Phil,

This helps a lot. Fortunately, the credit card details are on the last form, so they are available to the payment gateway code. I am using sessions since people have to pay to be able to see certain areas of the website.

Thanks,
Nan

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Phil Turmel
Sent: Thursday, February 28, 2008 2:03 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] post variable availability

Nan Harbison wrote:
> Phil,
>
> I think what I am doing wrong is - I have a form submit to itself, and
> then it shows sign up options on a form and then you submit again, and
> then it shows a credit card form, so I guess I am getting the form
> elements from first form.
> So do I store the values that I keep needing as the process continues
> as session variables? I always feel guilty when I do that, like it is
> the coward's way out.
>
> Thanks for your help!
> Nan
>

Hi Nan,

Yes, you need to store the 1st page's responses somewhere. Either put them in session variables or hide them on subsequent forms. (Sessions aren't cowardly, if that helps.) Unfortunately, there are pros and cons to each method you need to be aware of:

1) Cookie-based sessions won't automatically deal with your visitor opening multiple tabs or windows, and starting into the process on each.

2) Sessions store their data on the server's hard disk in one form or another. You may have to examine how that's done to ensure your customer's confidential information is wiped when you're done with it. (I don't process credit cards, so I can't speak to the details.) Especially if they get partway through and then close their browser.

3) Hidden variables are susceptible to spoofing... you have to validate them on the server side on every submission. Increases both processing time and traffic volume.
4) Hidden form variables aren't actually hidden from an interested user (view source), so if your validation process generates confidential internal codes, you would expose them to view.

If you are creating sessions anyways as part of a login process, just add the information to $_SESSION. Maybe keep just the CC number in a hidden field so you don't have to deal with #2. If you have a problem with #1, also add a hidden token to your forms so you can distinguish between multiple windows.

If you don't need sessions for other purposes, and #4 isn't a problem, use hidden fields.

HTH,

Phil

--
Need to contact me offlist? Drop -webdev or you probably won't get through.
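
Points 1 and 3 of Phil's reply, as an added example that is not part of the original messages: step-1 answers are validated on the server and kept in the session under a per-window token that travels in a hidden field. The field names (`flow`, `email`, `plan`), the plan codes and the function names are assumptions, and a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example: field names, plan codes and function names are assumptions.
const PLANS = ['basic', 'premium'];   // constructed list of sign-up options

// Start one sign-up flow. The token goes into a hidden field on every form
// of that flow, so each tab or window gets its own slot in the session.
function flow_start(array &$session): string {
    $token = bin2hex(random_bytes(16));
    $session['signup'][$token] = [];
    return $token;
}

// Return the slot for a posted token, or null if the token is malformed or unknown.
function flow_get(array $session, $token): ?array {
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    return $session['signup'][$token] ?? null;
}

// Validate step-1 input on the server before it is kept in the session.
function flow_save_step1(array &$session, array $post): bool {
    $token = $post['flow'] ?? null;
    if (flow_get($session, $token) === null) {
        return false;
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $plan = $post['plan'] ?? '';
    if ($email === false || !in_array($plan, PLANS, true)) {
        return false;
    }
    $session['signup'][$token] = ['email' => $email, 'plan' => $plan];
    return true;
}

// Remove the stored answers once the flow completes or is abandoned.
function flow_finish(array &$session, string $token): void {
    unset($session['signup'][$token]);
}

// Constructed demo: $session stands in for $_SESSION after session_start().
$session = [];
$tabA = flow_start($session);
$tabB = flow_start($session);
var_dump(flow_save_step1($session, ['flow' => $tabA, 'email' => 'a@example.com', 'plan' => 'basic']));
var_dump(flow_save_step1($session, ['flow' => $tabB, 'email' => 'b@example.com', 'plan' => 'free']));
var_dump(flow_get($session, $tabA)['plan'], flow_get($session, $tabB));
flow_finish($session, $tabA);
var_dump(flow_get($session, $tabA));
```

On the real pages the same functions would be called with `$_SESSION` and `$_POST` after `session_start()`.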