Web Forms/Preserving state with $_GET - should I be doing this?

  • sketch

    Web Forms/Preserving state with $_GET - should I be doing this?

    I have one page that does 3 different things depending on $_GET:
    1. It shows an index with items.
    2. It shows an item with a form to submit an amount.
    3. It confirms the amount.
    I was just wondering, since I haven't approached anything like this if I'm doing something I shouldn't be doing.
    To get the post variable to work, I had to add some get variables to the form action. Would it be better to use hidden
    fields?

    <?php

    if (!isset($_GET['action']) || $_GET['action'] == 'home') {
        include_once($index_page);
    }
    elseif (isset($_GET['action']) && isset($_GET['item_id']) && $_GET['action'] == 'item') {
        // Take item_id from the request explicitly and force it to an integer
        // before it is written back into the page.
        $item_id = (int) $_GET['item_id'];

        if (isset($_POST['amount'])) {
            confirm($_POST['amount']);
            include_once($confirm_page);
        }
        else {
            // PHP_SELF is influenced by the requested URL, so escape it on output.
            $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
            $form = '<form action="' . $self . '?action=item&item_id=' . $item_id . '" method="post">' .
                '<input type="text" name="amount">' .
                '<input type="submit" value="Enter Amount">' .
                '</form>';
            echo $form;
            include_once($item_page);
        }
    }

    ?>

    Thanks,


    J Moore
  • Kenneth Downs

    #2
    Re: Web Forms/Preserving state with $_GET - should I be doing this?

    sketch wrote:
    > I have one page that does 3 different things depending on $_GET:
    > 1. It shows an index with items.
    > 2. It shows an item with a form to submit an amount.
    > 3. It confirms the amount.
    > I was just wondering, since I haven't approached anything like this if I'm
    > doing something I shouldn't be doing. To get the post variable to work, I
    > had to add some get variables to the form action. Would it be better to
    > use hidden fields?

    Well, you are supposed to sanitize your $_GET and $_POST variables before
    using them in code, but anyway...

    But anyway, I prefer to treat $_GET and $_POST interchangeably, so my
    universal page does this (notice simplified to assume no arrays). Because
    GETs override POSTs, I can code normal behavior into the hidden vars and
    debug/test by putting special values into the URL. It makes it easier for
    some troublemaker to experiment with screwing up the system, but then the
    system should be protected against that anyway.

    foreach ($_POST as $tkey=>$tvalue) {
        $GLOBALS["clean"][$tkey] = YourSanitize($tvalue);
    }
    foreach ($_GET as $tkey=>$tvalue) {
        $GLOBALS["clean"][$tkey] = YourSanitize($tvalue);
    }

    Now in code you can have your own version of $_GET and $_POST with things
    like this:

    $post=&$GLOBALS["clean"];

    if ($post["key"]=="value") {
    ....
    }

    --
    Kenneth Downs
    Secure Data Software, Inc.
    (Ken)nneth@(Sec )ure(Dat)a(.com )
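
An added example, not part of the original posts or any poster's code: one way to build the merged "clean" array described in the post above, using a per-key allow-list in place of a single sanitizer and letting the query string override POST-only fields only behind a debug switch. The names clean_request, the rule table, the 1..1000 amount range and the $debug flag are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.4+). clean_request(), the rule table, the 1..1000
// amount range and the $debug switch are assumptions, not code from the thread.

function clean_request(array $post, array $get, bool $debug = false): array
{
    // Builds an integer validator; filter_var() returns false on bad input.
    $int = fn(int $min, int $max) => fn($v) => filter_var(
        $v,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]
    );

    // key => [validator, may the key arrive in the query string?]
    $rules = [
        'action'  => [fn($v) => in_array($v, ['home', 'item'], true) ? $v : false, true],
        'item_id' => [$int(1, PHP_INT_MAX), true],
        'amount'  => [$int(1, 1000), false], // changes state: POST only
    ];

    $clean = [];
    foreach ($rules as $key => [$validate, $fromGet]) {
        $raw = $post[$key] ?? null;
        // GET overrides POST as in the post above, but for POST-only
        // fields the override is honoured only when $debug is on.
        if (($fromGet || $debug) && isset($get[$key])) {
            $raw = $get[$key];
        }
        $value = $raw === null ? false : $validate($raw);
        if ($value !== false) {
            $clean[$key] = $value; // keys outside $rules never get here
        }
    }
    return $clean;
}

// Constructed request data for illustration.
$post = ['amount' => '25'];
$get  = ['action' => 'item', 'item_id' => '7', 'amount' => '999', 'x' => '<script>'];

// Normal operation: the amount typed into the URL is ignored.
var_dump(clean_request($post, $get));

// Debug mode: the URL can simulate the form post for testing.
var_dump(clean_request($post, $get, true));
```

Hidden fields and query-string variables are both set by the client, so the same validation applies whichever one carries item_id.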


    • saayan@gmail.com

      #3
      Re: Web Forms/Preserving state with $_GET - should I be doing this?

      I observed something when GET and POST are mixed in the same call.
      For example:
      ..../test.php?code=abcd

      If the form has this in the action but uses POST method, then the
      test.php gets called twice (once for GET and second time for POST) by
      IE or firefox (forgot at this moment which one was doing this).

      Had serious trouble from this double calling and ended up spending a
      day debugging php in eclipse for runtime tracking.

      I would avoid mixing GET and POST for form submission.


      • Kenneth Downs

        #4
        Re: Web Forms/Preserving state with $_GET - should I be doing this?

        saayan@gmail.com wrote:
        > I observed something when GET and POST are mixed in the same call.
        > For example:
        > .../test.php?code=abcd
        >
        > If the form has this in the action but uses POST method, then the
        > test.php gets called twice (once for GET and second time for POST) by
        > IE or firefox (forgot at this moment which one was doing this).
        >
        > Had serious trouble from this double calling and ended up spending a
        > day debugging php in eclipse for runtime tracking.
        >
        > I would avoid mixing GET and POST for form submission.

        Let me clarify. The action of the form is always just "index", with no
        variables passed in. The POST data of course is coming from the form.

        However, the method of merging them allows me to simulate form posts by
        typing the following into the location bar:



        and easily walk through the results.


        --
        Kenneth Downs
        Secure Data Software, Inc.
        (Ken)nneth@(Sec )ure(Dat)a(.com )


        • saayan@gmail.com

          #5
          Re: Web Forms/Preserving state with $_GET - should I be doing this?

          Ken, Thanks - understood.

          I have a question (just to satisfy my curiosity):

          In case of mixing, is the double GET and POST action expected - or is
          it a browser bug?
          What does the standard say about it?


          • sketch

            #6
            Re: Web Forms/Preserving state with $_GET - should I be doing this?

            On Sat, 12 Mar 2005 08:35:39 -0500, Kenneth Downs <knode.wants.this@see.sigblock> wrote:
            >Well, you are supposed to sanitize your $_GET and $_POST variables before
            >using them in code, but anyway...

            Thanks, I'm going to play around with your suggestions.


            J Moore


            • sketch

              #7
              Re: Web Forms/Preserving state with $_GET - should I be doing this?

              On 12 Mar 2005 09:08:29 -0800, saayan@gmail.com wrote:
              >Ken, Thanks - understood.
              >
              >I have a question (just to satisfy my curiosity):
              >
              >In case of mixing, is the double GET and POST action expected - or is
              >it a browser bug?
              >What does the standard say about it?

              I'm using Mozilla Firebird 0.7 and IE 6 to test my scripts, and am
              unable to reproduce the same bug. I'll try this under Linux where I
              have some even older browsers.

              What alternative to $_GET and $_POST are you thinking of? I've tried
              using Javascript submits, but I wanted to avoid that for this project.



              J Moore


              • Kenneth Downs

                #8
                Re: Web Forms/Preserving state with $_GET - should I be doing this?

                saayan@gmail.com wrote:
                > Ken, Thanks - understood.
                >
                > I have a question (just to satisfy my curiosity):
                >
                > In case of mixing, is the double GET and POST action expected - or is
                > it a browser bug?
                > What does the standard say about it?

                Sorry, I've never run across it. I tend to either POST or GET, not both
                together. The merge utility just allows me to type URLs into the address
                bar that would give the same results as a user POST, making testing easier,
                that's really all it's for.

                --
                Kenneth Downs
                Secure Data Software, Inc.
                (Ken)nneth@(Sec )ure(Dat)a(.com )
