passing array to top page in frameset not working?

Geoff Cox wrote:

Hello,

The following

<frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

passes the value of the variable $groups from a php file to the top
page in a frameset but how do I change it if $groups is an array?

Why would you wanna do a thing like that ?
It's pretty bad design if you dont know the type of your variable.

But here goes

if(is_array($groups)){ ?>

// do some stuff with yourarray

<?php } else { ?>

<frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

<?php } ?>

Geoff Cox wrote:

Hello,

The following

<frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

passes the value of the variable $groups from a php file to the top
page in a frameset but how do I change it if $groups is an array?

Cheers,

Geoff

You need to put the elements of the array in the frameset, i.e.

foreach ($groups as $key=>$value) {
echo "<input type='hidden' name='group[$key]' value='$value'>";

But I would recommend you check into using the $_SESSION variable.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

On Fri, 15 Aug 2008 07:36:29 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>Geoff Cox wrote:

>Hello,

The following

<frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

passes the value of the variable $groups from a php file to the top
page in a frameset but how do I change it if $groups is an array?

Cheers,

Geoff

You need to put the elements of the array in the frameset, i.e.

foreach ($groups as $key=>$value) {
echo "<input type='hidden' name='group[$key]' value='$value'>";

But I would recommend you check into using the $_SESSION variable.

Jerry,

I have just got serialize and unserialize working - that approach seem
OK to you?

Does $_SESSION require users to allow cookies?

Cheers

Geoff

On Fri, 15 Aug 2008 13:25:16 +0200, Floortje <fl******@dontlike.mail>
wrote:

>Geoff Cox wrote:

>Hello,

The following

<frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

passes the value of the variable $groups from a php file to the top
page in a frameset but how do I change it if $groups is an array?

Why would you wanna do a thing like that ?
It's pretty bad design if you dont know the type of your variable.

I did know that I wanted to use an array but was just moving 1 step at
a time!

>But here goes

if(is_array($groups)){ ?>

// do some stuff with yourarray

<?php } else { ?>

<frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

<?php } ?>

thanks for the info.

Cheers

Geoff

Geoff Cox wrote:

On Fri, 15 Aug 2008 07:36:29 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>Geoff Cox wrote:

>>Hello,

The following

<frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

passes the value of the variable $groups from a php file to the top
page in a frameset but how do I change it if $groups is an array?

Cheers,

Geoff

You need to put the elements of the array in the frameset, i.e.

foreach ($groups as $key=>$value) {
echo "<input type='hidden' name='group[$key]' value='$value'>";

But I would recommend you check into using the $_SESSION variable.

Jerry,

I have just got serialize and unserialize working - that approach seem
OK to you?

Does $_SESSION require users to allow cookies?

Cheers

Geoff

You can serialize it - I just don't like to do it with printable data.
It exposes internal program information to the user and is a potential
entry for hackers.

As for sessions requiring cookies - it depends on the settings in your
php.ini file. PHP typically uses cookies, but if they are disabled PHP
can be told to pass the session id in the url.

However - anyone running with cookies disabled is going to have major
problems anyway. A huge number of sites require them for different
reasons.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

..oO(Geoff Cox)

>Does $_SESSION require users to allow cookies?

It's the recommended way for storing the session ID. You can also append
it to all URLs (PHP can do this automatically), but it's less secure.

Also note that sessions may cause delays on a frame site. See the manual
for more details about this issue.

http://www.php.net/session_write_close

Micha

On Fri, 15 Aug 2008 08:31:18 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>I have just got serialize and unserialize working - that approach seem
OK to you?

Does $_SESSION require users to allow cookies?

Cheers

Geoff

You can serialize it - I just don't like to do it with printable data.
It exposes internal program information to the user and is a potential
entry for hackers.

As for sessions requiring cookies - it depends on the settings in your
php.ini file. PHP typically uses cookies, but if they are disabled PHP
can be told to pass the session id in the url.

However - anyone running with cookies disabled is going to have major
problems anyway. A huge number of sites require them for different
reasons.

Jerry,

Re the entry for hackers problem - users will have paid to subscribe
and will then have been given a user name and password. The serialize
function is used after they have entered the password protected folder
(htaccess etc) so shouldn't be a problem?

Cheers

Geoff

Geoff Cox wrote:

On Fri, 15 Aug 2008 08:31:18 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>>I have just got serialize and unserialize working - that approach seem
OK to you?

Does $_SESSION require users to allow cookies?

Cheers

Geoff

You can serialize it - I just don't like to do it with printable data.
It exposes internal program information to the user and is a potential
entry for hackers.

As for sessions requiring cookies - it depends on the settings in your
php.ini file. PHP typically uses cookies, but if they are disabled PHP
can be told to pass the session id in the url.

However - anyone running with cookies disabled is going to have major
problems anyway. A huge number of sites require them for different
reasons.

Jerry,

Re the entry for hackers problem - users will have paid to subscribe
and will then have been given a user name and password. The serialize
function is used after they have entered the password protected folder
(htaccess etc) so shouldn't be a problem?

Cheers

Geoff

True - under normal circumstances. But that doesn't stop a hacker from
creating his own copy of a page with bad information and posting it to
your site. It can wreck havoc on your site.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Geoff Cox wrote:

<frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

passes the value of the variable $groups from a php file to the top
page in a frameset but how do I change it if $groups is an array?

THe prefered way is to use Sessions. But if you will, you can use PHPs
buildin function http_build_query =http://de.php.net/http_build_query

So long, Ulf

On Fri, 15 Aug 2008 18:34:49 +0200, Ulf Kadner <dr******@gmx.net>
wrote:

>Geoff Cox wrote:

><frame src="topbar-frameset.php?newVar=<?php echo $groups; ?>">

passes the value of the variable $groups from a php file to the top
page in a frameset but how do I change it if $groups is an array?

THe prefered way is to use Sessions. But if you will, you can use PHPs
buildin function http_build_query =http://de.php.net/http_build_query

So long, Ulf

Thanks Ulf but looks as if http_build_query is for php 5 and my
hosting people use version 4.

Cheers

Geoff

On Fri, 15 Aug 2008 11:49:08 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>Re the entry for hackers problem - users will have paid to subscribe
and will then have been given a user name and password. The serialize
function is used after they have entered the password protected folder
(htaccess etc) so shouldn't be a problem?

Cheers

Geoff

True - under normal circumstances. But that doesn't stop a hacker from
creating his own copy of a page with bad information and posting it to
your site. It can wreck havoc on your site.

How does a hacker post to my site? ftp access requires user name and
password. What am I missing?!

Cheers

Geoff

On Fri, 15 Aug 2008 17:13:09 +0200, Michael Fesser <ne*****@gmx.de>
wrote:

>.oO(Geoff Cox)

>>Does $_SESSION require users to allow cookies?

It's the recommended way for storing the session ID. You can also append
it to all URLs (PHP can do this automatically), but it's less secure.

Also note that sessions may cause delays on a frame site. See the manual
for more details about this issue.

http://www.php.net/session_write_close

Micha

that does seem to be a problem for me as I use lots of frames - the
left for the search term selection and the right for the results from
mysql....

I suppose I could use AJAX and not frames ...

Cheers

Geoff

..oO(Geoff Cox)

>Thanks Ulf but looks as if http_build_query is for php 5 and my
hosting people use version 4.

Any chance to change that? Personally I wouldn't pay a host that uses
outdated and unsupported(!) software. PHP 5 is available since years,
there's absolutely no excuse for not supporting it.

Micha

On Sat, 16 Aug 2008 01:40:32 +0200, Michael Fesser <ne*****@gmx.de>
wrote:

>.oO(Geoff Cox)

>>Thanks Ulf but looks as if http_build_query is for php 5 and my
hosting people use version 4.

Any chance to change that? Personally I wouldn't pay a host that uses
outdated and unsupported(!) software. PHP 5 is available since years,
there's absolutely no excuse for not supporting it.

Micha

I agree it's a poor state of affairs but if I move to a newer server
with php5 they remove my ability to have SSH connection! The hosting
company is Webfusion by the way.

Cheers

Geoff

Geoff Cox wrote:

On Fri, 15 Aug 2008 11:49:08 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>>Re the entry for hackers problem - users will have paid to subscribe
and will then have been given a user name and password. The serialize
function is used after they have entered the password protected folder
(htaccess etc) so shouldn't be a problem?

Cheers

Geoff

True - under normal circumstances. But that doesn't stop a hacker from
creating his own copy of a page with bad information and posting it to
your site. It can wreck havoc on your site.

How does a hacker post to my site? ftp access requires user name and
password. What am I missing?!

Cheers

Geoff

They don't need ftp access. They can create their own page and use it
to post garbage to your site, for instance. That's why you NEVER trust
ANYTHING coming from the user - including an array you serialize and
place in a hidden field.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Geoff Cox wrote:

On Sat, 16 Aug 2008 01:40:32 +0200, Michael Fesser <ne*****@gmx.de>
wrote:

>.oO(Geoff Cox)

>>Thanks Ulf but looks as if http_build_query is for php 5 and my
hosting people use version 4.

Any chance to change that? Personally I wouldn't pay a host that uses
outdated and unsupported(!) software. PHP 5 is available since years,
there's absolutely no excuse for not supporting it.

Micha

I agree it's a poor state of affairs but if I move to a newer server
with php5 they remove my ability to have SSH connection! The hosting
company is Webfusion by the way.

Cheers

Geoff

Sounds like time to get another hosting company. There are plenty of
them out there.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

On Sat, 16 Aug 2008 07:45:10 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>How does a hacker post to my site? ftp access requires user name and
password. What am I missing?!
p
Cheers

Geoff

They don't need ftp access. They can create their own page and use it
to post garbage to your site, for instance. That's why you NEVER trust
ANYTHING coming from the user - including an array you serialize and
place in a hidden field.

Jerry,

What happens is as follows - is the array still a potential problem?

1. the user is asked to logon (based on htaccess) and only subscribed
users will get access.

2. The $_SERVER['REMOTE_USER'] value is used for a search of mysql
database and the data from this search is serialized.

This should be OK? (assuming the subscriber is not a hacker too!)

Is the sessions approach safer though?

Cheers

GeoffT

Geoff Cox wrote:

On Sat, 16 Aug 2008 07:45:10 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>>How does a hacker post to my site? ftp access requires user name and
password. What am I missing?!
p
Cheers

Geoff

They don't need ftp access. They can create their own page and use it
to post garbage to your site, for instance. That's why you NEVER trust
ANYTHING coming from the user - including an array you serialize and
place in a hidden field.

Jerry,

What happens is as follows - is the array still a potential problem?

1. the user is asked to logon (based on htaccess) and only subscribed
users will get access.

2. The $_SERVER['REMOTE_USER'] value is used for a search of mysql
database and the data from this search is serialized.

This should be OK? (assuming the subscriber is not a hacker too!)

Is the sessions approach safer though?

Cheers

GeoffT

No. You are under the assumption that the user must go through the
previous steps to post information to your page. This is incorrect. I
can create a page on my computer right here on my local webserver, and
have it post bad information to your page. In fact, I don't even need a
web browser or server - I can do it all in a few lines of PHP code.

And in that page I can put anything I want.

It's why you ALWAYS VALIDATE ALL INFORMATION FROM THE USER.

And BTW - who is to say the subscriber is not a hacker?

Sending any serialized data to the user can be a security problem
because it's so hard to validate. Store it in the $_SESSION. That's
what it's there for, and it's safe.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

On Sun, 17 Aug 2008 11:06:55 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>Geoff Cox wrote:

>On Sat, 16 Aug 2008 07:45:10 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>>>How does a hacker post to my site? ftp access requires user name and
password. What am I missing?!
p
Cheers

Geoff

They don't need ftp access. They can create their own page and use it
to post garbage to your site, for instance. That's why you NEVER trust
ANYTHING coming from the user - including an array you serialize and
place in a hidden field.

Jerry,

What happens is as follows - is the array still a potential problem?

1. the user is asked to logon (based on htaccess) and only subscribed
users will get access.

2. The $_SERVER['REMOTE_USER'] value is used for a search of mysql
database and the data from this search is serialized.

This should be OK? (assuming the subscriber is not a hacker too!)

Is the sessions approach safer though?

Cheers

GeoffT

No. You are under the assumption that the user must go through the
previous steps to post information to your page. This is incorrect. I
can create a page on my computer right here on my local webserver, and
have it post bad information to your page. In fact, I don't even need a
web browser or server - I can do it all in a few lines of PHP code.

And in that page I can put anything I want.

It's why you ALWAYS VALIDATE ALL INFORMATION FROM THE USER.

And BTW - who is to say the subscriber is not a hacker?

Sending any serialized data to the user can be a security problem
because it's so hard to validate. Store it in the $_SESSION. That's
what it's there for, and it's safe.

OK! 'will go for the $_SESSION way.

Thanks

Geoff

On Sun, 17 Aug 2008 11:06:55 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>No. You are under the assumption that the user must go through the
previous steps to post information to your page. This is incorrect. I
can create a page on my computer right here on my local webserver, and
have it post bad information to your page. In fact, I don't even need a
web browser or server - I can do it all in a few lines of PHP code.

And in that page I can put anything I want.

It's why you ALWAYS VALIDATE ALL INFORMATION FROM THE USER.

And BTW - who is to say the subscriber is not a hacker?

Sending any serialized data to the user can be a security problem
because it's so hard to validate. Store it in the $_SESSION. That's
what it's there for, and it's safe.

Jerry,

I'm having problems using $_SESSION ... is it possible to get the
$_SESSION value passed from a php file to the top page of a frameset
via the frameset file?

If yes, I guess, how?!

Cheers

Geoff

Geoff Cox wrote:

On Sun, 17 Aug 2008 11:06:55 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>No. You are under the assumption that the user must go through the
previous steps to post information to your page. This is incorrect. I
can create a page on my computer right here on my local webserver, and
have it post bad information to your page. In fact, I don't even need a
web browser or server - I can do it all in a few lines of PHP code.

And in that page I can put anything I want.

It's why you ALWAYS VALIDATE ALL INFORMATION FROM THE USER.

And BTW - who is to say the subscriber is not a hacker?

Sending any serialized data to the user can be a security problem
because it's so hard to validate. Store it in the $_SESSION. That's
what it's there for, and it's safe.

Jerry,

I'm having problems using $_SESSION ... is it possible to get the
$_SESSION value passed from a php file to the top page of a frameset
via the frameset file?

If yes, I guess, how?!

Cheers

Geoff

Yes, PHP doesn't know anything about framesets - as far as it's
concerned, it's just another page.

You do need a session_start() call at the start of every page (before
ANY output) which uses session variables. But from there on you should
be able to access any of the session values.

The only problem you may have is that access to a particular session's
data is single threaded to protect the data. Only one page can have it
open at a time and others will have to wait. That doesn't affect normal
operations, but in a frameset where you're loading the contents of
multiple frames concurrently, some will have to wait for others to
finish. The problem should not be noticeable unless you're doing
something which takes a long time to process. If this happens, the
solution is to call close_session() as soon as you're through with the
session variables in your files. But as I said - you really don't need
to do this unless you're having problems.

BTW - this is not just PHP - AFAIK every server-side language handles
sessions similarly. But it's just another reason why frames are evil :-).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

On Mon, 18 Aug 2008 10:55:10 +0200, Jensen Somers
<je****@see.sig.invalidwrote:

>Geoff Cox wrote:

>On Sun, 17 Aug 2008 11:06:55 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>>No. You are under the assumption that the user must go through the
previous steps to post information to your page. This is incorrect. I
can create a page on my computer right here on my local webserver, and
have it post bad information to your page. In fact, I don't even need a
web browser or server - I can do it all in a few lines of PHP code.

And in that page I can put anything I want.

It's why you ALWAYS VALIDATE ALL INFORMATION FROM THE USER.

And BTW - who is to say the subscriber is not a hacker?

Sending any serialized data to the user can be a security problem
because it's so hard to validate. Store it in the $_SESSION. That's
what it's there for, and it's safe.

Jerry,

I'm having problems using $_SESSION ... is it possible to get the
$_SESSION value passed from a php file to the top page of a frameset
via the frameset file?

If yes, I guess, how?!

Cheers

Geoff

Sessions should be globally for the user during his session (/visit) on
your website. Technically, your frames are just different pages so you
are able to set a session variable on one page and access it on another
page. The only thing you will need to do is to refresh the frameset page
when data has been inserted into the session.

Thanks Jensen - I will try the refresh ...

Cheers

Geoff

On Mon, 18 Aug 2008 06:49:11 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>I'm having problems using $_SESSION ... is it possible to get the
$_SESSION value passed from a php file to the top page of a frameset
via the frameset file?

If yes, I guess, how?!

Cheers

Geoff

Yes, PHP doesn't know anything about framesets - as far as it's
concerned, it's just another page.

You do need a session_start() call at the start of every page (before
ANY output) which uses session variables. But from there on you should
be able to access any of the session values.

The only problem you may have is that access to a particular session's
data is single threaded to protect the data. Only one page can have it
open at a time and others will have to wait. That doesn't affect normal
operations, but in a frameset where you're loading the contents of
multiple frames concurrently, some will have to wait for others to
finish. The problem should not be noticeable unless you're doing
something which takes a long time to process. If this happens, the
solution is to call close_session() as soon as you're through with the
session variables in your files. But as I said - you really don't need
to do this unless you're having problems.

BTW - this is not just PHP - AFAIK every server-side language handles
sessions similarly. But it's just another reason why frames are evil :-).

Jerry,

I know frames are not ideal but I have lots of pages using them so
that a search started in the left hand page has its results visible in
the right hand page.

I suppose I could remove the frames and use AJAX? PHP is good in that
a user might disable Javascript but not many seem to do that. Any
other suggestions?

Cheers

Geoff

Geoff Cox wrote:

On Mon, 18 Aug 2008 06:49:11 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>>I'm having problems using $_SESSION ... is it possible to get the
$_SESSION value passed from a php file to the top page of a frameset
via the frameset file?

If yes, I guess, how?!

Cheers

Geoff

Yes, PHP doesn't know anything about framesets - as far as it's
concerned, it's just another page.

You do need a session_start() call at the start of every page (before
ANY output) which uses session variables. But from there on you should
be able to access any of the session values.

The only problem you may have is that access to a particular session's
data is single threaded to protect the data. Only one page can have it
open at a time and others will have to wait. That doesn't affect normal
operations, but in a frameset where you're loading the contents of
multiple frames concurrently, some will have to wait for others to
finish. The problem should not be noticeable unless you're doing
something which takes a long time to process. If this happens, the
solution is to call close_session() as soon as you're through with the
session variables in your files. But as I said - you really don't need
to do this unless you're having problems.

BTW - this is not just PHP - AFAIK every server-side language handles
sessions similarly. But it's just another reason why frames are evil :-).

Jerry,

I know frames are not ideal but I have lots of pages using them so
that a search started in the left hand page has its results visible in
the right hand page.

I suppose I could remove the frames and use AJAX? PHP is good in that
a user might disable Javascript but not many seem to do that. Any
other suggestions?

Cheers

Geoff

CSS will allow you to have left and right sides to your page. You could
use AJAX, but most of the time my left frames don't have much on them
anyway - so I just refresh the entire page. A few hundred bytes is
nothing. Even a small image is bigger than that.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

On Mon, 18 Aug 2008 10:11:57 -0400, Jerry Stuckle
<js*******@attglobal.netwrote:

>CSS will allow you to have left and right sides to your page. You could
use AJAX, but most of the time my left frames don't have much on them
anyway - so I just refresh the entire page. A few hundred bytes is
nothing. Even a small image is bigger than that.

Jerry - 'have now got the $_SESSION code working!

Thanks for all your help.

Cheers,

Geoff