Eddie Drapkin wrote:
> On Mon, Aug 17, 2009 at 5:31 PM, Shawn McKenzie<nospam@xxxxxxxxxxxxx> wrote:
>> nashrul wrote:
>>> This is a newbie question...
>>> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
>>> submission from page1.php or page2.php will take user to page3.php.
>>> I know that we can use parameter that is appended in the action attribute of
>>> the form (e.g <FORM METHOD=POST ACTION="tes.php?var1=val1">)
>>> But I think, appending this parameter is transparent to the user, since it's
>>> visible in the url.
>>> And I think we can also use the hidden field or (form name ??.).
>>> So which one is most secured and better ??
>>> Thanks..
>> I personally don't see a problem with using get or post vars, but to
>> keep the user from being able to manipulate it do this. This could also
>> be in a header file included at the top of all pages:
>>
>> //page1.php and page2.php
>> session_start();
>> $_SESSION['page'] = $_SERVER['PHP_SELF'];
>>
>> //page3.php
>> session_start();
>> $page = $_SESSION['page'];
>> // use $page somehow . . .
>>
>> --
>> Thanks!
>> -Shawn
>> http://www.spidean.com
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
> This approach degrades very simply:
>
> 1) Say you have four pages, a.php, b.php, c.php and d.php.
> 2) b expects user to come from a, d from c.
> 3) I open two tabs, a.php and c.php.
> 4) $_SESSION['from'] is now c.php
> 5) I post to b from a, get an error. $_SESSION['from'] is now b.php.
> 6) I post to d from c and get an error.
>

Yep, I didn't really think it through :-(

--
Thanks!
-Shawn
http://www.spidean.com
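
The two-tab failure described above, next to one way to avoid it by keying the origin on a per-form token instead of a single session slot. This is an added example, not code from any poster in the thread; the function names and the form_token field are hypothetical, and a plain array stands in for $_SESSION so it runs from the command line.

```php
<?php
// Added example. $session stands in for $_SESSION so this runs under the CLI.

// Single-slot approach from the thread: every page load overwrites one key.
function visit_single(array &$session, string $page): void {
    $session['page'] = $page;
}
function origin_single(array $session): ?string {
    return $session['page'] ?? null;
}

// Per-form approach (hypothetical helper names): each rendered form gets its
// own random token, and the session maps token => page that rendered it.
function render_form(array &$session, string $page): string {
    $token = bin2hex(random_bytes(16));
    $session['form_origin'][$token] = $page;
    // The page would emit this as a hidden input named form_token (assumed name).
    return $token;
}
function origin_for(array &$session, string $token, array $allowed): ?string {
    $page = $session['form_origin'][$token] ?? null;
    unset($session['form_origin'][$token]);          // token is single-use
    // The origin comes from server-side state; the client only supplies the key.
    return in_array($page, $allowed, true) ? $page : null;
}

// Constructed scenario: one session, two tabs, a.php loaded before c.php.
$single = [];
visit_single($single, '/a.php');
visit_single($single, '/c.php');
// b.php expects /a.php, but the slot holds whichever page loaded last.
var_dump(origin_single($single) === '/a.php');

$perForm = [];
$tokA = render_form($perForm, '/a.php');
$tokC = render_form($perForm, '/c.php');
// b.php accepts only /a.php, d.php only /c.php; submission order is irrelevant.
var_dump(origin_for($perForm, $tokC, ['/c.php']));
var_dump(origin_for($perForm, $tokA, ['/a.php']));
// A replayed token and a made-up token both resolve to no origin.
var_dump(origin_for($perForm, $tokA, ['/a.php']));
var_dump(origin_for($perForm, 'not-a-real-token', ['/a.php']));
```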