Repost $_POST vars

[rondog]

I have a page where you first choose a group. Once they submit the first form, I POST whichever group they have chosen. I then have an if statement saying(sudo)

if(group is posted)
{
   show the next form;
}
else
{
   show the first form;
}

 

My issue is that when they submit they second form, group is no longer posted so it goes back to the first form. Is their a way to repost the group variable? I could essentially just turn it into a session I know. Is their any other way with the method I am current doing? Here is a dumbed down version of my code:

<?php
//shoot manager
$group = $_POST['chosenGroup'];

if(isset($_POST['savechanges']))
{
$num = $_POST['shootnum'];
for ($i = 1; $i<=$num; $i++)
{
	$setValue = $_POST['shoot'.$i];
	$id = $_POST['shootid'.$i];
	$query = mysql_query("UPDATE shoot SET active = '".$setValue."' WHERE id = '".$id."'") or die(mysql_error());
}
echo "<p style=\"color:#ffd530;background-color:#6F6161;text-align:center;\">Successfully saved changes.</p>";			
}


if(!isset($group)) //if $group isnt set show the first form
{

echo "show the first form";
}
else //else show the second form
{
//once this form is submited $group is no longer posted so it shows the first form which is the problem
echo "show the second form-a";
echo "show the second form-b";
}
?>

 

[Asheeown]

Simple way to do it is use a hidden field

 

<?php
echo "<input type=\"hidden\" name=\"chosenGroup\" value=\"$group\" />";
?>

[DarkWater]

Simple way to do it is use a hidden field

 

<?php
echo "<input type=\"hidden\" name=\"chosenGroup\" value=\"$group\" />";
?>

 

That could be edited en route, which could mess up previous queries.

[discomatt]

That could be edited en route, which could mess up previous queries.

 

The user screwing up their own request is not something you need to take into account... as long as it doesn't affect anything server side.

 

If a user wants to change their POST headers, they should expect to see unnatural results.

[DarkWater]

That could be edited en route, which could mess up previous queries.

 

The user screwing up their own request is not something you need to take into account... as long as it doesn't affect anything server side.

 

If a user wants to change their POST headers, they should expect to see unnatural results.

 

The point of editing the data would be to affect things server side.  If he does a query on one page, then expects the same data to be on the second page and it isn't, things are effectively messed up server side (i.e: passing an ID from mysql_insert_id in a hidden input).

[Asheeown]

However he's not using that var for identification and if it were to have sql injection in it that's another issue that should be dealt with anyway.

[DarkWater]

However he's not using that var for identification and if it were to have sql injection in it that's another issue that should be dealt with anyway.

 

But he already did some querying using that $group data, so if it changed during this process, it could certainly mess things up.  I'd use sessions.

[Asheeown]

If you don't want to use sessions and you want to take more security measures just encrypt the data in the hidden field, they can screw with it but when unencrypted on the following page it will bounce anything not formally correct to it's encryption standards.

[discomatt]

The point of editing the data would be to affect things server side.  If he does a query on one page, then expects the same data to be on the second page and it isn't, things are effectively messed up server side (i.e: passing an ID from mysql_insert_id in a hidden input).

 

In this case, sessions would be a 'better' solution than POSTing the data... but I wouldn't call either a 'good' solution.

 

Summing the forms into a single query would be the ideal solution IMO.