[thelist] post variable availability

Phil Turmel pturmel-webdev at turmel.org
Thu Feb 28 13:02:32 CST 2008

Nan Harbison wrote:
> Phil,
> I think what I am doing wrong is - I have a form submit to itself, and then
> it shows sign up options on a form and then you submit again, and then it
> shows a credit card form, so I guess I am getting the form elements from
> first form. 
> So do I store the values that I keep needing as the process continues as
> session variables? I always feel guilty when I do that, like it is the
> cowards way out.
> Thanks for your help!
> Nan

Hi Nan,

Yes, you need to store the 1st page's responses somewhere. 
Either put them in session variables or hide them on subsequent 
forms.  (Sessions aren't cowardly, if that helps.) 
Unfortunately, there are pros and cons to each method you need to 
be aware of:

1) Cookie-based sessions won't automatically deal with your 
visitor opening multiple tabs or windows, and starting into the 
process on each.
2) Sessions store their data on the server's hard disk in one 
form or another.  You may have to examine how that's done to 
ensure your customer's confidential information is wiped when 
you're done with it.  (I don't process credit cards, so I can't 
speak to the details.)  Especially if they get partway through 
and then close their browser.
3) Hidden variables are susceptible to spoofing... you have to 
validate them on the server side on every submission.  Increases 
both processing time and traffic volume.
4) Hidden form variables aren't actually hidden from an 
interested user (view source), so if your validation process 
generates confidential internal codes, you would expose them to view.

If you are creating sessions anyways as part of a login process, 
just add the information to $_SESSION.  Maybe keep just the CC 
number in a hidden field so you don't have to deal with #2.  If 
you have a problem with #1, also add a hidden token to your forms 
so you can distinguish between multiple windows.

If you don't need sessions for other purposes, and #4 isn't a 
problem, use hidden fields.



Need to contact me offlist?
   Drop -webdev or you probably won't get through.

More information about the thelist mailing list