PHP sending HTTP_POST_VARS to another page?

Question

Whats the best was of doing this?

Sessions? How can I take all my variables defined on 1 page and send them over to another.

I read using serialize convert the HTTP_POST_VARS to a string, and then pass that (using a hidden form/input?) and use unserialize on the other PHP page to get the variables back.

Also I saw someone just use something like:

<?php 
foreach($HTTP_POST_VARS as $key => $val) { 
?> 
<input type="hidden" name="<?php echo $key; ?>" value="<?php echo $val; ?>"> 
<?php 
} 
?>

Which seems ugly and asking for trouble.

---

Basically this is the run down of what I am trying to do:

The user fills out a form and then submits the form with all the information thats required. A second page intercepts all the HTTP_POST_VARS and then defines more variables. The user is asked if the information is correct and asked if they would like to submit all information. So far I have gotten this far. Now I want a button/link where the user clicks it and then it sends all the information page 2 has to another page where it finally runs the code to process all the information. (MYSQL, EMAILS, etc)

My ideal solution would be able to define something like onclick where I can just run a PHP function at whim, but that doesn't exist. One thing is I want to make sure information thats posted/pushed/whatever to page3 (processing) that its legit and actually comes from page2 (confirmation)...I don't want people just randomly making HTTP POSTs and having it validate. I was thinking of running some kind of MD5 stuff with a secret key to validate.

Does anyone have an elegant solution of a form where you have PART 1 ( filling out), PART 2 (confirmation to user) and PART 3 (processing all information from PART 2).

Answer 1

I would store the values in a session variable after the initial submission and then use them accordingly after confirmation/validation:

<?php

/////////////////////////////////
// STEP 1 - Initial Form Display
/////////////////////////////////

session_start();
echo '<form>';
echo '<input type="text" name="usr_name" />';
echo '<input type="text" name="usr_phone" />';
echo '<input type="text" name="invalid_field" />';
echo '<input type="submit" name="submit" value="Submit" />';
echo '</form>';

/////////////////////////////////
// STEP 2 - Confirmation Page
/////////////////////////////////

// change this by your global of choice ($_POST, $_GET, $_REQUEST)
$input_source &= $_GET;
// create an array of all input fields that start with 'usr_'
$input_fields = @preg_grep( '#^usr_[a-z]+#i', array_keys( $input_source ) );
if( !empty( $input_fields ) )
{
    // store all valid input fields in the session
    $_SESSION['input_values'] = array();
    foreach( $input_fields as $key )
    {
        $_SESSION['input_values'][$key] = $input_source[$key];
    }

    // create a checksum from the user's IP address and all input values (for false sense of security ^_^)
    $_SESSION['input_checksum'] = md5( $_SERVER['REMOTE_ADDR'] . '|' . join( '', $_SESSION['input_values'] ) );

    // logic for data validation and confirmation HTML goes here...
}

/////////////////////////////////
// STEP 3 - Final Validation
/////////////////////////////////

// check for the existence of the session values from step 2
if( !empty( $_SESSION['input_values'] ) && !empty( $_SESSION['input_checksum'] ) )
{
    // create comparison checksum for validation purposes
    $_comp_checksum = md5( $_SERVER['REMOTE_ADDR'] . '|' . join( '', $_SESSION['input_values'] ) );

    // check session and comparisson checksums
    if( $_SESSION['input_checksum'] == $_comp_checksum )
    {
        // confirmation/validation looks good, proceed...
    }
}

?>

Answer 2

How about to share your needed information into the session after page1?

Well here you got everything you need: php - session reference

Answer 3

I generally just put everything into Session variables AFTER I have validated the information. I have always had pretty good luck with that and since there is generally not a lot of user information like you are talking about the overhead really isn't all that bad. Now, if you are talking A LOT of data then you may want to consider a different method.

Like I said, this may not be the most elegant solution but it will certainly work.

Answer 4

Ugly and asking for trouble? I think you're on to something.

Ideally, you could store previously-entered data in session state, which stores the data on the server.

Alternatively, if the state needs to be stored in the browser page, you can use the method you mentioned, or you can do something a bit more like Microsoft's "view state" variable.

Essentially, you serialize your data, perhaps encrypt and/or sign the result, and then base64 encode the whole lump and stick the result in hidden variable on the page. The advantage of doing it this way include (a) not polluting your namespace with old variable names, (b) not confusing form-filling addons and utilities, (c) tamper-resistant variable storage (esp. if encrypted or signed).