
tefuzz

Members
  • Posts

    70
  • Joined

  • Last visited

    Never

Everything posted by tefuzz

  1. that's what I am doing, but even if I leave the page and come back, it still keeps the session going and my values are still there...
  2. took a look at that, but the page you linked to shows about having some malicious code within a page. when pulled up by a user with permissions it executes. should I be using something like $_SERVER['HTTP_REFERER'] to check? basically, if the token is set, but the referer is not my site, i can show them a session error or something? but looking at the PHP manual it says HTTP_REFERER "...This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted..." any ideas?
  3. Well so that i don't have to write my password again and again. I am a kid of 15 years and my friend who becomes oversmart challenged me to do so. I beg u to solve my problem. that's why browsers have "do you want me to remember this password?" and autoComplete... all you have to do is click twice, and your username and password are in.
  4. been looking around for answers, did not find much yet. anyone have any ideas?
  5. ok, now I have another problem. I have the form validation set so that if there are errors it automatically fills in the valid fields again so the user doesn't need to retype everything for 1 error. However, If i run the script with an error, it fills in my valid data just like I want. Now the catch is, If I leave the page and go to say google.com, and go back, my form fields will still be filled in with that data. What can I do to make sure that if they leave the "session" it clears, and they have to start over again? Only if they leave the form (multi part) and come back. If they go to step2 and come back to step1, I want to keep the data.
  6. OK, well I think I fixed one part of it... I changed this line of my page: <form action="step1.php" method="post" enctype="multipart/form-data" name="tutorApp" class="tutorAppForm"> to this: <form action="<?php echo($_SERVER['PHP_SELF']); ?>" method="post" enctype="multipart/form-data" name="tutorApp" class="tutorAppForm">
  7. I have the first IF checking to see if they pressed the "next" button. If not, then it must be the first time on the page, so I am assigning a token. If it is pressed, then it is checking the token against the hidden input to see if they match. Or at least that's what I thought it was doing.
  8. I am trying to use a session token to protect my form a little bit for hijacking, and from timeouts in case the user takes 4 hours to complete it, the information will be cleared so someone couldn't hijack their data either. i have it creating a token automatically, and passing it through $_POST inside a hidden input 'token' I can't however get it to work...my code is this...seemed like it would work, but I always get "session error!". and yes, the hidden input for 'step1' is there.
        <?php
        session_start();
        if (!isset($_POST['step1'])) {
            $_SESSION['token'] = uniqid(md5(microtime()), true);
        } elseif ($_POST['token'] !== $_SESSION['token']) {
            echo "session error!";
        } else {
            ...this is where the validation goes...
  9. I remember what it was! I was originally going to use $fields as $required, and pass it through a validation function but decided against it , I guess I just kept going with it without realizing and worked it into the $_SESSION
  10. good question...for some reason I hadn't thought of just going directly to the $_POST
  11. here's what comes out...I only entered firstname, lastname, month, day, and year Array ( [step1] => step1 [token] => 353cefcd1509a11e67b8196efb41284849eef876e280b4.76260405 [firstname] => dsvcasdv [lastname] => asdvasdvdsv [month] => Feb [day] => 4 [year] => 2005 [add1] => [add2] => [city] => [state] => [zip] => => [tel] => [submit] => Next ) dsvcasdv asdvasdvdsv Feb 4 2005
  12. I'm a newbie too, i had asked a similar question to this, and got lots of advice. I decided to go with the switch(). just seemed cleaner, and easier to manage than a bunch of IF statements.
  13. I have an IF statement checking to see if the form has been posted via a hidden input, this code is executed only after the form is submitted...how to i add the $_POST values to the $_SESSION array then with that?
  14. you could also use a switch to accomplish the same goal...my index page is set up this way with multiple variables in the URL to determine what exactly the visitor is doing. but as wolfrage said, your URL would need to be something like http://www.mysite.com/index.php?code=1 (assuming the file you are using is named index.php) here's a quick example...
        $code = $_GET['code'];
        switch($code) {
            default:
                include('default.php');
                break;
            case "1":
                include('one.php');
                break;
            case "2":
                include('two.php');
                break;
        }
  15. I have a multi part form, and each step I am validating the previous step. I am storing all the values into a session, and i thought this was a way to do it, but my echo just gives me blank lines...
        $fields = array("firstname", "lastname", "month", "day", "year", "address1", "address2", "email", "telephone");
        foreach ($fields as $field) {
            $_SESSION[$field] = $_POST[$field];
            echo $_SESSION[$field] . "\n";
        }
  16. I have always used selected="selected" and it is validating according to the w3c...as for the === thanks, makes more sense to me.
  17. Ok, so i created a function for my form to populate a list with years for use with birth dates. I added more functionality to it so that when validating and error checking, I could have the function still populate the list, but if a year was selected and there were other errors, not pertaining to the list it would still keep that year selected after reload. my function takes a start/end year and populates the list accordingly from highest to lowest, and checks to see which value is selected...That's where I can't figure out why it actually works. Anyhow, so here is how it is right now. Works flawlessly (might not be the best way, but I'm a beginner, and it works)
        function getYears($name, $startYear, $endYear, $tabIndex, $selected) {
            $year = $endYear;
            echo ("\n\n<select name=\"$name\" id=\"$name\" tabindex=\"$tabIndex\">\n");
            if(empty($selected)){
                echo("\n\t<option selected=\"selected\" value=\"\"></option>");
            }
            while ($year >= $startYear) {
                if ($year == $selected) {
                    echo("\n\t<option selected=\"selected\" value=\"$selected\">$selected</option>");
                } else {
                    echo("\n\t<option value=\"$year\">$year</option>");
                }
                $year --;
            }
            echo ("\n</select>");
        }
     With it like that, it works 100% no problems, none ever...However, while trying to figure it out, I had coded it a little differently, and it would populate the list with only 2 values, both being blank. here is the only difference in code:
        echo("\n\t<option selected=\"selected\" value=\"$year\">$year</option>");
     instead of
        echo("\n\t<option selected=\"selected\" value=\"$selected\">$selected</option>");
     Considering the statement below, shouldn't $year AND $selected work in such a case since they are equal?
        if ($year == $selected) {
  18. I know, I ask a million questions but you guys are so damn helpful Anywho, In my form (multiple page) I am going to store the variables into a session. Do I start the session automatically when page 1 of the form is loaded? Or do I start it when page when begins getting validated? Also, does each subsequent page automatically follow the session?
  19. I have a form. It has 4 different <select> in it. If the lists are all valid (an item is selected) but there are other errors, how would I make PHP keep the selection when the page refreshes to show the fields with errors. Right now my <select> are brought in by a function like this:
        function getDays ($name, $tabIndex) {
            echo ("\n\n<select name=\"$name\" id=\"$name\" tabindex=\"$tabIndex\">\n <option selected=\"day\" value=\"\">");
            $days = array ("1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "30", "31");
            foreach ($days as $day) {
                echo("\n\t<option value=\"$day\">$day</option>");
            }
            echo ("\n</select>");
        }
  20. [quote author=jOE link=topic=248705.msg1164671#msg1164671 date=1240190038] You always want to run any doing going into a db through mysql_real_escape_string(), but then there are other methods/functions for sanitizing things like HTML or non alpha numeric characters. [/quote] like i said, my fields are all basic things like name, email telephone etc. how about things like zip codes? just check if its all numbers, and a correct length?
  21. I am not currently entering the data from my form into a database, this feature will come later on. it is just an email script right now. However, I would like to make sure i am protected in either case. I have seen multiple examples using mysql_real_escape_string() and strip_tags() and strip_slashes(). but which do I use? I am not allowing HTML input in my form, it is all basic information, from small fields (name, address, phone #, email etc) There will however be a text area for comments. Right now I am validating my fields with no "security", and again, I eventually would like to enter the fields to a DB instead of an email, so i need to be protected from injection. Any info would be great
  22. how can I make sure the session will last long enough for the user to fill out all 6 pages of the form?
  23. I was planning on using a session, but it's a 6 part form...It's an application, so some replies i got on here were if the user took too long to complete the steps the session would be lost. I guess my best bet is to stick them all into hidden fields after validation.
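
The per-form token check described in posts 7 and 8, with the timeout post 8 asks for, as an added example that is not code from any of the posts. `TOKEN_TTL`, its 30-minute value and the three function names are assumptions; `step1.php` and the `token` field name are taken from the posts.

```php
<?php
declare(strict_types=1);
// Added example, not code from the posts; names and the 30-minute limit are assumptions.
const TOKEN_TTL = 1800; // idle seconds before collected form data is discarded

function resetForm(): string
{
    $_SESSION = []; // forget every step's saved values
    // random_bytes() is a CSPRNG; uniqid() and microtime() are guessable clock values.
    $_SESSION['token'] = bin2hex(random_bytes(32));
    $_SESSION['token_time'] = time();
    return $_SESSION['token'];
}

function tokenIsFresh(): bool
{
    return isset($_SESSION['token'], $_SESSION['token_time'])
        && time() - $_SESSION['token_time'] <= TOKEN_TTL;
}

function tokenIsValid($posted): bool
{
    // is_string() rejects token[]=x; hash_equals() compares in constant time.
    return tokenIsFresh() && is_string($posted)
        && hash_equals($_SESSION['token'], $posted);
}

session_start();
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    // Page load: keep an unexpired token so a reload or the browser's Back
    // button does not invalidate the hidden field already sent out.
    $token = tokenIsFresh() ? $_SESSION['token'] : resetForm();
} elseif (!tokenIsValid($_POST['token'] ?? null)) {
    session_regenerate_id(true); // new session id along with the new token
    $token = resetForm();
    http_response_code(400);
    $error = 'Session error, please start again.';
} else {
    $_SESSION['token_time'] = time(); // activity restarts the idle clock
    $token = $_SESSION['token'];
    // ... validation of this step's fields goes here ...
}
?>
<p><?= htmlspecialchars($error, ENT_QUOTES) ?></p>
<form action="step1.php" method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="submit" name="submit" value="Next">
</form>
```

The same token and timestamp carry over to the later steps of the form, so a mismatch or an idle period longer than `TOKEN_TTL` on any step discards the saved values and sends the user back to the start.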