Using Session Vars over Hidden Form Vars

3rdTimeLucky

Programmer
Jul 19, 2005
5
GB
Hi there.

I've got this problem sorted, but I just need a little advice regarding the performance of my solution.

I have a 3 page registration form for new customers:

Page 1 - Personal Details
Page 2 - Medical Details
Page 3 - Payment Details

Now I have written a function validate_form.php that basically takes a hidden "required" and "redirect" field from each form and checks that none of the field values in the "required" list (comma separated) are blank.

If any of the required fields are blank, the script does a header("Location: " . $_SERVER['HTTP_REFERER']); call and displays an error message on the page the user has just come from. If they are all ok, the script goes to the page listed in "redirect".

Now, the issue was that if the user was sent back to the page they just filled out, I wanted the data they had already entered to still be there. So I registered all of the $_POST variables as Session variables using this:

Code:
// Assign all the form variables to an array
$aFormVars = &$HTTP_POST_VARS; 

// Set all passed variables to session variables
foreach ($aFormVars as $key => $field) {
	session_register($key); 
	$_SESSION[$key] = $field; 
}

So obviously this works no problem. Just display the Session vars in the text boxes when the user is sent back.

My question is, as the processing of the registration progresses, should I be unregistering these variables in favour of hidden form variables?

I'm thinking about both performance and security here, and I am unsure of the implications my solution will have in either of these departments.

Thanks in advance
Aaron
 
should I be unregistering these variables in favour of hidden form variables?
I wouldn't. If data is being sent in hidden forms, data can be tinkered with, which is less secure. If you use cookie-based standard PHP sessions, only an ID to the session store is sent to the browser in a cookie. The actual data is not sent back and forth, so it's more difficult to tinker with.


Also, these two lines are of concern to me:

session_register($key);
$_SESSION[$key] = $field;

The PHP online manual entry for session_register() states:

PHP online manual said:
CAUTION: If you are using $_SESSION (or $HTTP_SESSION_VARS), do not use session_register(), session_is_registered(), and session_unregister().

So your script should read only:

$_SESSION[$key] = $field;





Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Hi sleipnir,

Run into a bit of a problem when testing with either Netscape or Firefox.

In IE, if the user leaves some required fields blank and submits the form, it is reloaded with error messages and original data in the text boxes. If the user then resubmits the form, but still leaves some fields blank, it re-opens again, all ok.

However, with Firefox and Netscape: If the user leaves some fields blank and submits the form, it is re-opened as with IE the first time. But if you enter some data and resubmit the form, this data is not retained, nor does the error message go away. It's like it's only allowing setting the session variables once.

Any Ideas? Here's the code:

Code:
$error_flag = 0; // Flag for checking for form errors.

// Assign all the form variables to an array
$aFormVars = &$HTTP_POST_VARS; 

// Set all passed variables to session variables
foreach ($aFormVars as $key => $field) {
	$_SESSION[$key] = $field; 
} 

// Get the redirect location (what page we want to go to should this fail)
$aRedirect = &$_POST['redirect'];  

// Separate the special fields strings (they are comma separated)
$a_list = TrimArray(explode(",",$aFormVars['required']));

// DOB is checked separately as it is derived from three drop downs
if ($aFormVars['dob_day'] == "" || $aFormVars['dob_month'] == "" || $aFormVars['dob_year'] == "") { 
	$_SESSION['err_dob'] = "  Required Field";
	$error_flag = 1;
} else {
	$_SESSION['err_dob'] = "";
}

// Go through each required field and set error message
foreach($a_list as $field) {
	if ($aFormVars[$field] == "" || is_null($aFormVars[$field])) { 
		$_SESSION['err_' . $field] = "  Required Field";
		echo $_SESSION['err_' . $field] . "<br>";
		$error_flag = 1; 
	} else {
		$_SESSION['err_' . $field] = "";
	}
}

// If an error has been flagged, send user back, otherwise, send to the redirect value
if ($error_flag == 1) {
	header("Location: " . $_SERVER['HTTP_REFERER']);
} else {
	header("Location: " . $aRedirect);
}


function TrimArray($a_list)
{
	foreach ($a_list as $m_key=>$m_item)
		if (is_array($m_item))
			$a_list[$m_key] = TrimArray($m_item);
		elseif (is_scalar($m_item))
			$a_list[$m_key] = trim("$m_item");
		else
			$a_list[$m_key] = "";
	return ($a_list);
}

?>

Like I said - works without fault in IE.

Thanks
Aaron
 
Strange,

Decided just to try putting the session_register($key); line back in, and it works in all browsers fine now....
 
It sounds to me like some caching error.

Oof. Looking at your code, I see:

header("Location: " . $_SERVER['HTTP_REFERER']);

This is not a good idea. $_SERVER['HTTP_REFERER'] cannot be depended on, as this information has to be provided by the browser and may not be there. Opera and Firefox, for example, both have the ability to turn off referer reporting. This could, as it stands, be your problem with Firefox in general.

If you have a set of pages that must aggregate, validate and process data, I generally set up a script for each page. Each script is responsible only for producing the form it needs the user to fill out, processing the data from that form, storing necessary values in a session and directing the browser to the next script in the set.

Each of these scripts has the form of:

Code:
<?php
if (isset ($_POST['some necessary field from the form']))
{
   //process input, setting $all_input_is_good to false if any check fails
   $all_input_is_good = true;

   if ($all_input_is_good)
   {
      header ('Location: http://www.some.domain/the/next/script/in/the/chain.php');
   }
   else
   {
      //reproduce form, explicitly setting all fields to just-submitted values and outputting necessary error messages
   }
}
else
{
  //produce blank form
}
?>

The form each script produces is set to submit the data back to the script that produced it ($_SERVER['PHP_SELF'] is dependable).


Want the best answers? Ask the best questions!

TANSTAAFL!!
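
The per-page pattern described in the post above, as an added example that is not part of the original thread: one self-posting script for the first registration step, with the required-field list and the next page fixed on the server and the accepted values kept in the session. The field names, the `registration` session key and `step2_medical.php` are assumptions, and the syntax is for PHP 7.1 or later rather than the PHP of 2005.

```php
<?php
// Added example: step 1 of the registration chain (personal details).
// Field names and step2_medical.php are assumptions, not from the thread.
session_start();

// The server decides which fields exist, which are required and where to go
// next; none of this is read from hidden form fields or the Referer header.
$fields   = ['first_name', 'last_name', 'email', 'phone'];
$required = ['first_name', 'last_name', 'email'];
$next     = 'step2_medical.php';

function validate_step(array $post, array $fields, array $required): array
{
    $values = [];
    $errors = [];
    foreach ($fields as $name) {
        // Only known field names are read, and only scalar values accepted.
        $raw = $post[$name] ?? '';
        $values[$name] = is_scalar($raw) ? trim((string) $raw) : '';
        if (in_array($name, $required, true) && $values[$name] === '') {
            $errors[$name] = 'Required Field';
        }
    }
    return [$values, $errors];
}

$values = array_fill_keys($fields, '');
$errors = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$values, $errors] = validate_step($_POST, $fields, $required);
    if (!$errors) {
        // Keep this step's data server-side, under its own session key.
        $_SESSION['registration']['personal'] = $values;
        header('Location: ' . $next);
        exit;
    }
}
// First visit or failed validation: render the form, posting back to this script.
?>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>">
<?php foreach ($fields as $name): ?>
  <label><?= $name ?>
    <input name="<?= $name ?>" value="<?= htmlspecialchars($values[$name], ENT_QUOTES) ?>">
  </label>
  <?= htmlspecialchars($errors[$name] ?? '', ENT_QUOTES) ?><br>
<?php endforeach; ?>
  <input type="submit" value="Next">
</form>
```

Because the just-submitted values are redisplayed from the current request, nothing has to be written to the session until the step validates, and every value echoed back into the page is escaped first.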
 
That looks like the problem, thanks sleipnir.

I'm actually rather liking the idea of making one file to process all form pages, so I'll stick with it for now.

But your solution regarding the $_SERVER['HTTP_REFERER'] call looks to be the key.

I have removed this, and the session_register() calls and included another hidden variable at the top of each form called "source". This will hold the address of the current page.

All seems to be working well.

Thanks Again!
 