[thelist] post variable availability

Nan Harbison nan at nanharbison.com
Thu Feb 28 13:11:01 CST 2008


This helps a lot. Fortunately, the credit card details are on the last form,
so they are available to the payment gateway code.
I am using sessions since people have to pay to be able to see certain areas
of the website.



-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Phil Turmel
Sent: Thursday, February 28, 2008 2:03 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] post variable availability

Nan Harbison wrote:
> Phil,
> I think what I am doing wrong is - I have a form submit to itself, and 
> then it shows sign up options on a form and then you submit again, and 
> then it shows a credit card form, so I guess I am getting the form 
> elements from the first form.
> So do I store the values that I keep needing as the process continues 
> as session variables? I always feel guilty when I do that, like it is 
> the coward's way out.
> Thanks for your help!
> Nan

Hi Nan,

Yes, you need to store the 1st page's responses somewhere. 
Either put them in session variables or hide them on subsequent forms.
(Sessions aren't cowardly, if that helps.) Unfortunately, there are pros and
cons to each method you need to be aware of:

1) Cookie-based sessions won't automatically deal with your visitor opening
multiple tabs or windows, and starting into the process on each.
2) Sessions store their data on the server's hard disk in one form or
another.  You may have to examine how that's done to ensure your customer's
confidential information is wiped when you're done with it.  (I don't
process credit cards, so I can't speak to the details.)  Especially if they
get partway through and then close their browser.
3) Hidden variables are susceptible to spoofing... you have to validate them
on the server side on every submission.  Increases both processing time and
traffic volume.
4) Hidden form variables aren't actually hidden from an interested user
(view source), so if your validation process generates confidential internal
codes, you would expose them to view.

If you are creating sessions anyways as part of a login process, just add
the information to $_SESSION.  Maybe keep just the CC number in a hidden
field so you don't have to deal with #2.  If you have a problem with #1,
also add a hidden token to your forms so you can distinguish between
multiple windows.

If you don't need sessions for other purposes, and #4 isn't a problem, use
hidden fields.



Need to contact me offlist?
   Drop -webdev or you probably won't get through.
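
An added example, not code from either poster: one way to combine the session storage and the hidden per-window token suggested above, so that each tab keeps its own answers, every submission is re-validated on the server, and the stored data is wiped when the flow completes. The field names (`flow`, `email`, `plan`) and the plan values are hypothetical, and no card data is handled here.

```php
<?php
// Added example, not code from the thread. Field names and plans are hypothetical.
session_start();

$token = $_POST['flow'] ?? '';
if (!is_string($token) || !isset($_SESSION['flows'][$token])) {
    // Unknown or missing token: this window starts its own flow at step 1.
    $token = bin2hex(random_bytes(16));
    $_SESSION['flows'][$token] = ['step' => 1, 'data' => []];
    $submitted = false;
} else {
    $submitted = true;                      // token came from a posted form
}

$flow  = $_SESSION['flows'][$token];
$error = '';

if ($submitted && $flow['step'] === 1) {
    // Validated values live server-side; the browser never echoes them back.
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { $error = 'Invalid e-mail address.'; }
    else { $flow['data']['email'] = $email; $flow['step'] = 2; }
} elseif ($submitted && $flow['step'] === 2) {
    $plan = $_POST['plan'] ?? '';
    if (!in_array($plan, ['monthly', 'yearly'], true)) { $error = 'Unknown plan.'; }
    else { $flow['data']['plan'] = $plan; $flow['step'] = 3; }
}

if ($flow['step'] === 3) {
    unset($_SESSION['flows'][$token]);      // finished: wipe this window's data
} else {
    $_SESSION['flows'][$token] = $flow;     // keep state for the next submit
}
?>
<?php if ($flow['step'] === 3): ?>
  <p>Signed up <?= htmlspecialchars($flow['data']['email']) ?>
     for the <?= htmlspecialchars($flow['data']['plan']) ?> plan.</p>
<?php else: ?>
  <p><?= htmlspecialchars($error) ?></p>
  <form method="post">
    <input type="hidden" name="flow" value="<?= htmlspecialchars($token) ?>">
    <?php if ($flow['step'] === 1): ?>
      E-mail: <input name="email">
    <?php else: ?>
      Plan: <select name="plan"><option>monthly</option><option>yearly</option></select>
    <?php endif; ?>
    <input type="submit" value="Continue">
  </form>
<?php endif; ?>
```

Flows abandoned partway through stay in the session until it expires or is destroyed, which is the cleanup concern raised in point 2.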
