Re: How do I POST data with headers & make the browser follow?

On Thu, October 6, 2005 4:52 am, Ragnar wrote:
Everything you are trying to do with the cURL, multiple pages, and
whatnot scares the bejesus out of me...

Especially that you seem to be passing people's credit card numbers
around in this manner. [shudder]

> I did see that there is a FOLLOWLOCATION option you can set in cURL
> when you do your request, and thought "wicked, just what I needed",
> only to find out that it's not working (probably because I understand
> what it does wrong).

Most definitely you misunderstood what it does.

Here's what it REALLY does:

Suppose when cURL loads up the URL you ask for, it gets this back:

HTTP 302 Resource moved
Location: http://example.com/new_location_for_it.htm

If you have FOLLOWLOCATION set to 1, then cURL is just gonna go ahead
and request the new Location: and get you the damn answer you asked
for.

If you have it set to 0, you only get back the output from the 302
page -- So you can figure out exactly what the server is doing,
bouncing you around from page to page, with all these silly Location:
headers, chewing up valuable HTTP connection resources, and basically
putting a big server burden on whatever you are trying to get to.

[Actually, if HTTP/1.1 is being used, and Keep-alive is working
properly on all fronts, the burden is not so huge...  But that's not a
"given" for most servers/software today.]

> Pretty pretty please if anyone knows a solution for the above, let me
> know.

So I don't have any answer for what you're trying to do, except to sit
down and re-think all the bouncing around of data you're doing, and
most importantly where/how the credit card numbers are being
stored/transmitted, even in such temporary things as RAM, which is
swapped to hard drive, which is susceptible to attack.

On most shared servers, putting credit card info in SESSION data is
a Really Bad Idea (tm) as every other user on the shared system can
troll through your session data with little to no effort.

> Oh, and I'd also like to add that the information I am trying to get
> to the 3rd page in the example is sensitive (Credit Card details
> etc.), so $_GET and $_COOKIE are out of the question.

This statement alone makes me think that you believe that $_POST is
somehow "safer" than $_GET and $_COOKIE.

Please purge that idea right out of your head this instant.

By the time you are on your PHP script, talking to some other server,
the data you send to/from that other server, via GET, POST, or COOKIE
is no more or less secure in any of the three.

POST data from the browser is only 1/100000000th "more secure" than
GET in that any idiot can see the "Location" URL and play with it, and
it takes a tenth of a clue to do "Save As.." and muck with the <INPUT
tags to change POST data...

As an exercise, please try this yourself:

Surf to some page that has a FORM on it.
Save As... to your hard drive.
Change the <INPUT tags to whatever you think will cause "interesting"
results on that server.
Open that file in your browser and click on the "Submit" button.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
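
What the 302 handling described in the message looks like from the client side, as an added example that is not part of the original post. It uses Python's standard library rather than PHP's cURL binding so that a constructed local server and both client behaviours run in one file; the `/old` path, the response bodies and the function names are assumptions made up for the illustration. `http.client` never follows redirects (like FOLLOWLOCATION set to 0) and `urllib` does (like 1).

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    """Constructed test server: /old answers 302, anything else answers 200."""
    def do_GET(self):
        if self.path == "/old":
            body = b"moved"
            self.send_response(302)
            self.send_header("Location", "/new_location_for_it.htm")
        else:
            body = b"the answer you asked for"
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch_no_follow(port):
    # Equivalent of FOLLOWLOCATION = 0: the 302 itself is the result.
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/old")
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read())
    conn.close()
    return result

def fetch_follow(port):
    # Equivalent of FOLLOWLOCATION = 1: the client library issues a second
    # request to the Location target and returns that response instead.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(f"http://127.0.0.1:{port}/old", timeout=5) as resp:
        return (resp.status, resp.geturl(), resp.read())

def demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return fetch_no_follow(port), fetch_follow(port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for result in demo():
        print(result)
```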

