Re: Web application design considerations - a good reference?

Tony Marston wrote:


> > Let me expand on that. When you have a form (which is what most of your
> > application will be composed of), it will return all the data you need
> > to process it. You process it, and proceed to a menu or somesuch to
> > tackle the next task. If, for some reason, you need to track data across
> > invocations of screens, you can typically do it with hidden fields in
> > your forms.
>
> I would advise against this as hidden fields in forms are NOT in fact invisible. The user can see what is there simply by using the browser's "View Source" button. It is even possible for the user to copy the form, change the variables and submit it with different data. How much of a security breach could that be? I use session data for everything so that nothing is exposed on the client that does not need to be.

Hidden fields are good for some things but of course must be validated along with anything else sent by post.

I use hidden fields for things where keeping it in session might not be appropriate because the user may have several forms open at the same time.

But yeah - if session variables will work, then session variables should be used.

One place you should use hidden inputs is for a post validation token to prevent CSRF attacks.

I wrote a class that I use for that. Some consider it overkill as I use a database for it but it works for me:

http://www.clfsrpm.net/csrf/
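As an added illustration of the hidden-input CSRF token described above (not the poster's linked class, which uses a database), here is a session-backed version. The token is keyed by an assumed form name so that several forms open in different tabs each keep a valid token, and the `CSRF_MAX_TOKENS` cap is an assumption to stop the session from growing without bound.

```php
<?php
// Added example: session-stored CSRF tokens emitted as a hidden input.
// Only the random token value reaches the client; the session holds the copy
// that the POST handler compares against.
declare(strict_types=1);

const CSRF_MAX_TOKENS = 20; // assumed cap on tokens kept per session

function csrf_start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['csrf']) || !is_array($_SESSION['csrf'])) {
        $_SESSION['csrf'] = [];
    }
}

// Return (creating if needed) the token for one named form.
function csrf_token(string $form): string
{
    csrf_start_session();
    if (!isset($_SESSION['csrf'][$form])) {
        if (count($_SESSION['csrf']) >= CSRF_MAX_TOKENS) {
            array_shift($_SESSION['csrf']); // drop the oldest entry
        }
        $_SESSION['csrf'][$form] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'][$form];
}

// Hidden input to place inside the <form>; escaped like any other output.
function csrf_hidden_input(string $form): string
{
    $token = htmlspecialchars(csrf_token($form), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Validate in constant time and consume the token so it cannot be replayed.
function csrf_check(string $form, array $post): bool
{
    csrf_start_session();
    $expected = $_SESSION['csrf'][$form] ?? null;
    $given = $post['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    $ok = hash_equals($expected, $given);
    if ($ok) {
        unset($_SESSION['csrf'][$form]);
    }
    return $ok;
}
```

In the page that renders the form, echo `csrf_hidden_input('edit_profile')` inside the form; in the POST handler, reject the request (for example with a 403) when `csrf_check('edit_profile', $_POST)` returns false, before any other validation of the posted fields.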

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

