Hide GET Variables --> Pass values using Session

  • André Gasser

    Hide GET Variables --> Pass values using Session

    Hello there!

    Can someone please help me on this:


    I have a PHP file which lists some records. On this list, the records
    can be sorted on different columns. Currently the sort column and the
    direction of sorting are passed using GET values; this means the user
    clicks the column name (which is a link) so the new sort column and
    direction are passed to the script:

    <a href="main.php?page=news&sortfield=title&sortorder=asc">


    Now my question is whether it's possible to hide those values, so they
    don't appear in the URL, but sorting should work anyway. This means
    that

    1. when the user clicks on a column, the new sort order has to be set
    2. the page has to be reloaded, so the new sort order gets displayed.

    I'd like to do this using sessions, but I don't know how to update a
    session value when clicking on a link without using GET values...


    Can someone give me a tip? Like I said, the idea is to completely hide
    the URL GET values... Sessions are OK.

    Thank you very much for your help here..

    André
  • Ewoud Dronkert

    #2
    Re: Hide GET Variables --> Pass values using Session

    On 17 Mar 2005 03:55:57 -0800, André Gasser wrote:
    > the idea is to completely hide the url GET values... Sessions are ok.

    I don't think you can remove them from the link, you can get them out of
    the address bar though, for example like this:

    Write the link <a href="set.php?sortcol=name&sortorder=asc">. Let
    set.php be a script without any output. Set session variables there
    $_SESSION['sortcol']=$_GET['sortcol'] (with appropriate checks for
    safety) and use header() to go back to $_SERVER['HTTP_REFERER']. Include
    session_start() at top of every script.


    --
    Firefox Web Browser - Rediscover the web - http://getffox.com/
    Thunderbird E-mail and Newsgroups - http://gettbird.com/

    • Michael Winter

      #3
      Re: Hide GET Variables --> Pass values using Session

      Ewoud Dronkert wrote:

      > [...] use header() to go back to $_SERVER['HTTP_REFERER'].

      I would have thought that explicitly providing the URL would be
      better. Relying on an optional header is a bad idea, surely?

      Mike

      --
      Michael Winter
      Replace ".invalid" with ".uk" to reply by e-mail.

      • Kenneth Downs

        #4
        Re: Hide GET Variables --> Pass values using Session

        André Gasser wrote:

        >
        >
        > now my question is, if it's possible to hide those values, so they
        > don't appear on the url, but sorting should work anyway. This means
        > that
        >

        You need to know about the HTML technology of forms and the "post" action,
        and the PHP array $_POST.

        Try this, then look up the HTML spec at www.w3c.org and reread the tutorial
        to PHP:

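        <form action="someprogram.php" method="post">
        Type something here: <input name="test"/>
        <button type="submit">Submit</button>
        </form>

        Then make someprogram.php:

        <?php
        // Escape the submitted value before echoing it back into HTML.
        echo "You entered: " . htmlspecialchars($_POST["test"] ?? "", ENT_QUOTES, "UTF-8");
        ?>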

        Whether or not you store these preferences in a session or a database is
        another discussion.
        --
        Kenneth Downs
        Secure Data Software, Inc.
        (Ken)nneth@(Sec )ure(Dat)a(.com )

        • Ewoud Dronkert

          #5
          Re: Hide GET Variables --> Pass values using Session

          On Thu, 17 Mar 2005 12:36:51 GMT, Michael Winter wrote:
          > I would have thought that explicitly providing the URL would be
          > better. Relying on an optional header is a bad idea, surely?

          Of course, that's the safest. If his environment is controlled enough
          (company internal web app) he might not need it. Which browsers or
          platforms/setups are known for not providing the referrer?

          --
          Firefox Web Browser - Rediscover the web - http://getffox.com/
          Thunderbird E-mail and Newsgroups - http://gettbird.com/

          • John Dunlop

            #6
            Re: Hide GET Variables --> Pass values using Session

            Ewoud Dronkert wrote:

            > Which browsers or platforms/setups are known for not providing
            > the referrer?

            I recently upgraded Opera and by default it sent out my
            referrer information. For what it's worth, I haven't
            changed that yet.

            I would advise against using $_SERVER['HTTP_REFERER']
            without first checking not only that it is set, but also
            that its value is in the form you're expecting. In short,
            treat it as user input, because that's what it is.

            news:MPG.1c8e5eb987e3ab3998987f@News.Individual.NET

            --
            Jock
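
The set.php approach from this thread with the checks the replies ask for, as an added example that is not any poster's code: sort values are accepted only from an allowlist, and the redirect target is built server-side instead of being read from $_SERVER['HTTP_REFERER']. The column names other than title, the page list, and the page parameter on set.php are assumptions.

```php
<?php
// set.php (added example): store the sort preference, then redirect. No output.

// Assumed allowlists. Only "title", "asc" and "news" appear in the thread;
// the other entries are hypothetical.
const SORT_COLUMNS = ['title', 'date', 'author'];
const SORT_ORDERS  = ['asc', 'desc'];
const PAGES        = ['news'];

// Return $value if it is a string on the allowlist, otherwise $default.
function pick($value, array $allowed, string $default): string
{
    return is_string($value) && in_array($value, $allowed, true) ? $value : $default;
}

// Update the stored preference; a rejected value leaves the previous one in place.
function update_sort(array $query, array &$session): void
{
    $session['sortcol'] = pick($query['sortcol'] ?? null, SORT_COLUMNS,
        $session['sortcol'] ?? SORT_COLUMNS[0]);
    $session['sortorder'] = pick($query['sortorder'] ?? null, SORT_ORDERS,
        $session['sortorder'] ?? SORT_ORDERS[0]);
}

// Build the redirect target from allowlisted values only. HTTP_REFERER is never
// read: it is optional and client-controlled, so it is treated as user input.
function redirect_target(array $query): string
{
    return 'main.php?page=' . rawurlencode(pick($query['page'] ?? null, PAGES, PAGES[0]));
}

session_start();
update_sort($_GET, $_SESSION);
header('Location: ' . redirect_target($_GET), true, 303);
exit;
```

The column link becomes <a href="set.php?page=news&sortcol=title&sortorder=asc">, and main.php reads the two session keys, which can only ever hold allowlisted values.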

            • Michael Winter

              #7
              Re: Hide GET Variables --> Pass values using Session

              Ewoud Dronkert wrote:

              > On Thu, 17 Mar 2005 12:36:51 GMT, Michael Winter wrote:
              >
              >> I would have thought that explicitly providing the URL would be
              >> better. Relying on an optional header is a bad idea, surely?
              >
              > Of course, that's the safest. If his environment is controlled enough
              > (company internal web app) he might not need it.

              True. It's also possible that the OP isn't aware that the Referer
              [sic] header is optional, and that this /is/ for the Web. :P That's
              the only reason why I brought it up.

              > Which browsers or platforms/setups are known for not providing the
              > referrer?

              None spring to mind at the moment. However, all of the user agents I
              can remember using have provided me with the ability to disable the
              header. Whether disabling the header is a good idea or not is not up
              for debate: it is the user's choice to make. It might also be the
              choice of a third-party and the user may have no control over that
              decision.

              Mike

              --
              Michael Winter
              Replace ".invalid" with ".uk" to reply by e-mail.

              • NSpam

                #8
                Re: Hide GET Variables --> Pass values using Session

                Kenneth Downs wrote:
                > André Gasser wrote:
                >
                >
                >>
                >>now my question is, if it's possible to hide those values, so they
                >>don't appear on the url, but sorting should work anyway. This means
                >>that
                >>
                >
                >
                > You need to know about the HTML technology of forms and the "post" action,
                > and the PHP array $_POST.
                >
                > Try this, then look up the HTML spec at www.w3c.org and reread the tutorial
                > to PHP:
                >
                > <form action="someprogram.php" method="post">
                > Type something here: <input name="test"/>
                > <button type="submit"/>
                > </form>
                >
                > Then make someprogram.php :
                >
                > <?php
                > echo "You entered: ".$_POST["test"];
                > ?>
                >
                > Whether or not you store these preferences in a session or a database is
                > another discussion.
                Yup, use forms and/or sessions to hide the info; a database table is
                another option. Guess it depends how sensitive the GET params are. If you
                can, then do it server side.

                • Kenneth Downs

                  #9
                  Re: Hide GET Variables --> Pass values using Session

                  NSpam wrote:

                  > Kenneth Downs wrote:
                  >> André Gasser wrote:
                  >>
                  >>
                  >>>
                  >>>now my question is, if it's possible to hide those values, so they
                  >>>don't appear on the url, but sorting should work anyway. This means
                  >>>that
                  >>>
                  >>
                  >>
                  >> You need to know about the HTML technology of forms and the "post"
                  >> action, and the PHP array $_POST.
                  >>
                  >> Try this, then look up the HTML spec at www.w3c.org and reread the
                  >> tutorial to PHP:
                  >>
                  >> <form action="someprogram.php" method="post">
                  >> Type something here: <input name="test"/>
                  >> <button type="submit"/>
                  >> </form>
                  >>
                  >> Then make someprogram.php :
                  >>
                  >> <?php
                  >> echo "You entered: ".$_POST["test"];
                  >> ?>
                  >>
                  >> Whether or not you store these preferences in a session or a database is
                  >> another discussion.
                  > Yup use forms and/or sessions to hide the info, a database table is
                  > another option, guess it depends how sensitive the GET parms are. If you
                  > can then do it server side.

                  I've been meaning to run some definitive speed tests to determine relative
                  speeds of db queries vs includes (with various path depths) vs extra bytes
                  on the wire for hidden inputs, but I'm just too durn lazy, it keeps getting
                  pushed back.

                  --
                  Kenneth Downs
                  Secure Data Software, Inc.
                  (Ken)nneth@(Sec )ure(Dat)a(.com )
