Well maybe not PHP gurus, just web/apache/php knowledge required.
I want to pass a value from one web page to another, or to be exact from one piece of PHP (on web page A) to another piece of PHP (on web page B). Having said that I can sort of understand the problem, there's nothing necessarily tying the two pages together, they *could* be running on different hosts under different web servers for all the web servers know about it.
So, I have a Wiki where page A has a link to page B and I want to be able to pass some data from page A to page B. They *are* displayed by the same web server (which is apache2) and they *are* on the same host.
I can't use cookies because by the time I can execute some PHP code the headers are long gone.
So how can page A 'send' a value to page 'B'? Am I reduced to the nasty (but perfectly possible) expedient of page A writing something to a file somewhere and page B reading it?
On 8 June 2010 21:17, Chris G cl@isbd.net wrote:
Am I reduced to the nasty (but perfectly possible) expedient of page A writing something to a file somewhere and page B reading it?
Probably equally as nasty but another method would be to have a link on page a that is
<a href="PageB.php?val1=hello&val2=world">PageB</a>
And then on page B get the values with:
<?php echo $_GET['val1'] . " " . $_GET['val2']; ?>
...Just a thought!
On 8 June 2010 21:25, James Bensley jwbensley@gmail.com wrote:
On 8 June 2010 21:17, Chris G cl@isbd.net wrote:
Am I reduced to the nasty (but perfectly possible) expedient of page A writing something to a file somewhere and page B reading it?
Probably equally as nasty but another method would be to have a link on page a that is
<a href="PageB.php?val1=hello&val2=world">PageB</a>
Just whatever you do, do not pass var1 or var2 to anything that could spawn a shell or cause commands or custom php to run, or anything that will be used as includes.
Unless, of course, you want to be rooted.
Srdjan
On Tue, Jun 08, 2010 at 09:37:00PM +0100, Srdjan Todorovic wrote:
On 8 June 2010 21:25, James Bensley jwbensley@gmail.com wrote:
On 8 June 2010 21:17, Chris G cl@isbd.net wrote:
Am I reduced to the nasty (but perfectly possible) expedient of page A writing something to a file somewhere and page B reading it?
Probably equally as nasty but another method would be to have a link on page a that is
<a href="PageB.php?val1=hello&val2=world">PageB</a>
Just whatever you do, do not pass var1 or var2 to anything that could spawn a shell or cause commands or custom php to run, or anything that will be used as includes.
Unless, of course, you want to be rooted.
I realise that anything I do like this will probably be horribly insecure but these pages are on a server only visible to my home intranet so (barring serious misconfiguration) security is not a major consideration.
I am also aiming to make the web server a separate machine whose destruction would not be a disaster.
Yeah I guess that using the HTTP GET method to parse variables isn't they way to do things in terms of security like this but POST any really any more secure. I use stuff like this all the time at home on my internal server for use around the house but obviously its bad practice to get into the habit of doing this ;)
I wonder if I could have made any more grammatical errors and typo's in that last email?
*rhetorical question!*
On Tue, Jun 08, 2010 at 09:25:03PM +0100, James Bensley wrote:
On 8 June 2010 21:17, Chris G cl@isbd.net wrote:
Am I reduced to the nasty (but perfectly possible) expedient of page A writing something to a file somewhere and page B reading it?
Probably equally as nasty but another method would be to have a link on page a that is
<a href="PageB.php?val1=hello&val2=world">PageB</a>
And then on page B get the values with:
<?php echo $_GET['val1'] . " " . $_GET['val2']; ?>
...Just a thought!
I was reading about this method when searching for "alternatives to cookies", it might well be a better way for my particular requirement. It may well be that adding that 'parameter' to the link will avoid having to write any PHP on the 'calling' page.
Thanks for the idea.
Chris G cl@isbd.net wrote:
On Tue, Jun 08, 2010 at 09:25:03PM +0100, James Bensley wrote:
Probably equally as nasty but another method would be to have a link on page a that is <a href="PageB.php?val1=hello&val2=world">PageB</a>
[...]
I was reading about this method when searching for "alternatives to cookies", it might well be a better way for my particular requirement.
I can't remember how many times something along the lines of the above has been done insecurely. When asked why it was written that way, it's sometimes that they got in the habit on a site with only trusted users, or it's code from a trusted-user site that's been re-used. It's better not to get in that habit, especially when the safer alternative is pretty easy.
Use the PHP session handler, put the stuff in the session and make sure you are either:
1. running PHP with the run-time option session.use_trans_sid to put the session ID into URLs transparently; or
2. add the PHP constant SID to links as needed.
PHP probably handles both parameter passing and writing/reading stuff from storage far better than humans. Beware session expiry time, though.
See Also: http://uk.php.net/manual/en/session.idpassing.php
Hope that helps,
On Wed, Jun 09, 2010 at 09:17:02AM +0100, MJ Ray wrote:
Chris G cl@isbd.net wrote:
On Tue, Jun 08, 2010 at 09:25:03PM +0100, James Bensley wrote:
Probably equally as nasty but another method would be to have a link on page a that is <a href="PageB.php?val1=hello&val2=world">PageB</a>
[...]
I was reading about this method when searching for "alternatives to cookies", it might well be a better way for my particular requirement.
I can't remember how many times something along the lines of the above has been done insecurely. When asked why it was written that way, it's sometimes that they got in the habit on a site with only trusted users, or it's code from a trusted-user site that's been re-used. It's better not to get in that habit, especially when the safer alternative is pretty easy.
Use the PHP session handler, put the stuff in the session and make sure you are either:
- running PHP with the run-time option session.use_trans_sid to put
the session ID into URLs transparently; or
- add the PHP constant SID to links as needed.
PHP probably handles both parameter passing and writing/reading stuff from storage far better than humans. Beware session expiry time, though.
I agree in principle, the trouble is that I can't "get at" the PHP sesion handler because I can't easily insert code that runs before the HTML headers have been parsed.
As it turns out I need to completely rethink what I'm doing anyway because PHP code run 'from the page' (i.e. embedded in the HTML) can't really do what I want.
I'm now thinking that it's almost certainly easier to change the underlying Wiki code to do what I want, even though that means I'll have a patched/modified version of the Wiki.
Chris G cl@isbd.net wrote:
On Wed, Jun 09, 2010 at 09:17:02AM +0100, MJ Ray wrote:
Use the PHP session handler, put the stuff in the session and make sure you are either: [...]
I agree in principle, the trouble is that I can't "get at" the PHP sesion handler because I can't easily insert code that runs before the HTML headers have been parsed.
I don't think that's a blocker if using URL-based sessions. Happily, this is moot now:
As it turns out I need to completely rethink what I'm doing anyway because PHP code run 'from the page' (i.e. embedded in the HTML) can't really do what I want.
which is probably just as well because it feels like no suggestion is ever good enough. I'll go back to work.
Regards,
-
Chris G -
James Bensley -
MJ Ray -
Srdjan Todorovic