bit of sense now.

simon, what exactly is a *very* bad idea? using merge? or using POST in
general? bit lost on that one sorry.

cheers
dave

Jul 17 '05 #10
<ma**********@hotmail.com> wrote:
things making a bit of sense now.

simon, what exactly is a *very* bad idea? using merge? or using POST in
general? bit lost on that one sorry.

cheers
dave


Sorry -g-
Writing the unchecked POST data directly into the session.
If you *need* to do so, take a special variable, for example:
$_SESSION['post_data'] = $_POST;
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #11
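Putting Simon's two points together (don't let the POST body write arbitrary session keys; if you must keep posted data, keep it under its own key), here is an added example of the OP's register form done that way. It is not code from the thread or from any poster; it assumes a three-field form (name, email, username), that the login code keeps its authorization state under keys such as $_SESSION['user_id'] and $_SESSION['is_admin'], and hypothetical paths (/welcome.php) and helpers (create_account).

```php
<?php
// Added example (not from the thread): keep the visitor's typed values across a
// validation failure without letting the POST body overwrite session state.
session_start();

// The pattern Simon warns about: every POST field becomes a session key, so a
// submitted field named "is_admin" would replace whatever the login code stored
// under $_SESSION['is_admin']. Shown only as the "before"; never call it.
function unsafe_remember(array $post): void
{
    $_SESSION = array_merge($_SESSION, $post);   // DO NOT do this
}

// Hardened version: copy only the fields the form really has, keep them under
// one namespaced key, and never touch the keys used for authorization.
const FORM_FIELDS = ['name', 'email', 'username'];

function remember_form(array $post): void
{
    $kept = [];
    foreach (FORM_FIELDS as $field) {
        // Only plain strings; arrays from "name[]" inputs are silently dropped.
        if (isset($post[$field]) && is_string($post[$field])) {
            $kept[$field] = $post[$field];
        }
    }
    $_SESSION['register_form'] = $kept;
}

function validate(array $post): array
{
    $errors = [];
    if (trim($post['name'] ?? '') === '') {
        $errors[] = 'Name is required.';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $post['username'] ?? '')) {
        $errors[] = 'Username must be 3-32 letters, digits or underscores.';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate($_POST);
    if ($errors === []) {
        // create_account($_POST) is hypothetical; after success, forget the draft.
        unset($_SESSION['register_form']);
        header('Location: /welcome.php');            // hypothetical path
        exit;
    }
    remember_form($_POST);                           // whitelisted, namespaced
    $_SESSION['register_errors'] = $errors;
    header('Location: ' . $_SERVER['REQUEST_URI']);  // redirect-after-POST
    exit;
}

// GET: repopulate the form from the namespaced key, then clear it so a stale
// draft does not reappear on the next visit.
$draft  = $_SESSION['register_form'] ?? [];
$errors = $_SESSION['register_errors'] ?? [];
unset($_SESSION['register_form'], $_SESSION['register_errors']);

// Escape on output so a remembered value cannot inject markup into the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<?php foreach ($errors as $e): ?>
<p class="error"><?= h($e) ?></p>
<?php endforeach; ?>
<form method="POST" action="">
  <input name="name"     value="<?= h($draft['name'] ?? '') ?>">
  <input name="email"    value="<?= h($draft['email'] ?? '') ?>">
  <input name="username" value="<?= h($draft['username'] ?? '') ?>">
  <button type="submit">Register</button>
</form>
```

The whitelist in remember_form() is what closes the hole from post #9: a request carrying an extra "is_admin" or "user_id" field is simply ignored rather than merged, and because the draft lives under $_SESSION['register_form'] even a future bug in the copy could not collide with the authorization keys. The redirect after the POST is what lets the same page serve as both the form and its handler, which is what the OP was trying to get from $_SESSION in the first place.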
hang on i just realised i don't need to use sessions at all! i just set
the values of each field to $_POST[name, user, etc], instead of storing
it in a session and setting them to $_SESSION[name etc]. Or was this
never suggested for a good reason I'm blatantly missing?

Jul 17 '05 #12
I noticed that Message-ID:
<10**********************@h37g2000oda.googlegroups.com> from
ma**********@hotmail.com contained the following:
hang on i just realised i don't need to use sessions at all! i just set
the values of each field to $_POST[name, user, etc], instead of storing
it in a session and setting them to $_SESSION[name etc]. Or was this
never suggested for a good reason I'm blatantly missing?


One assumed you had a reason... :-}

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Jul 17 '05 #13
Simon Stienen wrote:
Markus Ernst <derernst@NO#SP#AMgmx.ch> wrote:
// This puts the post data at the end of the $_SESSION array:
$_SESSION = $_SESSION + $_POST;

// As an alternative, this will overwrite already existing entries
with the same keys in the session data:
$_SESSION = array_merge($_SESSION, $_POST);

But usually you will not want this, as you want to process the
posted data rather than store it into the session.
This is a *VERY* bad idea. Imagine you use user based rights
management... Everyone could simply send a form with one of the
fields: <input name="admin" value="1"> // flag based user management
<input name="userid" value="1"> // user management by user id
// (auto_increment assumed, therefore 1, not 0)
<input name="user" value="admin"> // user management by user name


Right - I did not mean to recommend that procedure (as I mentioned). If for
any reason somebody would do it like that anyway, precautions could help,
such as using uncommon names for the rights management relevant session
variables, such as $_SESSION['cold_beer'] or $_SESSION['ht8Uz6']. So hacking
it via postdata would require exact knowledge of the application.

--
Markus
Jul 17 '05 #14
it's all starting to fall into place now! i'm curious though as what
can be hacked these days. How exactly does a hacker forge a header to
fake POST data? How do they send SESSION values to my server? It's all
slightly disconcerting.

cheers
dave

Jul 17 '05 #15
<ma**********@hotmail.com> wrote:
How exactly does a hacker forge a header to fake POST data? How do they
send SESSION values to my server?


Read RFC 2616 for that. :)
Forged data is nothing else but a normal request with self chosen data for
GET-, POST- and Cookie-variables.

Btw.: "Faking" POST data is not complicated: Just write your own form, fill
it and send it.
--
Simon Stienen <http://dangerouscat.net> <http://slashlife.de>
»What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done.«
-- Sherlock Holmes in "A Study in Scarlet" by Sir Arthur Conan Doyle
Jul 17 '05 #16