[thelist] post variable availability
Phil Turmel
pturmel-webdev at turmel.org
Thu Feb 28 13:02:32 CST 2008
Nan Harbison wrote:
> Phil,
>
> I think what I am doing wrong is - I have a form submit to itself, and then
> it shows sign up options on a form and then you submit again, and then it
> shows a credit card form, so I guess I am getting the form elements from
> first form.
> So do I store the values that I keep needing as the process continues as
> session variables? I always feel guilty when I do that, like it is the
> coward's way out.
>
> Thanks for your help!
> Nan
>
Hi Nan,

Yes, you need to store the 1st page's responses somewhere.
Either put them in session variables or hide them on subsequent
forms. (Sessions aren't cowardly, if that helps.)

Unfortunately, there are pros and cons to each method you need to
be aware of:

1) Cookie-based sessions won't automatically deal with your
visitor opening multiple tabs or windows, and starting into the
process on each.

2) Sessions store their data on the server's hard disk in one
form or another. You may have to examine how that's done to
ensure your customer's confidential information is wiped when
you're done with it. (I don't process credit cards, so I can't
speak to the details.) Especially if they get partway through
and then close their browser.

3) Hidden variables are susceptible to spoofing... you have to
validate them on the server side on every submission. Increases
both processing time and traffic volume.

4) Hidden form variables aren't actually hidden from an
interested user (view source), so if your validation process
generates confidential internal codes, you would expose them to view.

If you are creating sessions anyways as part of a login process,
just add the information to $_SESSION. Maybe keep just the CC
number in a hidden field so you don't have to deal with #2. If
you have a problem with #1, also add a hidden token to your forms
so you can distinguish between multiple windows.

If you don't need sessions for other purposes, and #4 isn't a
problem, use hidden fields.

HTH,
Phil
--
Need to contact me offlist?
Drop -webdev or you probably won't get through.
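
The approach described in the reply above, as an added example that is not part of the original post: each browser window gets its own slot in $_SESSION, selected by a hidden token (point 1), submitted values are validated on the server before they are kept (point 3), and slots are removed when finished or abandoned (point 2). The field names `wizard_token` and `plan`, the plan list and the 30-minute limit are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Field names (wizard_token, plan), the plan list and the
// 30-minute limit are assumptions, not taken from the thread.
session_start();
const ALLOWED_PLANS = ['basic', 'premium'];

// Return this window's token; issue a fresh slot if none or an unknown one was sent.
function wizard_token(array $post): string {
    $token = $post['wizard_token'] ?? '';
    if (!is_string($token) || !isset($_SESSION['wizards'][$token])) {
        $token = bin2hex(random_bytes(16));
        $_SESSION['wizards'][$token] = ['started' => time(), 'data' => []];
    }
    return $token;
}

// Validate the submitted field on the server before keeping it.
function save_step(string $token, array $post): array {
    $plan = $post['plan'] ?? null;
    if ($plan === null) {
        return [];
    }
    if (!in_array($plan, ALLOWED_PLANS, true)) {
        return ['Unknown plan.'];
    }
    $_SESSION['wizards'][$token]['data']['plan'] = $plan;
    return [];
}

// Remove the slot that just finished and any slot abandoned partway through.
function purge_wizards(?string $finished = null, int $maxAge = 1800): void {
    foreach ($_SESSION['wizards'] ?? [] as $t => $w) {
        if ($t === $finished || time() - $w['started'] > $maxAge) {
            unset($_SESSION['wizards'][$t]);
        }
    }
}

purge_wizards();
$token  = wizard_token($_POST);
$errors = save_step($token, $_POST);
?>
<form method="post">
  <input type="hidden" name="wizard_token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
</form>
```

Call `purge_wizards($token)` on the final step once the order is processed. Data from a visitor who never returns stays on the server until PHP's session garbage collection (`session.gc_maxlifetime`) removes the session.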