GET vs PHP_SELF vs SESSIONS

[dotkpay]

Hello,

Am currently using GET to transfer errors from a processing script back to the form script. For example if a user fills in a wrong password at form.php, the processing file(process.php) will header back to the location "form.php?e=1".

$_GET['e']=1; will be interpreted as "Wrong username or password" inside form.php.

This method works fine but the problem is that a user can activate the errors through browser history which seems pretty odd.

 

And then PHP_SELF can also work fine in displaying errors since you just require process.php first and any error will sink through to form.php and get echoed. The problem is that users are always inconvenienced by having to resend posted data in case they want to refresh the page or go forward/back.

 

If we take a look at SESSIONS: Is this the best way to deal with error printing. Please let me know if there is any inconvenience that can come from using $_SESSION to transfer errors.

And is there a limit to how many session variables can be used within one session.

 

Thanks in advance

[teynon]

Does displaying an error message do anything other than display the error message? If not, then I would just stick with GET. Usually when I send an error message, I just post the actual message in GET. I tend to keep error messages short.

 

Edit: I lied. I am tricking my head right now. Right now I am simply including the message on the current page and then including the content of the previous page. (I've set up a template system.) Sessions would be pretty straight forward / simple here, but I don't see why GET would cause any harm.

[dotkpay]

If am to go with GET then I have find a way of hiding GET variables so that they are not seen in the browser address bar but can still be sent to the server. Is their any such way of doing it. I know of .htaccess which enables hiding the .php extension of the file in the url. Is it possible to hide the GET variables as well?

 

Thanks in advance

[teynon]

GET is sent to the browser. It will always be visible. I really don't think you need to worry about them being able to see your error code numbers, but if you are still worried about it, just use sessions.

[Psycho]

For form processing, I always have my form scripts post back to themselves. That way if there any errors I can display the error as well as supply the form with the values the user last entered. I would never pass an error code. If validation passes THEN I will process then code and then use a header() to redirect the user to a confirmation page. By using a header, instead of an include, it prevents a double post if the user was to refresh the page.

 

Here is a working example script, except for the other files to process the data and provide the confirmation message. But they are only used when everything passes. Try submitting the form without required or valid data.

 

<?php

//Set default vars for form (can be used with DB SELECT for edit purposes)
$name    = '';
$email   = '';
$phone   = '';
$message = '';
$errorMsg = '';

function is_email($email) 
{
    $formatTest = '/^[\w!#$%&\'*+\-\/=?^`{|}~]+(\.[\w!#$%&\'*+\-\/=?^`{|}~]+)*@[a-z\d]([a-z\d-]{0,62}[a-z\d])?(\.[a-z\d]([a-z\d-]{0,62}[a-z\d])?)*\.[a-z]{2,6}$/i';
    $lengthTest = '/^(.{1,64})@(.{4,255})$/';
    return (preg_match($formatTest, $email) && preg_match($lengthTest, $email));
}

if(isset($_POST['name']))
{
    $name    = (isset($_POST['name'])) ? trim($_POST['name'])   : '';
    $email   = (isset($_POST['email'])) ? trim($_POST['email']) : '';
    $phone   = (isset($_POST['phone'])) ? trim($_POST['phone'])   : '';
    $message = (isset($_POST['message'])) ? trim($_POST['message']) : '';

    //Create array to track errors
    $errors = array();
    //Validate the input
    if(empty($name))
    {
        $errors[] = "name is required.";
    }
    if(empty($email))
    {
        $errors[] = "Email is required.";
    }
    elseif(empty($email))
    {
        $errors[] = "Email is not valid.";
    }
    if(empty($message))
    {
        $errors[] = "Message is required.";
    }

    //Check if there were errors
    if(count($errors)>0)
    {
        //Create error message text
        $errorMsg .= "The following errors occured:<ul>\n";
        foreach($errors as $err)
        {
            $errorMsg .= "<li>{$err}</li>\n";
        }
        $errorMsg .= "</ul>\n";
    }
    else
    {
        //No errors, include script to process the data, then redirect to confirmation page
        include('process.php');
        header("Location http://www.mysite.com/confirmation.php");
        exit();
    }
}

?>
<html>
<body>
<div style="color:#ff0000;"><?php echo $errorMsg; ?></div>
Please enter your contact info:<br />
<form name="contact" action="" method="POST">
    <b><label for="name">Name: </label></b>
    <input type="text" name="name" id="name" value="<?php echo $name; ?>" /><br />

    <b><label for="email">Email: </label></b>
    <input type="text" name="email" id="email" value="<?php echo $email; ?>" /><br />

    <label for="phone">Phone: </label>
    <input type="text" name="phone" id="phone" value="<?php echo $phone; ?>" /><br />

    <b><label for="message">Message</label></b>
    <textarea name="message" id="message"><?php echo $message; ?></textarea>
<br /><br />
<button type="submit">Submit</button>
</form>

</body>
</html>