views:

2292

answers:

5

I want to get user input in one page, store that in a PHP variable and use it in another PHP page. I have tried using 'sessions' but it doesn't seem to be working. Is there another safe alternative? This information is likely to be usernames and passwords.

+6  A: 

I agree with carson, sessions should work for this. Make sure you are calling session_start() before anything else on any page where you want to use the session variables.

Also, I would not store password info directly, rather use some kind of authentication token mechanism. IMHO, it is not intrinsically unsafe to store password data in a session, but if there is no need to do so, you should probably try to avoid it.

ZombieSheep
It is slightly unsafe to store raw passwords in the session depending on what the backing store is. Most of the time the backing is to disk and that will result in a password being stored in plain text on disk somewhere.
carson
True, but my point was that the session variable itself isn't an unsafe place to do it. As you say, though, the possibility of persisting as plain text to the disk is another matter.
ZombieSheep
A: 

You can try using POST and GET methods for transferring user inputs within PHP scripts.

PHP GET

PHP POST

milot
This is potentially very unsafe. Passing the username and password back and forth to the browser is just asking for trouble. The session variable is the place to store this kind of data, although I would still recommend tokenising the data.
ZombieSheep
Well it is more safe if you use one-way hashing.
milot
+8  A: 

Try changing your session code as this is the best way to do this.

For example:

index.php

<?php
session_start(); // must run before any output is sent

// Both fields must be present in the submitted form
if (isset($_POST['username'], $_POST['password'])) {
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = $_POST['password'];
    echo '<a href="nextpage.php">Click to continue.</a>';
} else {
    // form
}
?>

nextpage.php

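<?php
session_start();

if (isset($_SESSION['username'])) {
    // Escape before output: the value came from user input
    echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
} else {
    // Not logged in: send the visitor back to the form and stop
    header('Location: index.php');
    exit;
}
?>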

However I'd probably store something safer like a userid in a session rather than the user's login credentials.

Ross
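
What the answer suggests at the end, keeping a user id in the session rather than the login credentials, could look like the following. This is an added example, not code from any poster in the thread; the `$users` array, the `attempt_login()` helper and the file name `login.php` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): the session holds a user id, never the password.
declare(strict_types=1);

session_start();

// Constructed stand-in for a user table; a real app reads the stored hash from its database.
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function attempt_login(array $users, string $username, string $password): bool
{
    $record = $users[$username] ?? null;
    // password_verify() checks the submitted password against the one-way hash.
    if ($record === null || !password_verify($password, $record['hash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id on login (session fixation)
    $_SESSION['user_id'] = $record['id'];   // the password itself is discarded here
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    // Reject array-valued fields before they reach the string-typed helper.
    if (!is_string($u) || !is_string($p) || !attempt_login($users, $u, $p)) {
        http_response_code(401);
        exit('Login failed.');
    }
    header('Location: login.php');   // assumed file name; redirect so a reload does not re-post
    exit;
}

if (isset($_SESSION['user_id'])) {
    // Any later page does the same: session_start(), then read the id.
    echo 'Logged in as user #' . (int) $_SESSION['user_id'];
} else {
    echo '<form method="post">
        <input name="username"> <input name="password" type="password">
        <button>Log in</button></form>';
}
```

With this layout the session file on disk contains only the integer id, so the plain-text-on-disk concern raised in the comments above does not apply to the password.
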
+2  A: 

There are several ways:

  • use sessions (but don't forget to call session_start() on every page where you'll use the session data store ($_SESSION))
  • append your data to the query string of the "next" page ($_GET)
  • post your data to the "next" page ($_POST)

The session way is the only way in which the data does not "leave" the server, as it's stored on the server itself. For all the other ways mentioned above, you have to take care of sanitizing and validating the data on the receiving page.

The simplest way would be

<?php
// page1.php
session_start();
$_SESSION['user'] = 'user';
$_SESSION['password'] = 'password';

<?php
// page2.php
session_start();
echo $_SESSION['user'] . ' ' . $_SESSION['password'];
Stefan Gehrig
A: 

I agree too, sessions are the best solution. See this chapter from Web Database Applications with PHP & MySQL for some examples.

Treb