[thelist] any PHP session experts out there?

Diego Barcia webmaster at sci-web.com.ar
Wed Dec 11 17:42:01 CST 2002


Hi,

> I've been struggling with some PHP session tutorials, and I wondered
> if I could get some tips. Most of the tutorials I find seem to be for
> PHP3 not 4. The one I am using the guy says not to use superglobals
> due to security. Anyway, I am doing this very simple code:
>
> From a simple form that has only a 'name' text field, I send it to a
> process page that does this:

(..)

> in the page, and I get nothing but blanks.

This is a security issue, probably the server is configured not to print any
error messages so any output is interrupted. I will not add anything more to
the previous messages in regard to sessions, only I would say that, if
"register_globals" is set to off in your server, then you need to use the
$_POST array, because any global you use to refer to the POST variables
won't work.

> I suppose $_SESSION['name'] = $name; could be $_SESSION['name'] =
> $_POST['name']; as well, but I like using the globals myself.

Instead of using $name, you should use $_POST['name'] (if register_globals =
off, which is now the default configuration; check phpinfo() to get
information about the server's configuration). If you don't want to use
$_POST again and again, you could use the import_request_variables()
function. This function takes two arguments, one is needed, the other is
technically optional but you need it too. In the first argument, you specify
what kind of variables you want to import (this is an option to
register_globals, which is not safe, and it would be of use I hope, it was
for me and I had to do some hours of research to get to it). That is, the
POST variables. It is only a letter in this case "p" (points to "POST"). The
second argument is the prefix that will be used to import the POST
variables. For example, "f_".

import_request_variables("p", "f_");

This would create the $f_name variable for your example, which would hold
the "name" form field value. And so on for any other POST vars (for example,
if they were in the form "address" and "phone" fields, the $f_address and
$f_phone vars would be created). Although the second argument is optional,
if you don't specify it, you will get a warning, perhaps causing the code
not to work. This is the "where the variables are coming from" security
thing.

Diego
Web Designer & Developer
http://sci-web.com.ar
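
Added example, not part of the original message: a process page for the one-field 'name' form discussed above, reading input only from $_POST with register_globals off. import_request_variables() was deprecated in PHP 5.3 and removed in PHP 5.4, so the prefix idea is reproduced here with import_fields(), a hypothetical helper that copies only an allow-list of fields; valid_name() and its rule are also assumptions made for this sketch.

```php
<?php
// Added example: assumes register_globals = off and a form that POSTs 'name'.
declare(strict_types=1);

/**
 * Copy an explicit allow-list of request fields into a prefixed array.
 * Hypothetical helper (not a PHP built-in). Unlike register_globals, it
 * never creates variables from field names the script did not ask for.
 */
function import_fields(array $source, array $allowed, string $prefix): array
{
    $out = [];
    foreach ($allowed as $field) {
        $value = $source[$field] ?? '';
        // name[]=x arrives as an array; accept plain strings only.
        $out[$prefix . $field] = is_string($value) ? trim($value) : '';
    }
    return $out;
}

/** Constructed rule: 1 to 64 letters, spaces, apostrophes or hyphens. */
function valid_name(string $name): bool
{
    return preg_match('/^[\p{L} \'-]{1,64}$/u', $name) === 1;
}

session_start();

// Only 'name' is imported; any extra POST fields are ignored.
$f = import_fields($_POST, ['name'], 'f_');

if (!valid_name($f['f_name'])) {
    http_response_code(400);
    exit('Invalid name');
}

// The session value has one known origin: the validated POST field.
$_SESSION['name'] = $f['f_name'];

// Escape on output so the stored value cannot inject markup.
echo 'Hello, ' . htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8');
```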




