Jump to content

$_SESSION and only transferring one value instead of a complete form.


Recommended Posts

when working with $_SESSION and creating a super global then in the script where I use include and call the variable the entire form is showing up.

 

I have to work with $_SESSION, because $_POST or $_GET wont work in this situation.

 

Is there a way to transfer a form value to another script, and then a single value and not the complete form with everything in it.

Link to post
Share on other sites

I read somewhere that when you do not want to use include you should turn on register_globals.

I added this code at the end of the php.ini file:

     register_globals=1

Do I have to restart WAMP or not?

 

 

 

appears to be depricated

Edited by WesleyA
Link to post
Share on other sites

Im looking for a way to send a variable with $_SESSION to another page. $_POST its scope is not sufficient.

 

I have it now with a link and it is sent to 1 other php file.

 

script

    <?php    session_start();    $count = "3";    $_SESSION['count']=$count;    echo "the following number was in the variable : " . $count;    echo "<br>";    echo "click the next link";    echo "<br>";    echo "<a href= 'targetpag.php?PHPSESSID=' . strip_tags(session_id()). > To target page </a>";    ?>

this is the target script where the variable is sent to.

    <?php        session_start();     $count=$_SESSION['count'];    echo 'this is the number : ' . $count;    ?>

The <a href> solution is not good for my script and limits the use of inpt type hidden.

 

Is there a way to sent values of $_SESSION without a html submit button (including type hidden) to multiple pages or if not how is it done with other html elements/attrubutes?

Link to post
Share on other sites

The session in PHP is not related in any way to links or forms or buttons or anything else, and you should not put the session ID in the URL. In fact, you should disable that option in php.ini for the sake of security, sessions should only use cookies.Any value you set in the session will be available on every other page until either the session expires, or you change the values. This has nothing to do with the HTML code on any page. You can even just manually type various URLs into the address bar which use the session and you'll see the code making the changes or printing the values or whatever you wrote it to do.

Link to post
Share on other sites

Disable sessions?

 

OMG. If it would be safer I would do that.

 

Actually at the moment - for me as a beginner - it is getting really unclear what is safer, sessions or cookies. All together it is hazy stuff and all kinds of tuts, books and forums have different explanations about what is the best and safest way.

 

Can you give examples about what is possible with session 'hijacking'? As hijacking is often mentioned as a way of sending bad code to someone's website.

 

Back to script writing:

 

Dont you think that the purpose of a script and its varaibles is also determining what should be used either sessions or cookies? For the present part of the script I need the input value which determines how many links someone can fill in, but for the validation form I need the same choice. I dont know, there is a risk maybe when someone fills in like 10.000 links an hour or so, but I can of course make a limit when adding them to the database.

 

Not all script parts are immediately really dangerous. I guess, but i'm not sure, it's all new stuff to me. It is actually really interesting to figure out what is possible. I also shallowly investigated Kali and Backtrack in the past as a means of penetrating but most stuff is illegal and yeah of course you can do that cracks but if they want to get into something they will do it anyway, same with defending your own house if they want to break in to your house then they get in, even if you ly armed on a matrass behind the front door.

 

The use of $_POST and $_GET is quite clear and easy, you also collect details from the user but only one value every time, but is $_SESSION the only good alternative? Isnt it possible for the coding department to make some kind of instruction that works like $_POST but is able to handle values over several pages?

Link to post
Share on other sites

Oh yeah what I also would like to know is this:

 

Is it possible to change PHPSESSID?

 

So then you would use some kind of function to change PHPSESSID in an own variable making it harder for miscreants to use bad code?

 

What does it cause to stop them? Is it more effective and in what way?

Link to post
Share on other sites

:)

 

sorry I was a bit off track.

 

I figured out what my problem is.

 

I cant find a good solution for creating an input field and putting the variable in a $_SESSION

 

any suggestions. ?

 

(sorry I hope my question is not too no-brainy but I'm like almost a noob and I'm very unfamiliar with forms, html and working with globals) :Unsure:

Edited by WesleyA
Link to post
Share on other sites

You can only post data from previuos to next A to B, but you can use hidden inputs to hold data from form A in form B, so when you submit form B that data is then also posted onto form C.Instead of hidden input you can assign values to individually named sessions, which are available to read at anytime, unless cleared using unset() or browser closed, or even use local web storage either of these will enable you to transfer values from form A read in form B and send onto form C and anywhere else.

Link to post
Share on other sites

Actually at the moment - for me as a beginner - it is getting really unclear what is safer, sessions or cookies. All together it is hazy stuff and all kinds of tuts, books and forums have different explanations about what is the best and safest way.

That's kind of vague, the session uses cookies to store the session ID. I wasn't suggesting disabling session, just a specific option for sessions. This page lists the various session options, you should go down it to see what you have available to use to change how sessions work:http://php.net/manual/en/session.configuration.phpSpecifically, options like use_cookies, use_only_cookies, and cookie_httponly should be enabled, and use_trans_sid should be disabled. If use_trans_sid is enabled then someone can go to your site and start a session, check their cookie to see what the session ID is, and send a link to someone else with their session ID in the URL, e.g. domain.com/page.php?PHPSESSID=<my session ID>, and when the other person clicks that link and starts using the same session, then if they log in then the original person can refresh the page and since they're both using the same session ID then the first person will now be logged in as the second person. That's one way sessions get hijacked. Disabling the use_trans_sid option makes that not possible because it doesn't allow session IDs in the URL. That's what you showed in post 4, putting the session ID in a URL. That's a security problem, and you can disable that option to not even allow that. That's what I was talking about disabling, not disabling sessions completely.If you want to know the difference between saving data in cookies versus the session, when you save it in cookies you are saving that data on the user's computer. Anyone with access to their computer can go through their cookies and find anything that is saved there. When you save things in the session it saved it on the server, and the only thing the user gets is a cookie with the session ID. So, any sensitive data should go in the session. If you're going to use cookies for saving any kind of data then you should read up about the various options that you can set for cookies and how to use them to make the cookies behave like you want them to.

The use of $_POST and $_GET is quite clear and easy, you also collect details from the user but only one value every time, but is $_SESSION the only good alternative? Isnt it possible for the coding department to make some kind of instruction that works like $_POST but is able to handle values over several pages?

Every one of those serves a specific purpose. When variables are sent in the querystring in the URL, PHP makes those available inside $_GET. When the browser sends a post request that includes data in the request body, PHP makes that available in $_POST. It doesn't make sense, and would be an error, if $_POST contained anything that was not sent in the body of a post request for the current request. If the data in $_POST persisted across several pages then PHP would basically be claiming that the browser is making post requests with that data in the body, and that wouldn't be true. Each of them serves a specific purpose. You're the programmer, you know what your application is supposed to do. If there is data that gets submitted in $_GET or $_POST, and you want that data available on other pages, then it's your responsibility to make that happen, not PHP's. You can put that data in other links so that it will be available in $_GET, you can use a form with hidden inputs to make it available in $_POST, or you can just store it in the session. You're the programmer, you are the "coding department". PHP is only a tool, it doesn't have any intelligence. You're the one with intelligence, it's up to you to figure out how to use the tools you have to do what you want to do.

Is it possible to change PHPSESSID?

You can use the session_name function to get or set the session name (defaults to PHPSESSID), and you can use the session_id function to get or set the current session ID. You can use session_regenerate_id to just make a new session ID. If you change the session name you have to do that before using session_start.

I cant find a good solution for creating an input field and putting the variable in a $_SESSION

What exactly is the problem you're having with that? When the form gets submitted you can save whatever you want to save in the session, what problems are you having doing that?
  • Like 1
Link to post
Share on other sites

OK I get stuck where the input form must get the value and send it to another page.

 

it is either the PHPSESSID ( I changed the name with session_name) that has to set in the action tag probably I'm not sure if it's that what is missing.

 

I post the code of the 2 scripts here:

    <html>    <center>    <br><br>    <?php        session_name('BlaBlaSession');    session_start();    $_SESSION['something'] = '';    $_POST['something'] = '' ;    $_SESSION['something'] = $_POST['something'];     ?>    <br><br>        Input Form<br><br>    <form action="NextPage.php" method="post">    <input type=" text" name ="something" value = "<?php echo $_SESSION['something']; ?>" >    <input type="submit" value="Submit it!!">    </form>    </center></html> 

NextPage.php

    <html>    <center>    <br<br<br>    <?php        session_name('BlablaSession');        session_start();        var_dump($_SESSION['something']);        if (isset($_SESSION['something']))        {           var_dump($_SESSION['something']);    $value='';    $value=$_SESSION['something'];    echo 'this is the input of the other page : ' . $value;    }    ?>    </center></html> 
Link to post
Share on other sites

The only way to get the first page to work is to remove clearing $_POST part, remove session preset value on input, place start_session() at top and action="#" wbich will cause it to post to itself.After the form is submitted (to itself) check if $_POST named value isset, if it is! set session with $_POST value and redirect to NextPage.php using header()Exampleheader('Location: http://www.example.com/NextPage.php');Again all this code needs to be placed before <html> which i think we have covered before in previous topic.

Link to post
Share on other sites

I never worked with header. I assume it is necessary because I could not replace # in action. What condition combined with header is common in this script where I'm working on?

    <?php session_start();      session_name('BlaBlaSession');    if (isset($_GET['something'])){    $_SESSION['something'] = $_GET['something'];    var_dump($_GET['something']);    var_dump($_SESSION['something']);     }     if (!empty($_SESSION['something'])){ header('NextPage.php');   }    ?>    <html>    <center> <br><br>    Input Form<br><br>    <form action="#" method="get">    <input type=" text" name ="something" value = "<?php echo $_SESSION['something']; ?>" >     <input type="submit" value="Submit it!!"> </form></center></html>
Link to post
Share on other sites

Look at example that is not how header() is set in your code, and if you set input to session value on load of page and that session does not exist error, you will get.

 

Edit: hang on! where's the body tag? try to use up-to-date elements <center> died with the dinosaurs, try to use a doctype preferably htm5 doctype,

 

 

I assume it is necessary because I could not replace # in action.

 

well... you could instead of using header() use php to replace '#' in action after definitely retrieving value from get or post depending on what you use at the time, but then you would need to submit again to take you onto nextpage.php

Edited by dsonesuk
Link to post
Share on other sites

ok I have it solves, thanks for the tips.

 

But, you said I should not clear $_POST, the way I did it it was necessary.

    <?php session_start();      session_name('BlaBlaSession');     $_SESSION['something'] = '';      if (isset($_GET['something'])){     $_SESSION['something'] = $_GET['something'];      var_dump($_GET['something']);      var_dump($_SESSION['something']); }    if (!empty($_SESSION['something']))    { header('Location: NextPage.php');   }     ?>    <html><center> <br><br>Input Form<br><br><form action="#" method="get"><input type=" text" name     ="something" value = "<?php echo $_SESSI     ON['something']; ?>" > <input type="submit" value     ="S     ubmit it!!"> </form></center></html>

second script:

    <?php session_start();     var_dump($_SESSION['something']);    if (isset($_SESSION['something']))    {    var_dump($_SESSION['something']);    $value='';    $value=$_SESSION['something'];    echo '<center>';    echo '<br><br><br>';    echo 'this is the input of the other page : ' . $value;    echo '</center>';    unset ($_SESSION['something']);    unset ($_GET['something']);    }    ?>

Im not sure why you adviced it. Is it wrong to script this way, like can it be done any shorter? Im not only looking for a way to write script, but I want good and short scripts and not much unnecessary stuff.

Link to post
Share on other sites

Because if you submit to the same form page $_POST['something'] will be set with value from input, but on return to page it is set as empty with$_POST['something'] = '' ;Overwriting value from input on form submission, and the session will always end up with value '' a empty string.

Link to post
Share on other sites

Just create a variable with empty value before if condition checking if $_POST is set, if true apply $_POST value to created variable then use validation and sanitize coding such as filter_var to check if post value is the correct data you are expecting, if it returns false make it go no futther but return to form with message stating entered value was not acceptable.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...