Safe to use two forms and hidden inputs?


StevenOliver


Customers visit a "select merchandise page."
Their list of items is displayed (merchandise SKU numbers). The displayed list of their items expands as they add more stuff.
When they're done, they create a packing slip that appears on a new "finished.php" page.

Question: Is using 2 forms and hidden inputs the secure and accepted way to do this?

--------------------------------------------------------
<?php
// Join the new entry onto the list carried over in the hidden field.
// The null-coalescing defaults avoid undefined-index notices on the first visit.
$added = ($_POST["added"] ?? '') . ',' . ($_POST["more-stuff"] ?? '');
// Escape before echoing: the value originates from the client.
echo "Here is what's been added: " . htmlspecialchars($added, ENT_QUOTES, 'UTF-8'); // item 1, item 2, item 3, etc.
?>

<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') ?>">
<input type="text" name="added">
<input type="hidden" name="more-stuff" value="<?= htmlspecialchars($added, ENT_QUOTES, 'UTF-8') ?>">
</form>

When finished, click here to create Packing Slip:

<form method="post" action="finished.php">
<input type="submit" value="CREATE PACKING SLIP">
<input type="hidden" name="finished" value="<?= htmlspecialchars($added, ENT_QUOTES, 'UTF-8') ?>">
</form>
--------------------------------------------------------

Thank you!!


external data can be anything and cannot be trusted. you have to validate all external data before using it, so, you should submit/pass a minimum of information through a form. by using a hidden field, you will have to validate the original data and then re-validate all the hidden field data before using it.

when items are selected, the item id (sku) and quantity should be the only information that gets submitted and should be stored in a 'cart' on the server, either in a session array variable or in a database table. you would use or display the server-side cart information as needed.

when an order is finalized/finished, you need to persistently store the items making up that order, in a database table. to display or print a packing slip, you would query for and retrieve the item information for the correct order number.


2 hours ago, mac_gyver said:

...by using a hidden field, you will have to validate the original data and then re-validate all the hidden field data before using it.

...when items are selected, the item id (sku) and quantity should be the only information that gets submitted and should be stored in a 'cart' on the server...

mac_gyver, thank you for your reply. I think I understand!
Are you saying it is best to completely eliminate <input type="hidden"> and instead use Sessions (or Databases)?

So my simplified code would become:

-----------------------------------
<?php
session_start();
$_SESSION["added"] ??= '';                            // first visit: start with an empty list
if (isset($_POST["added"])) {
    // sanitize() is a placeholder for whatever input validation is applied; it is not defined in this post.
    $_SESSION["added"] .= sanitize($_POST["added"]);
}
echo '<html><body>';
echo "Here is what's been added: " . htmlspecialchars($_SESSION["added"], ENT_QUOTES, 'UTF-8');
?>

<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') ?>">
<input type="text" name="added">
</form>

When finished, click here to create Packing Slip:

<form method="post" action="finished.php">
<input type="submit" value="CREATE PACKING SLIP">
</form>
</body></html>
-----------------------------------

... and the "finished.php" page would be as follows:
<?php
session_start();
// Escape on output; the session value was built from client input.
print htmlspecialchars($_SESSION["added"] ?? '', ENT_QUOTES, 'UTF-8');

Is that better?


yes to storing the data in a session variable, no to just concatenating it to a single element.

the 'cart' session variable needs to be an array, with the array index being the item id and the value stored in the array being the quantity. this will result in the simplest code when referencing or manipulating the data. for example, how do you detect and deal with adding the same item to the cart more than once? with an array, you can just use isset() to detect if the item id is already in the cart. with concatenation, you must search through the string to find a match.
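The array cart described above, written out as an added example (not code from the thread or from either poster): only sku and qty are taken from the form, isset() merges a repeated SKU into the existing quantity, and item names are resolved server-side. The SKU pattern, MAX_QTY and the CATALOG constant are assumptions standing in for a database lookup.

```php
<?php
// Added example, not from the thread: server-side cart kept as sku => quantity.
// SKU_PATTERN, MAX_QTY and CATALOG are assumptions (CATALOG stands in for a DB).
const SKU_PATTERN = '/^[A-Z0-9-]{3,20}$/';
const MAX_QTY     = 99;
const CATALOG     = ['ABC-100' => 'Widget', 'XYZ-200' => 'Gadget'];  // constructed

// Validate one submitted (sku, qty) pair and merge it into $cart.
// Returns an error message, or null on success.
function add_to_cart(array &$cart, mixed $sku, mixed $qty): ?string
{
    // Client data is never trusted: shape check, then existence check.
    if (!is_string($sku) || !preg_match(SKU_PATTERN, $sku) || !isset(CATALOG[$sku])) {
        return 'unknown or malformed sku';
    }
    $qty = filter_var($qty, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_QTY]]);
    if ($qty === false) {
        return 'quantity must be 1-' . MAX_QTY;
    }
    // isset() is the duplicate check: the same SKU again just adds to the quantity.
    $cart[$sku] = isset($cart[$sku]) ? min(MAX_QTY, $cart[$sku] + $qty) : $qty;
    return null;
}

// Render cart rows, resolving names server-side and escaping everything for HTML.
function render_cart(array $cart): string
{
    $rows = '';
    foreach ($cart as $sku => $qty) {
        $rows .= sprintf("<tr><td>%s</td><td>%s</td><td>%d</td></tr>\n",
            htmlspecialchars($sku, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars(CATALOG[$sku], ENT_QUOTES, 'UTF-8'), $qty);
    }
    return $rows;
}

if (PHP_SAPI === 'cli') {
    // Offline walk-through with constructed submissions; no session needed.
    $cart = [];
    foreach ([['ABC-100', '2'], ['ABC-100', '3'], ['XYZ-200', '0'], ['<b>x</b>', '1']] as [$sku, $qty]) {
        printf("%-10s %s\n", $sku, add_to_cart($cart, $sku, $qty) ?? 'ok');
    }
    echo render_cart($cart);
} else {
    // Real request: the cart lives in the session, the form only carries sku and qty.
    session_start();
    $_SESSION['cart'] ??= [];
    add_to_cart($_SESSION['cart'], $_POST['sku'] ?? null, $_POST['qty'] ?? null);
    echo '<table>' . render_cart($_SESSION['cart']) . '</table>';
}
```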
