Hiding variables passed via URL

This topic is closed.
  • The Natural Philosopher

    #46
    Re: Hiding variables passed via URL

    Michael Fesser wrote:
    .oO(The Natural Philosopher)
    >
    >Geoff Berrow wrote:
    >>
    >>You started digging a hole when you suggested using the POST method and
    >>clearly haven't stopped digging yet.
    >Post method perfectly valid in fact.
    >
    Not really, as already mentioned at the beginning of the thread. A POST
    can't automatically be redirected to another URL. And you surely don't
    want to put every single page into a form and use submit buttons instead
    of links ... or maybe you do.
    >
    if you use Javascript methods to SUBMIT, it looks and feel just the way
    a standard link does.
    >There are only three ways of preserving states across http sessions:
    >Post, Get and cookies.
    >
    POST - almost useless
    GET - dangerous
    COOKIE - recommended
    >
    But we're spinning in circles.
    >
    Micha

    Comment

    • Ameen

      #47
      Re: Hiding variables passed via URL

      On Jul 12, 6:44 pm, choch...@gmail.com wrote:
      Hi,
      >
      I have a PHP script that does some processing, and stores an error
      message as a variable. The script then redirects to another script
      with the error string in the URL, with the second script displaying
      the message and continues with the rest of the logic.
      >
      Now I want to hide the error message from the URL, but the second
      script needs to continue working as is. How can I do this? I have
      thought about md5'ing the message but the URLs still look messy. Any
      other alternatives?
      >
      The script works like this;
      $err = "";
      $res = process();
      if ($res == 0)
      {
       $err = "An error message";
      }
      >
      header("Location: script2.php?err=".urlencode($err));
      >
      Script2.php would display this message and continue with the rest of
      the logic. Now I want to hide the Error message $err  from the URL
      after a redirect. How do I do this?
      >
      Thanks in advance.
      I feel that these might help:


      PHP is a popular general-purpose scripting language that powers everything from your blog to the most popular websites in the world.



      the main page:
      PHP is a popular general-purpose scripting language that powers everything from your blog to the most popular websites in the world.


      But I don't know how to use it even if it really does the purpose or
      not.
      Actually I am a beginner in PHP.

      Comment
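
An added example (not part of any post in this thread, and not any poster's code): the redirect from the quoted question reworked so the error text stays in the server-side session and only a cookie-borne session ID reaches the browser, the approach argued for elsewhere in the thread. It assumes PHP 7.3 or later; the helper names (`start_session_cookie_only`, `flash_set`, `flash_take`) and the stubbed `process()` are hypothetical, and the same file is saved as both `script1.php` and `script2.php`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Save this one file under both
// names, script1.php and script2.php; process() is a stub for the poster's
// own function.

function start_session_cookie_only(): void
{
    // The session ID travels only in a cookie, never in the URL, so it
    // cannot leak through the Referer header or a copied link.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // ignore IDs the server never issued
    session_set_cookie_params([
        'path'     => '/',
        'httponly' => true,                      // hidden from page scripts
        'secure'   => !empty($_SERVER['HTTPS']), // HTTPS-only when available
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Store a one-shot message server-side; the browser never sees its text
// until script2 chooses to print it.
function flash_set(string $key, string $message): void
{
    $_SESSION['flash'][$key] = $message;
}

// Read the message and delete it, so a reload of script2 does not repeat it.
function flash_take(string $key): ?string
{
    $message = $_SESSION['flash'][$key] ?? null;
    unset($_SESSION['flash'][$key]);
    return $message;
}

// Stub: returns 0 for failure, matching the test in the question.
function process(): int
{
    return 0;
}

function script1(): void
{
    start_session_cookie_only();
    if (process() == 0) {
        flash_set('err', 'An error message');
    }
    session_write_close();                      // flush before redirecting
    header('Location: script2.php', true, 303); // clean URL, no ?err=...
    exit;
}

function script2(): void
{
    start_session_cookie_only();
    $err = flash_take('err');
    if ($err !== null) {
        // Escape on output even though the text came from our own session.
        echo '<p class="error">', htmlspecialchars($err, ENT_QUOTES, 'UTF-8'), '</p>';
    }
    echo '<p>Rest of the script2 logic continues here.</p>';
}

// Dispatch on the name the file was saved under.
if (PHP_SAPI !== 'cli') {
    if (basename($_SERVER['SCRIPT_NAME']) === 'script1.php') {
        script1();
    } else {
        script2();
    }
}
```

Because the message is keyed to the session rather than carried in the request, editing the URL or the cookie value cannot change the text that script2 displays.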

      • Michael Fesser

        #48
        Re: Hiding variables passed via URL

        .oO(The Natural Philosopher)
        >Michael Fesser wrote:
        >
        >Not really, as already mentioned at the beginning of the thread. A POST
        >can't automatically be redirected to another URL. And you surely don't
        >want to put every single page into a form and use submit buttons instead
        >of links ... or maybe you do.
        >>
        >
        >if you use Javascript methods to SUBMIT, it looks and feel just the way
        >a standard link does.
        Sure. Makes the pages perfectly inaccessible for many people, perhaps
        even for search engines.

        Micha

        Comment

        • Chuck

          #49
          Re: Hiding variables passed via URL


          "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
          news:g5gj6a$vu2$1@registered.motzarella.org...
          burgermeister01@gmail.com wrote:
          >On Jul 14, 3:47 pm, The Natural Philosopher <a...@b.c> wrote:
          >>Michael Fesser wrote:
          >>>.oO(The Natural Philosopher)
          >>>>I have no trouble understanding cookies and sessions.
          >>>>It's Jerry's assumptions that I didn't know that irritate.
          >>>>All that is needed to preserve states across a session is to have some
          >>>>unique session ID. That has to be carried by a cookie or by a URL.
          >>>>After that, you can associate any amount of crap with that session ID.
          >>>>I simply didn't see any difference in principle between carrying the
          >>>>session ID as a URL than as a cookie.
          >>>There are a dozen ways for a URL to leak (the HTTP_REFERER is just one
          >>>way), which would easily allow other sites to grab valid session IDs.
          >>>Such attacks were done some years ago against a number of big free mail
          >>>services, which led to thousands of stolen accounts.
          >>>Session cookies are much more secure, because you actually have to
          >>>sniff
          >>>the HTTP communication between the clients and the server or use XSS to
          >>>grab them.
          >>>>Which I pointed out. Jerry then said 'what's cookies got to do with
          >>>>it'
          >>>>so I explained what they had to do with it.
          >>>But they don't have anything to do with the OPs problem, which was
          >>>about
          >>>passing data from one page to another. POST won't work here, GET is not
          >>>wanted, so the only viable alternative is a session. Question answered.
          >>No the only viable way is a cookie. Whether or not that is used with PHP
          >>sessions or not, is actually not the point. They are no more secure than
          >>simply setting a number in your own custom cookie.
          >>>
          >>All PHP sessions are are a way of passing a unique ID using cookies, and
          >>a handy interface for dummies, but they still use either the URL or the
          >>cookie to pass that one vital bit of info.
          >>>
          >>Now I also thought that the point was that the user was worried about
          >>his clients seeing the info in the URL and messing with it.
          >>>
          >>My point was that they could as easily mess with the cookies.
          >>>
          >>I don't recall any issues about security with respect to third parties
          >>at all, which makes your point another straw man.
          >>>
          >>>
          >>>
          >>>Micha
          >>
          >Okay, I'm beginning to see why some other group members are rather
          >frustrated with Natural Philosopher.
          >>
          >Using sessions only stores the ID associated with the user on the
          >client machine. That ID is linked to the client's data which is stored
          >on a file on the server the client is communicating with. Cookies
          >actually store all the data on the client machine. That means that
          >when you use cookies, all the data is available for the client to view
          >and edit. Using sessions separates the client from his or her data,
          >thus making it uneditable; the only thing that can be edited on the
          >client is the session ID, which isn't very useful, since at best you
          >associate yourself with someone else's data, and at worse, you divorce
          >the client from its session data. Therefore, using sessions is more
          >secure because the client cannot directly access his or her data.
          >>
          >How did this even become a security discussion????
          >>
          >
          Ever since The Natural Philosopher made another stupid comment and I
          called him on it.
          >
          Now he's doing his best to try to justify his stupidity.
          It seems to me, Jerry, that Phil is making a point you are not catching. You
          seem busy about all manner of things NOT related to what he is saying, yet
          you are bashing him for what he IS saying. You haven't stopped to hear him.

          You asked what cookies had to do with anything. He's saying that it's one
          way for the PHP_SESSION_ID to be passed between the client and server. You
          assume, inappropriately, that he means ALL SESSION DATA is passed around in
          a cookie. You seemed to be a bit in a rush to 'call him on it'...even when
          he clearly explained that was NOT what he meant. However, now that he has
          painstakingly TRIED to clear up YOUR confusion, you keep playing the
          champion...beating your chest, as it were, like a juvenile gorilla afraid of
          a real confrontation, hoping all the arm-waving commotion will scare off your
          'rival' before he notices it's all a front.

          He's only talking about passing the session ID. Nothing more than that,
          Jerry. Since you were the one who was pondering how cookies fit into
          sessions, I fail to see how you could possibly a good argument...since yours
          would seemingly be made from ignorance. Further, after all of your raging
          tantrums in a know-it-all fashion, it seems you have projection issues as
          all fingers should be pointing to your own lack of reading
          comprehension...or your willingness to only give others' remarks cursory
          scans. Obviously, the latter is quite dangerous as it can lead to the
          offender looking a fool.

          Consider yourself, 'called on it'.

          Someone needs to grow up. And if he can't read that, maybe he'll catch his
          name...JERRY.


          Comment

          • Chuck

            #50
            Re: OT Re: Hiding variables passed via URL

            Ah, joining a flame war...nothing quite like it.

            Jerry might be a dick from time to time, but his participation and
            helpfulness to the PHP groups is unprecedented. On days I lurk he has
            questions answered before I even can write a response.

            To top that I've actually seen messages where he admits he's wrong;
            the last thing he's doing here is stroking his e-peen.

            =======

            From what I've seen, he's becoming a 'dick' more and more as of late. I've
            only seen him admit he was wrong ONCE...and that was after beating him to
            death with the facts until he had to say something. He was going to let it
            slide.

            He may have copious replies, but even though quantity may have a quality all
            its own it hardly matters to an individual looking for a single quality
            response. I've seen Jerry wrong almost as often as I've seen him be right.

            He also seems to relish being confronted. You can tell when Jerry is wrong
            when he plonks people that kindly disagree with him - all the while Jerry is
            cursing and throwing insults. That is a very common occurrence. He loves to
            claim 'troll' or 'stoopid'. Yes, there's some mighty big stroking going on
            there.

            What I truly wonder is how Jerry can afford to post here 24/7/365? He
            obviously is NOT employed, or, is wasting his employer's time and money.
            That, or he's loaded...and not just with booze and pills. :)


            Comment

            • Chuck

              #51
              Re: Hiding variables passed via URL


              "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
              news:g5dkfu$qc2$1@registered.motzarella.org...
              Jeff wrote:
              >Jerry Stuckle wrote:
              >>Jeff wrote:
              >>>C. (http://symcbean.blogspot.com/) wrote:
              >>>>On Jul 13, 7:13 am, The Natural Philosopher <a...@b.c> wrote:
              >>>>>Michael Fesser wrote:
              >>>>>>.oO(The Natural Philosopher)
              >>>>>>>Michael Fesser wrote:
              >>>>>>>>You can't redirect a POST request.
              >>>>>>>Are you sure?
              >>>>>>Sending POST data to another location must be triggered or at least
              >>>>>>confirmed by the user. Automatically redirecting anything other than
              >>>>>>GET or HEAD is explicitly forbidden by the HTTP spec ("MUST NOT").
              >>>>>Ah, it may be forbidden, but does it work? ;-)
              >>>>>>
              >>>>>>Micha
              >>>>>
              >>>>NO
              >>>>
              >>>>
              >>> Let's say we wanted to post something in the background (ie, not
              >>>redirect the browser). How do you do that in PHP? In perl, I'd use the
              >>>LWP library.
              >>>>
              >>> I'm not sure what I'd be looking for, but I don't seem to find it
              >>>here:
              >>>>
              >>>http://www.php.net/manual/en/funcref.php
              >>>>
              >>> Jeff
              >>>>
              >>>
              >>What do you mean by "post something in the background"? You either post
              >>or you don't post. There is no foreground or background on the web.
              >>
              > I found this just after I posted:
              >>
              >http://us.php.net/manual/en/book.http.php
              >>
              > But I'm unsure how that works as it is missing the examples.
              >>
              > Having a server retrieve a page or post data is not an unusual thing to
              >do. You may refer to it differently and my choice of terms may be bad.
              >One use would be if you are transparently handling something like a
              >Credit Card transaction and you don't want to take the customer off the
              >site. Usually you'd want that done with SSL and not on the query string.
              >>
              > Jeff
              >>>
              >>
              >
              Ok, you're talking about using the cURL libraries - that's the easiest
              way, although you could do it with sockets, also.
              >
              Additionally, whether you're using SSL or not is completely independent of
              whether you're using a query string (GET method) or not. GET/POST is a
              means of transferring data between applications. SSL runs at a lower
              level to encrypt/decrypt data. There is no relationship between them.
              Here's my case-in-point, Jerry. You muddle what he's saying about SSL and
              the query string. It would seem you can't allow that the conjunction 'and'
              is joining two independent entities, as in, "you should use such
              transactions over SSL...oh, and it's NOT a good idea to use the query string
              to pass that transaction data to the server".

              Again, it would seem that you have your own way of reading. It's just not
              exactly in line with what others are writing/saying.


              Comment

              • Jerry Stuckle

                #52
                Re: OT Re: Hiding variables passed via URL

                Chuck wrote:
                Ah, joining a flame war...nothing quite like it.
                >
                Jerry might be a dick from time to time, but his participation and
                helpfulness to the PHP groups is unprecedented. On days I lurk he has
                questions answered before I even can write a response.
                >
                To top that I've actually seen messages where he admits he's wrong;
                the last thing he's doing here is stroking his e-peen.
                >
                =======
                >
                From what I've seen, he's becoming a 'dick' more and more as of late. I've
                only seen him admit he was wrong ONCE...and that was after beating him to
                death with the facts until he had to say something. He was going to let it
                slide.
                >
                He may have copious replies, but even though quantity may have a quality all
                its own it hardly matters to an individual looking for a single quality
                response. I've seen Jerry wrong almost as often as I've seen him be right.
                >
                He also seems to relish being confronted. You can tell when Jerry is wrong
                when he plonks people that kindly disagree with him - all the while Jerry is
                cursing and throwing insults. That is a very common occurrence. He loves to
                claim 'troll' or 'stoopid'. Yes, there's some mighty big stroking going on
                there.
                >
                What I truly wonder is how Jerry can afford to post here 24/7/365? He
                obviously is NOT employed, or, is wasting his employer's time and money.
                That, or he's loaded...and not just with booze and pills. :)
                >
                >
                >
                I plonk people when they become obnoxious - not when they disagree kindly.

                And I have a job - I am self-employed with my own company. I can afford
                to take breaks to answer questions here.

                And yes, I do admit when I'm wrong. But just because someone else
                disagrees with me doesn't mean I'm wrong.

                --
                ==================
                Remove the "x" from my email address
                Jerry Stuckle
                JDS Computer Training Corp.
                jstucklex@attglobal.net
                ==================

                Comment

                • Jerry Stuckle

                  #53
                  Re: Hiding variables passed via URL

                  Chuck wrote:
                  "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                  news:g5gj6a$vu2$1@registered.motzarella.org...
                  >burgermeister01@gmail.com wrote:
                  >>On Jul 14, 3:47 pm, The Natural Philosopher <a...@b.c> wrote:
                  >>>Michael Fesser wrote:
                  >>>>.oO(The Natural Philosopher)
                  >>>>>I have no trouble understanding cookies and sessions.
                  >>>>>It's Jerry's assumptions that I didn't know that irritate.
                  >>>>>All that is needed to preserve states across a session is to have some
                  >>>>>unique session ID. That has to be carried by a cookie or by a URL.
                  >>>>>After that, you can associate any amount of crap with that session ID.
                  >>>>>I simply didn't see any difference in principle between carrying the
                  >>>>>session ID as a URL than as a cookie.
                  >>>>There are a dozen ways for a URL to leak (the HTTP_REFERER is just one
                  >>>>way), which would easily allow other sites to grab valid session IDs.
                  >>>>Such attacks were done some years ago against a number of big free mail
                  >>>>services, which led to thousands of stolen accounts.
                  >>>>Session cookies are much more secure, because you actually have to
                  >>>>sniff
                  >>>>the HTTP communication between the clients and the server or use XSS to
                  >>>>grab them.
                  >>>>>Which I pointed out. Jerry then said 'what's cookies got to do with
                  >>>>>it'
                  >>>>>so I explained what they had to do with it.
                  >>>>But they don't have anything to do with the OPs problem, which was
                  >>>>about
                  >>>>passing data from one page to another. POST won't work here, GET is not
                  >>>>wanted, so the only viable alternative is a session. Question answered.
                  >>>No the only viable way is a cookie. Whether or not that is used with PHP
                  >>>sessions or not, is actually not the point. They are no more secure than
                  >>>simply setting a number in your own custom cookie.
                  >>>>
                  >>>All PHP sessions are are a way of passing a unique ID using cookies, and
                  >>>a handy interface for dummies, but they still use either the URL or the
                  >>>cookie to pass that one vital bit of info.
                  >>>>
                  >>>Now I also thought that the point was that the user was worried about
                  >>>his clients seeing the info in the URL and messing with it.
                  >>>>
                  >>>My point was that they could as easily mess with the cookies.
                  >>>>
                  >>>I don't recall any issues about security with respect to third parties
                  >>>at all, which makes your point another straw man.
                  >>>>
                  >>>>
                  >>>>
                  >>>>Micha
                  >>Okay, I'm beginning to see why some other group members are rather
                  >>frustrated with Natural Philosopher.
                  >>>
                  >>Using sessions only stores the ID associated with the user on the
                  >>client machine. That ID is linked to the client's data which is stored
                  >>on a file on the server the client is communicating with. Cookies
                  >>actually store all the data on the client machine. That means that
                  >>when you use cookies, all the data is available for the client to view
                  >>and edit. Using sessions separates the client from his or her data,
                  >>thus making it uneditable; the only thing that can be edited on the
                  >>client is the session ID, which isn't very useful, since at best you
                  >>associate yourself with someone else's data, and at worse, you divorce
                  >>the client from its session data. Therefore, using sessions is more
                  >>secure because the client cannot directly access his or her data.
                  >>>
                  >>How did this even become a security discussion????
                  >>>
                  >Ever since The Natural Philosopher made another stupid comment and I
                  >called him on it.
                  >>
                  >Now he's doing his best to try to justify his stupidity.
                  >
                  It seems to me, Jerry, that Phil is making a point you are not catching. You
                  seem busy about all manner of things NOT related to what he is saying, yet
                  you are bashing him for what he IS saying. You haven't stopped to hear him.
                  >
                  You asked what cookies had to do with anything. He's saying that it's one
                  way for the PHP_SESSION_ID to be passed between the client and server. You
                  assume, inappropriately, that he means ALL SESSION DATA is passed around in
                  a cookie. You seemed to be a bit in a rush to 'call him on it'...even when
                  he clearly explained that was NOT what he meant. However, now that he has
                  painstakingly TRIED to clear up YOUR confusion, you keep playing the
                  champion...beating your chest, as it were, like a juvenile gorilla afraid of
                  a real confrontation, hoping all the arm-waving commotion will scare off your
                  'rival' before he notices it's all a front.
                  >
                  He's only talking about passing the session ID. Nothing more than that,
                  Jerry. Since you were the one who was pondering how cookies fit into
                  sessions, I fail to see how you could possibly a good argument...since yours
                  would seemingly be made from ignorance. Further, after all of your raging
                  tantrums in a know-it-all fashion, it seems you have projection issues as
                  all fingers should be pointing to your own lack of reading
                  comprehension...or your willingness to only give others' remarks cursory
                  scans. Obviously, the latter is quite dangerous as it can lead to the
                  offender looking a fool.
                  >
                  Consider yourself, 'called on it'.
                  >
                  Someone needs to grow up. And if he can't read that, maybe he'll catch his
                  name...JERRY.
                  >
                  >
                  >
                  No, I know what he meant. And my comment stands - as do the comments of
                  others in this thread. His comment was completely unrelated to the
                  discussion at hand.

                  --
                  ==================
                  Remove the "x" from my email address
                  Jerry Stuckle
                  JDS Computer Training Corp.
                  jstucklex@attglobal.net
                  ==================

                  Comment

                  • Chuck

                    #54
                    Re: OT Re: Hiding variables passed via URL


                    "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                    news:g5qttp$j0l$5@registered.motzarella.org...
                    Chuck wrote:
                    >Ah, joining a flame war...nothing quite like it.
                    >>
                    >Jerry might be a dick from time to time, but his participation and
                    >helpfulness to the PHP groups is unprecedented. On days I lurk he has
                    >questions answered before I even can write a response.
                    >>
                    >To top that I've actually seen messages where he admits he's wrong;
                    >the last thing he's doing here is stroking his e-peen.
                    >>
                    >=======
                    >>
                    >From what I've seen, he's becoming a 'dick' more and more as of late.
                    >I've only seen him admit he was wrong ONCE...and that was after beating
                    >him to death with the facts until he had to say something. He was going
                    >to let it slide.
                    >>
                    >He may have copious replies, but even though quantity may have a quality
                    >all its own it hardly matters to an individual looking for a single
                    >quality response. I've seen Jerry wrong almost as often as I've seen him
                    >be right.
                    >>
                    >He also seems to relish being confronted. You can tell when Jerry is
                    >wrong when he plonks people that kindly disagree with him - all the while
                    >Jerry is cursing and throwing insults. That is a very common occurrence.
                    >He loves to claim 'troll' or 'stoopid'. Yes, there's some mighty big
                    >stroking going on there.
                    >>
                    >What I truly wonder is how Jerry can afford to post here 24/7/365? He
                    >obviously is NOT employed, or, is wasting his employer's time and money.
                    >That, or he's loaded...and not just with booze and pills. :)
                    >
                    I plonk people when they become obnoxious - not when they disagree kindly.
                    No...generally I see you are the first to call names, illicitly, and only
                    plonk when you've no way to defend your position...because you are wrong in
                    those cases.
                    And I have a job - I am self-employed with my own company. I can afford
                    to take breaks to answer questions here.
                    You look to be 65 and you have no website. You post consistently, not
                    sporadically as I'd expect to see if you were 'breaking'. I hope your
                    medicare is up to date.
                    And yes, I do admit when I'm wrong. But just because someone else
                    disagrees with me doesn't mean I'm wrong.
                    Once in a blue moon, a gray wolf will cackle like a hen too. And, just
                    because you *think* you're right doesn't make you right. RARELY do I ever
                    see you support your arguments with proof, i.e. cites, references, results,
                    etc..


                    Comment

                    • Chuck

                      #55
                      Re: Hiding variables passed via URL


                      "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                      news:g5qu03$j0l$6@registered.motzarella.org...
                      Chuck wrote:
                      >"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                      >news:g5gj6a$vu2$1@registered.motzarella.org...
                      >>burgermeister01@gmail.com wrote:
                      >>>On Jul 14, 3:47 pm, The Natural Philosopher <a...@b.c> wrote:
                      >>>>Michael Fesser wrote:
                      >>>>>.oO(The Natural Philosopher)
                      >>>>>>I have no trouble understanding cookies and sessions.
                      >>>>>>It's Jerry's assumptions that I didn't know that irritate.
                      >>>>>>All that is needed to preserve states across a session is to have
                      >>>>>>some
                      >>>>>>unique session ID. That has to be carried by a cookie or by a URL.
                      >>>>>>After that, you can associate any amount of crap with that session
                      >>>>>>ID.
                      >>>>>>I simply didn't see any difference in principle between carrying the
                      >>>>>>session ID as a URL than as a cookie.
                      >>>>>There are a dozen ways for a URL to leak (the HTTP_REFERER is just
                      >>>>>one
                      >>>>>way), which would easily allow other sites to grab valid session IDs.
                      >>>>>Such attacks were done some years ago against a number of big free
                      >>>>>mail
                      >>>>>services, which led to thousands of stolen accounts.
                      >>>>>Session cookies are much more secure, because you actually have to
                      >>>>>sniff
                      >>>>>the HTTP communication between the clients and the server or use XSS
                      >>>>>to
                      >>>>>grab them.
                      >>>>>>Which I pointed out. Jerry then said 'what's cookies got to do with
                      >>>>>>it'
                      >>>>>>so I explained what they had to do with it.
                      >>>>>But they don't have anything to do with the OPs problem, which was
                      >>>>>about
                      >>>>>passing data from one page to another. POST won't work here, GET is
                      >>>>>not
                      >>>>>wanted, so the only viable alternative is a session. Question
                      >>>>>answered.
                      >>>>No the only viable way is a cookie. Whether or not that is used with
                      >>>>PHP
                      >>>>sessions or not, is actually not the point. They are no more secure
                      >>>>than
                      >>>>simply setting a number in your own custom cookie.
                      >>>>>
                      >>>>All PHP sessions are are a way of passing a unique ID using cookies,
                      >>>>and
                      >>>>a handy interface for dummies, but they still use either the URL or the
                      >>>>cookie to pass that one vital bit of info.
                      >>>>>
                      >>>>Now I also thought that the point was that the user was worried about
                      >>>>his clients seeing the info in the URL and messing with it.
                      >>>>>
                      >>>>My point was that they could as easily mess with the cookies.
                      >>>>>
                      >>>>I don't recall any issues about security with respect to third parties
                      >>>>at all, which makes your point another straw man.
                      >>>>>
                      >>>>>
                      >>>>>
                      >>>>>Micha
                      >>>Okay, I'm beginning to see why some other group members are rather
                      >>>frustrated with Natural Philosopher.
                      >>>>
                      >>>Using sessions only stores the ID associated with the user on the
                      >>>client machine. That ID is linked to the client's data which is stored
                      >>>on a file on the server the client is communicating with. Cookies
                      >>>actually store all the data on the client machine. That means that
                      >>>when you use cookies, all the data is available for the client to view
                      >>>and edit. Using sessions separates the client from his or her data,
                      >>>thus making it uneditable; the only thing that can be edited on the
                      >>>client is the session ID, which isn't very useful, since at best you
                      >>>associate yourself with someone else's data, and at worst, you divorce
                      >>>the client from its session data. Therefore, using sessions is more
                      >>>secure because the client cannot directly access his or her data.
                      >>>>
                      >>>How did this even become a security discussion????
                      >>>>
                      >>Ever since The Natural Philosopher made another stupid comment and I
                      >>called him on it.
                      >>>
                      >>Now he's doing his best to try to justify his stupidity.
                      >>
                      >It seems to me, Jerry, that Phil is making a point you are not catching.
                      >You seem busy about all manner of things NOT related to what he is
                      >saying, yet you are bashing him for what he IS saying. You haven't
                      >stopped to hear him.
                      >>
                      >You asked what cookies had to do with anything. He's saying that it's one
                      >way for the PHP_SESSION_ID to be passed between the client and server.
                      >You assume, inappropriately, that he means ALL SESSION DATA is passed
                      >around in a cookie. You seemed to be a bit in a rush to 'call him on
                      >it'...even when he clearly explained that was NOT what he meant. However,
                      >now that he has painstakingly TRIED to clear up YOUR confusion, you keep
                      >playing the champion...beating your chest, as it were, like a juvenile
                      >gorilla afraid of a real confrontation, hoping all the arm-waving
                      >commotion will scare off your 'rival' before he notices it's all a front.
                      >>
                      >He's only talking about passing the session ID. Nothing more than that,
                      >Jerry. Since you were the one who was pondering how cookies fit into
                      >sessions, I fail to see how you could possibly make a good argument...since
                      >yours would seemingly be made from ignorance. Further, after all of your
                      >raging tantrums in a know-it-all fashion, it seems you have projection
                      >issues as all fingers should be pointing to your own lack of reading
                      >comprehension...or your willingness to only give others' remarks cursory
                      >scans. Obviously, the latter is quite dangerous as it can lead to the
                      >offender looking a fool.
                      >>
                      >Consider yourself, 'called on it'.
                      >>
                      >Someone needs to grow up. And if he can't read that, maybe he'll catch
                      >his name...JERRY.
                      >
                      No, I know what he meant. And my comment stands - as do the comments of
                      others in this thread. His comment was completely unrelated to the
                      discussion at hand.
                      If you knew, then you wouldn't have thought cookies were some foreign dish
                      to the conversation. He explained perfectly well how they do. You simply
                      took it for what you wanted. Something you could 'call him on'. Think what
                      you want.


                      Comment

                      • Jerry Stuckle

                        #56
                        Re: Hiding variables passed via URL

                        Chuck wrote:
                        "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                        news:g5dkfu$qc2$1@registered.motzarella.org...
                        >Jeff wrote:
                        >>Jerry Stuckle wrote:
                        >>>Jeff wrote:
                        >>>>C. (http://symcbean.blogspot.com/) wrote:
                        >>>>>On Jul 13, 7:13 am, The Natural Philosopher <a...@b.c> wrote:
                        >>>>>>Michael Fesser wrote:
                        >>>>>>>.oO(The Natural Philosopher)
                        >>>>>>>>Michael Fesser wrote:
                        >>>>>>>>>You can't redirect a POST request.
                        >>>>>>>>Are you sure?
                        >>>>>>>Sending POST data to another location must be triggered or at least
                        >>>>>>>confirmed by the user. Automatically redirecting anything other than
                        >>>>>>>GET or HEAD is explicitly forbidden by the HTTP spec ("MUST NOT").
                        >>>>>>Ah, it may be forbidden, but does it work? ;-)
                        >>>>>>>
                        >>>>>>>Micha
                        >>>>>NO
                        >>>>>
                        >>>> Let's say we wanted to post something in the background (ie, not
                        >>>>redirect the browser). How do you do that in PHP? In perl, I'd use the
                        >>>>LWP library.
                        >>>>>
                        >>>> I'm not sure what I'd be looking for, but I don't seem to find it
                        >>>>here:
                        >>>>>
                        >>>>http://www.php.net/manual/en/funcref.php
                        >>>>>
                        >>>> Jeff
                        >>>>>
                        >>>What do you mean by "post something in the background"? You either post
                        >>>or you don't post. There is no foreground or background on the web.
                        >> I found this just after I posted:
                        >>>
                        >>http://us.php.net/manual/en/book.http.php
                        >>>
                        >> But I'm unsure how that works as it is missing the examples.
                        >>>
                        >> Having a server retrieve a page or post data is not an unusual thing to
                        >>do. You may refer to it differently and my choice of terms may be bad.
                        >>One use would be if you are transparently handling something like a
                        >>Credit Card transaction and you don't want to take the customer off the
                        >>site. Usually you'd want that done with SSL and not on the query string.
                        >>>
                        >> Jeff
                        >Ok, you're talking about using the cURL libraries - that's the easiest
                        >way, although you could do it with sockets, also.
                        >>
                        >Additionally, whether you're using SSL or not is completely independent of
                        >whether you're using a query string (GET method) or not. GET/POST is a
                        >means of transferring data between applications. SSL runs at a lower
                        >level to encrypt/decrypt data. There is no relationship between them.
                        >
                        Here's my case-in-point, Jerry. You muddle what he's saying about SSL and
                        the query string. It would seem you can't allow that the conjunction 'and'
                        is joining two independent entities, as in, "you should use such
                        transactions over SSL...oh, and it's NOT a good idea to use the query string
                        to pass that transaction data to the server".
                        >
                        Again, it would seem that you have your own way of reading. It's just not
                        exactly in line with what others are writing/saying.
                        >
                        >
                        >
                        Yes, another case-in-point. You're missing the entire issue. You want
                        to use SSL to transfer credit card data. That is completely independent
                        of whether you pass the data in the query string or as POST values.

                        Both GET and POST data are passed in the clear if you're not using SSL,
                        and can be intercepted. Neither is passed in the clear if you're using
                        SSL, so it doesn't matter.

                        And he's talking about passing the data between two servers, so the user
                        will never see the query string if it is in the URL. Only the two
                        servers will see the data, whether it is sent as POST or GET data.

                        So you missed the point entirely, Chuck. Or should I say Barry, or
                        Steve? Which is the next name you'll be using?

                        --
                        ==================
                        Remove the "x" from my email address
                        Jerry Stuckle
                        JDS Computer Training Corp.
                        jstucklex@attglobal.net
                        ==================

                        Comment

                        • Jerry Stuckle

                          #57
                          Re: OT Re: Hiding variables passed via URL

                          Chuck wrote:
                          "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                          news:g5qttp$j0l$5@registered.motzarella.org...
                          >Chuck wrote:
                          >>Ah, joining a flame war...nothing quite like it.
                          >>>
                          >>Jerry might be a dick from time to time, but his participation and
                          >>helpfulness to the PHP groups is unprecedented. On days I lurk he has
                          >>questions answered before I even can write a response.
                          >>>
                          >>To top that I've actually seen messages where he admits he's wrong;
                          >>the last thing he's doing here is stroking his e-peen.
                          >>>
                          >>=======
                          >>>
                          >>From what I've seen, he's becoming a 'dick' more and more as of late.
                          >>I've only seen him admit he was wrong ONCE...and that was after beating
                          >>him to death with the facts until he had to say something. He was going
                          >>to let it slide.
                          >>>
                          >>He may have copious replies, but even though quantity may have a quality
                          >>all its own it hardly matters to an individual looking for a single
                          >>quality response. I've seen Jerry wrong almost as often as I've seen him
                          >>be right.
                          >>>
                          >>He also seems to relish being confronted. You can tell when Jerry is
                          >>wrong when he plonks people that kindly disagree with him - all the while
                          >>Jerry is cursing and throwing insults. That is a very common occurrence.
                          >>He loves to claim 'troll' or 'stoopid'. Yes, there's some mighty big
                          >>stroking going on there.
                          >>>
                          >>What I truly wonder is how Jerry can afford to post here 24/7/365? He
                          >>obviously is NOT employed, or, is wasting his employer's time and money.
                          >>That, or he's loaded...and not just with booze and pills. :)
                          >I plonk people when they become obnoxious - not when they disagree kindly.
                          >
                          No...generally I see you are the first to call names, illicitly, and only
                          plonk when you've no way to defend your position...because you are wrong in
                          those cases.
                          >
                          ROFLMAO!
                          >And I have a job - I am self-employed with my own company. I can afford
                          >to take breaks to answer questions here.
                          >
                          You look to be 65 and you have no website. You post consistently, not
                          sporadically as I'd expect to see if you were 'breaking'. I hope your
                          medicare is up to date.
                          >
                          I'm not anywhere near 65 yet, although I have been programming for a
                          good number of years. I started young.

                          And no, I don't have a website I've told you about. But I actually have
                          three different websites, for different things.

                          I just see no need to give that information to trolls. My customers
                          have the URL's, and that's what counts.
                          >And yes, I do admit when I'm wrong. But just because someone else
                          >disagrees with me doesn't mean I'm wrong.
                          >
                          Once in a blue moon, a gray wolf will cackle like a hen too. And, just
                          because you *think* you're right doesn't make you right. RARELY do I ever
                          see you support your arguments with proof, i.e. cites, references, results,
                          etc..
                          >
                          >
                          >
                          ROFLMAO!

                          But then you always were stoopid, Steve (I mean Barry... Oops - today
                          it's Chuck).

                          Still lying to the people you go to church with and let them think you
                          believe in God?

                          --
                          ==================
                          Remove the "x" from my email address
                          Jerry Stuckle
                          JDS Computer Training Corp.
                          jstucklex@attglobal.net
                          ==================

                          Comment

                          • Jerry Stuckle

                            #58
                            Re: Hiding variables passed via URL

                            Chuck wrote:
                            "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                            news:g5qu03$j0l$6@registered.motzarella.org...
                            >Chuck wrote:
                            >>"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                            >>news:g5gj6a$vu2$1@registered.motzarella.org...
                            >>>burgermeister01@gmail.com wrote:
                            >>>>On Jul 14, 3:47 pm, The Natural Philosopher <a...@b.c> wrote:
                            >>>>>Michael Fesser wrote:
                            >>>>>>.oO(The Natural Philosopher)
                            >>>>>>>I have no trouble understanding cookies and sessions.
                            >>>>>>>It's Jerry's assumptions that I didn't know that irritate.
                            >>>>>>>All that is needed to preserve states across a session is to have
                            >>>>>>>some
                            >>>>>>>unique session ID. That has to be carried by a cookie or by a URL.
                            >>>>>>>After that, you can associate any amount of crap with that session
                            >>>>>>>ID.
                            >>>>>>>I simply didn't see any difference in principle between carrying the
                            >>>>>>>session ID as a URL than as a cookie.
                            >>>>>>There are a dozen ways for a URL to leak (the HTTP_REFERER is just
                            >>>>>>one
                            >>>>>>way), which would easily allow other sites to grab valid session IDs.
                            >>>>>>Such attacks were done some years ago against a number of big free
                            >>>>>>mail
                            >>>>>>services, which led to thousands of stolen accounts.
                            >>>>>>Session cookies are much more secure, because you actually have to
                            >>>>>>sniff
                            >>>>>>the HTTP communication between the clients and the server or use XSS
                            >>>>>>to
                            >>>>>>grab them.
                            >>>>>>>Which I pointed out. Jerry then said 'what's cookies got to do with
                            >>>>>>>it'
                            >>>>>>>so I explained what they had to do with it.
                            >>>>>>But they don't have anything to do with the OPs problem, which was
                            >>>>>>about
                            >>>>>>passing data from one page to another. POST won't work here, GET is
                            >>>>>>not
                            >>>>>>wanted, so the only viable alternative is a session. Question
                            >>>>>>answered.
                            >>>>>No the only viable way is a cookie. Whether or not that is used with
                            >>>>>PHP
                            >>>>>sessions or not, is actually not the point. They are no more secure
                            >>>>>than
                            >>>>>simply setting a number in your own custom cookie.
                            >>>>>>
                            >>>>>All PHP sessions are a way of passing a unique ID using cookies,
                            >>>>>and
                            >>>>>a handy interface for dummies, but they still use either the URL or the
                            >>>>>cookie to pass that one vital bit of info.
                            >>>>>>
                            >>>>>Now I also thought that the point was that the user was worried about
                            >>>>>his clients seeing the info in the URL and messing with it.
                            >>>>>>
                            >>>>>My point was that they could as easily mess with the cookies.
                            >>>>>>
                            >>>>>I don't recall any issues about security with respect to third parties
                            >>>>>at all, which makes your point another straw man.
                            >>>>>>
                            >>>>>>
                            >>>>>>
                            >>>>>>Micha
                            >>>>Okay, I'm beginning to see why some other group members are rather
                            >>>>frustrated with Natural Philosopher.
                            >>>>>
                            >>>>Using sessions only stores the ID associated with the user on the
                            >>>>client machine. That ID is linked to the client's data which is stored
                            >>>>on a file on the server the client is communicating with. Cookies
                            >>>>actually store all the data on the client machine. That means that
                            >>>>when you use cookies, all the data is available for the client to view
                            >>>>and edit. Using sessions separates the client from his or her data,
                            >>>>thus making it uneditable; the only thing that can be edited on the
                            >>>>client is the session ID, which isn't very useful, since at best you
                            >>>>associate yourself with someone else's data, and at worst, you divorce
                            >>>>the client from its session data. Therefore, using sessions is more
                            >>>>secure because the client cannot directly access his or her data.
                            >>>>>
                            >>>>How did this even become a security discussion????
                            >>>>>
                            >>>Ever since The Natural Philosopher made another stupid comment and I
                            >>>called him on it.
                            >>>>
                            >>>Now he's doing his best to try to justify his stupidity.
                            >>It seems to me, Jerry, that Phil is making a point you are not catching.
                            >>You seem busy about all manner of things NOT related to what he is
                            >>saying, yet you are bashing him for what he IS saying. You haven't
                            >>stopped to hear him.
                            >>>
                            >>You asked what cookies had to do with anything. He's saying that it's one
                            >>way for the PHP_SESSION_ID to be passed between the client and server.
                            >>You assume, inappropriately, that he means ALL SESSION DATA is passed
                            >>around in a cookie. You seemed to be a bit in a rush to 'call him on
                            >>it'...even when he clearly explained that was NOT what he meant. However,
                            >>now that he has painstakingly TRIED to clear up YOUR confusion, you keep
                            >>playing the champion...beating your chest, as it were, like a juvenile
                            >>gorilla afraid of a real confrontation, hoping all the arm-waving
                            >>commotion will scare off your 'rival' before he notices it's all a front.
                            >>>
                            >>He's only talking about passing the session ID. Nothing more than that,
                            >>Jerry. Since you were the one who was pondering how cookies fit into
                            >>sessions, I fail to see how you could possibly make a good argument...since
                            >>yours would seemingly be made from ignorance. Further, after all of your
                            >>raging tantrums in a know-it-all fashion, it seems you have projection
                            >>issues as all fingers should be pointing to your own lack of reading
                            >>comprehension...or your willingness to only give others' remarks cursory
                            >>scans. Obviously, the latter is quite dangerous as it can lead to the
                            >>offender looking a fool.
                            >>>
                            >>Consider yourself, 'called on it'.
                            >>>
                            >>Someone needs to grow up. And if he can't read that, maybe he'll catch
                            >>his name...JERRY.
                            >No, I know what he meant. And my comment stands - as do the comments of
                            >others in this thread. His comment was completely unrelated to the
                            >discussion at hand.
                            >
                            If you knew, then you wouldn't have thought cookies were some foreign dish
                            to the conversation. He explained perfectly well how they do. You simply
                            took it for what you wanted. Something you could 'call him on'. Think what
                            you want.
                            >
                            >
                            >
                            I know a lot more about it than you do, Chuck/Steve/Barry. I didn't
                            need his explanation. But even others told him his comment was unrelated.

                            But then you always were a stoopid troll, and this just proves it more.

                            Enough of you, idiot. <plonk!>

                            --
                            ==================
                            Remove the "x" from my email address
                            Jerry Stuckle
                            JDS Computer Training Corp.
                            jstucklex@attglobal.net
                            ==================

                            Comment
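The hand-off this thread keeps returning to (session ID in a cookie, the data itself kept on the server, nothing in the URL), as an added example that is not part of any poster's message. `flash_set()`, `flash_take()` and the `step` parameter are hypothetical names; `process()` and the message text follow the original question, and PHP 7.3 or later is assumed for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the thread): the OP's script1/script2 hand-off,
// combined in one file and switched by a hypothetical ?step= parameter.
declare(strict_types=1);

// Carry the session ID in a cookie only; never read it from or write it to URLs,
// so it cannot leak through the Referer header or a copied link.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse session IDs the server did not issue itself.
ini_set('session.use_strict_mode', '1');

$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'lifetime' => 0,        // cookie expires when the browser closes
    'path'     => '/',
    'secure'   => $isHttps, // HTTPS-only whenever the site is served over HTTPS
    'httponly' => true,     // not readable from page JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** Store a one-time message server-side, keyed by the visitor's session. */
function flash_set(string $message): void
{
    $_SESSION['flash_err'] = $message;
}

/** Return the stored message once, then forget it; null if there is none. */
function flash_take(): ?string
{
    $message = $_SESSION['flash_err'] ?? null;
    unset($_SESSION['flash_err']);
    return is_string($message) ? $message : null;
}

/** Stand-in for the OP's process(); 0 means failure, as in the question. */
function process(): int
{
    return 0;
}

if (($_GET['step'] ?? '1') === '1') {
    // "script1": do the work, park any error in the session, then redirect.
    if (process() === 0) {
        flash_set('An error message');
    }
    session_write_close(); // flush session data before the browser follows the redirect
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?step=2', true, 303);
    exit;
}

// "script2": the URL carries no message; it is read from the session instead.
$err = flash_take();
header('Content-Type: text/html; charset=utf-8');
if ($err !== null) {
    // The message is still output-encoded, even though the client never supplied it.
    echo '<p class="error">' . htmlspecialchars($err, ENT_QUOTES, 'UTF-8') . '</p>';
}
echo '<p>Rest of script2 continues here.</p>';
```

Served with `php -S localhost:8000`, a request for the file ends on `?step=2` with the message shown once; reloading that URL shows nothing, because the message was removed from the session when it was read.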

                            • Chuck

                              #59
                              Re: OT Re: Hiding variables passed via URL


                              "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                              news:g5rd8n$9tb$5@registered.motzarella.org...
                              Chuck wrote:
                              >"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                              >news:g5qttp$j0l$5@registered.motzarella.org...
                              >>Chuck wrote:
                              >>>Ah, joining a flame war...nothing quite like it.
                              >>>>
                              >>>Jerry might be a dick from time to time, but his participation and
                              >>>helpfulness to the PHP groups is unprecedented. On days I lurk he has
                              >>>questions answered before I even can write a response.
                              >>>>
                              >>>To top that I've actually seen messages where he admits he's wrong;
                              >>>the last thing he's doing here is stroking his e-peen.
                              >>>>
                              >>>=======
                              >>>>
                              >>>From what I've seen, he's becoming a 'dick' more and more as of late.
                              >>>I've only seen him admit he was wrong ONCE...and that was after beating
                              >>>him to death with the facts until he had to say something. He was going
                              >>>to let it slide.
                              >>>>
                              >>>He may have copious replies, but even though quantity may have a
                              >>>quality all its own it hardly matters to an individual looking for a
                              >>>single quality response. I've seen Jerry wrong almost as often as I've
                              >>>seen him be right.
                              >>>>
                              >>>He also seems to relish being confronted. You can tell when Jerry is
                              >>>wrong when he plonks people that kindly disagree with him - all the
                              >>>while Jerry is cursing and throwing insults. That is a very common
                              >>>occurrence. He loves to claim 'troll' or 'stoopid'. Yes, there's some
                              >>>mighty big stroking going on there.
                              >>>>
                              >>>What I truly wonder is how Jerry can afford to post here 24/7/365? He
                              >>>obviously is NOT employed, or, is wasting his employer's time and
                              >>>money. That, or he's loaded...and not just with booze and pills. :)
                              >>I plonk people when they become obnoxious - not when they disagree
                              >>kindly.
                              >>
                              >No...generally I see you are the first to call names, illicitly, and only
                              >plonk when you've no way to defend your position...because you are wrong
                              >in those cases.
                              >>
                              >
                              ROFLMAO!
                              >
                              >>And I have a job - I am self-employed with my own company. I can afford
                              >>to take breaks to answer questions here.
                              >>
                              >You look to be 65 and you have no website. You post consistently, not
                              >sporadically as I'd expect to see if you were 'breaking'. I hope your
                              >medicare is up to date.
                              >>
                              >
                              I'm not anywhere near 65 yet, although I have been programming for a good
                              number of years. I started young.
                              >
                              And no, I don't have a website I've told you about. But I actually have
                              three different websites, for different things.
                              >
                              I just see no need to give that information to trolls. My customers have
                              the URL's, and that's what counts.
                              >
                              >>And yes, I do admit when I'm wrong. But just because someone else
                              >>disagrees with me doesn't mean I'm wrong.
                              >>
                              >Once in a blue moon, a gray wolf will cackle like a hen too. And, just
                              >because you *think* you're right doesn't make you right. RARELY do I ever
                              >see you support your arguments with proof, i.e. cites, references,
                              >results, etc..
                              >
                              ROFLMAO!
                              >
                              But then you always were stoopid, Steve (I mean Barry... Oops - today it's
                              Chuck).
                              well, it took you long enough!
                              Still lying to the people you go to church with and let them think you
                              believe in God?
                              uhmmm, that wouldn't be lying, jerry. i cannot be expected to correct
                              assumptions made by others. sinners as well as saints go to church. only a
                              fool would think that everyone present believes in the same things...unless
                              yours is a social club rather than a hospital. as i've said before, i'm
                              willing to tell anyone that asks. now, if i told them something other than
                              the truth at that point, it would be lying. what is amusing to me, jerry, is
                              that you're a bible thumper and are content with living hypocrisy. your
                              treatment of others is very counter to what you've been taught (or should
                              have been taught) to believe.

                              btw, you never were able to make a material case for the existence of any
                              god. i see you still allow faith to trump reason and logic. it is not
                              surprising at all that you are likewise ignorant of the same in your posts
                              to others.

                              cheers.


                              Comment

                              • Chuck

                                #60
                                Re: Hiding variables passed via URL


                                "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                                news:g5rdb1$9tb$6@registered.motzarella.org...
                                Chuck wrote:
                                >"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                                >news:g5qu03$j0l$6@registered.motzarella.org...
                                >>Chuck wrote:
                                >>>"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                                >>>news:g5gj6a$vu2$1@registered.motzarella.org...
                                >>>>burgermeister01@gmail.com wrote:
                                >>>>>On Jul 14, 3:47 pm, The Natural Philosopher <a...@b.c> wrote:
                                >>>>>>Michael Fesser wrote:
                                >>>>>>>.oO(The Natural Philosopher)
                                >>>>>>>>I have no trouble understanding cookies and sessions.
                                >>>>>>>>It's Jerry's assumptions that I didn't know that irritate.
                                >>>>>>>>All that is needed to preserve states across a session is to have
                                >>>>>>>>some
                                >>>>>>>>unique session ID. That has to be carried by a cookie or by a URL.
                                >>>>>>>>After that, you can associate any amount of crap with that session
                                >>>>>>>>ID.
                                >>>>>>>>I simply didn't see any difference in principle between carrying
                                >>>>>>>>the
                                >>>>>>>>session ID as a URL than as a cookie.
                                >>>>>>>There are a dozen ways for a URL to leak (the HTTP_REFERER is just
                                >>>>>>>one
                                >>>>>>>way), which would easily allow other sites to grab valid session
                                >>>>>>>IDs.
                                >>>>>>>Such attacks were done some years ago against a number of big free
                                >>>>>>>mail
                                >>>>>>>services, which led to thousands of stolen accounts.
                                >>>>>>>Session cookies are much more secure, because you actually have to
                                >>>>>>>sniff
                                >>>>>>>the HTTP communication between the clients and the server or use
                                >>>>>>>XSS to
                                >>>>>>>grab them.
                                >>>>>>>>Which I pointed out. Jerry then said 'what's cookies got to do
                                >>>>>>>>with it'
                                >>>>>>>>so I explained what they had to do with it.
                                >>>>>>>But they don't have anything to do with the OPs problem, which was
                                >>>>>>>about
                                >>>>>>>passing data from one page to another. POST won't work here, GET is
                                >>>>>>>not
                                >>>>>>>wanted, so the only viable alternative is a session. Question
                                >>>>>>>answered.
                                >>>>>>No the only viable way is a cookie. Whether or not that is used with
                                >>>>>>PHP
                                >>>>>>sessions or not, is actually not the point. They are no more secure
                                >>>>>>than
                                >>>>>>simply setting a number in your own custom cookie.
                                >>>>>>>
                                >>>>>>All PHP sessions are is a way of passing a unique ID using cookies,
                                >>>>>>and
                                >>>>>>a handy interface for dummies, but they still use either the URL or
                                >>>>>>the
                                >>>>>>cookie to pass that one vital bit of info.
                                >>>>>>>
                                >>>>>>Now I also thought that the point was that the user was worried
                                >>>>>>about
                                >>>>>>his clients seeing the info in the URL and messing with it.
                                >>>>>>>
                                >>>>>>My point was that they could as easily mess with the cookies.
                                >>>>>>>
                                >>>>>>I don't recall any issues about security with respect to third
                                >>>>>>parties
                                >>>>>>at all, which makes your point another straw man.
                                >>>>>>>
                                >>>>>>>
                                >>>>>>>
                                >>>>>>>Micha
                                >>>>>Okay, I'm beginning to see why some other group members are rather
                                >>>>>frustrated with Natural Philosopher.
                                >>>>>>
                                >>>>>Using sessions only stores the ID associated with the user on the
                                >>>>>client machine. That ID is linked to the client's data which is
                                >>>>>stored
                                >>>>>on a file on the server the client is communicating with. Cookies
                                >>>>>actually store all the data on the client machine. That means that
                                >>>>>when you use cookies, all the data is available for the client to
                                >>>>>view
                                >>>>>and edit. Using sessions separates the client from his or her data,
                                >>>>>thus making it uneditable; the only thing that can be edited on the
                                >>>>>client is the session ID, which isn't very useful, since at best you
                                >>>>>associate yourself with someone else's data, and at worse, you
                                >>>>>divorce
                                >>>>>the client from its session data. Therefore, using sessions is more
                                >>>>>secure because the client cannot directly access his or her data.
                                >>>>>>
                                >>>>>How did this even become a security discussion????
                                >>>>>>
                                >>>>Ever since The Natural Philosopher made another stupid comment and I
                                >>>>called him on it.
                                >>>>>
                                >>>>Now he's doing his best to try to justify his stupidity.
                                >>>It seems to me, Jerry, that Phil is making a point you are not
                                >>>catching. You seem busy about all manner of things NOT related to what
                                >>>he is saying, yet you are bashing him for what he IS saying. You
                                >>>haven't stopped to hear him.
                                >>>>
                                >>>You asked what cookies had to do with anything. He's saying that it's
                                >>>one way for the PHP_SESSION_ID to be passed between the client and
                                >>>server. You assume, inappropriately, that he means ALL SESSION DATA is
                                >>>passed around in a cookie. You seemed to be a bit in a rush to 'call
                                >>>him on it'...even when he clearly explained that was NOT what he meant.
                                >>>However, now that he has painstakingly TRIED to clear up YOUR
                                >>>confusion, you keep playing the champion...beating your chest, as it
                                >>>were, like a juvenile gorilla afraid of a real confrontation, hoping
                                >>>all the arm-waving commotion will scare off your 'rival' before he
                                >>>notices it's all a front.
                                >>>>
                                >>>He's only talking about passing the session ID. Nothing more than that,
                                >>>Jerry. Since you were the one who was pondering how cookies fit into
                                >>>sessions, I fail to see how you could possibly a good argument...since
                                >>>yours would seemingly be made from ignorance. Further, after all of
                                >>>your raging tantrums in a know-it-all fashion, it seems you have
                                >>>projection issues as all fingers should be pointing to your own lack of
                                >>>reading comprehension...or your willingness to only give others'
                                >>>remarks cursory scans. Obviously, the latter is quite dangerous as it
                                >>>can lead to the offender looking a fool.
                                >>>>
                                >>>Consider yourself, 'called on it'.
                                >>>>
                                >>>Someone needs to grow up. And if he can't read that, maybe he'll catch
                                >>>his name...JERRY.
                                >>No, I know what he meant. And my comment stands - as do the comments of
                                >>others in this thread. His comment was completely unrelated to the
                                >>discussion at hand.
                                >>
                                >If you knew, then you wouldn't have thought cookies were some foreign
                                >dish to the conversation. He explained perfectly well how they do. You
                                >simply took it for what you wanted. Something you could 'call him on'.
                                >Think what you want.
                                >
                                I know a lot more about it than you do, Chuck/Steve/Barry.
                                really? here's where proving what you say should be important, rather than
                                just believing what you say to be true.
                                I didn't need his explanation. But even others told him his comment was
                                unrelated.
                                let's have the 'others'...post the news link(s). and, it's not the
                                definition that was important. it was the fact that you plod along in
                                ignorance of a point being made outside of the ones you want to make.
                                But then you always were a stoopid troll, and this just proves it more.
                                really? how am i trolling, jerry?

                                NOTICE, i've been pleasant (kindly). now i'm a 'stoopid' 'troll'. and as we
                                all know (as is quoted in this thread), what should be expected to follow?
                                Enough of you, idiot. <plonk!>
                                there it is...the plonk. roflmao!

                                jerry, you lose.


                                Comment
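
Added example (not posted by anyone in this thread): the approach quoted above, where only a session ID travels in a cookie and the data stays on the server, applied to the original poster's redirect to script2.php. The helper names `start_cookie_only_session`, `flash_set`, `flash_take`, `first_script` and `second_script` are hypothetical, and HTTPS is assumed.

```php
<?php
// Added example; helper names are hypothetical. Needs PHP 7.3+.
function start_cookie_only_session(): void
{
    // Keep the session ID out of URLs so it cannot leak via the Referer header.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,    // keep the cookie away from page scripts (XSS)
        'secure'   => true,    // assumption: the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Store the message on the server; the browser only ever holds the ID.
function flash_set(string $key, string $message): void
{
    $_SESSION['flash'][$key] = $message;
}

// Read the message once and delete it, so a reload does not repeat it.
function flash_take(string $key): ?string
{
    $message = $_SESSION['flash'][$key] ?? null;
    unset($_SESSION['flash'][$key]);
    return $message;
}

// First script: $res stands for the result of the poster's process().
function first_script(int $res): void
{
    start_cookie_only_session();
    if ($res == 0) {
        flash_set('err', 'An error message');
    }
    header('Location: script2.php');   // nothing user-visible in the URL
    exit;
}

// script2.php: show the message, then continue with the rest of the logic.
function second_script(): void
{
    start_cookie_only_session();
    $err = flash_take('err');
    if ($err !== null) {
        echo htmlspecialchars($err, ENT_QUOTES, 'UTF-8');
    }
}
```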
