How to recover data from an invalid form? PHP

0

I have a registration form that I send to a PHP script that does the processing and writes to the DB. The problem is that when some form field is invalid, I redirect back to the form, but it is empty. I thought of saving the fields in $_SESSION, but that seems like a bit of a hack.
Any suggestions?

  • 2

    It doesn’t have to be $_SESSION; just put the $_POST or $_GET values, whichever you are using, on the same form page.

  • In fact, SESSION tends to be a hack (depending on the case and the technique, even the to use can be identified only). If the form is in the same request, the answer below works. If it is not, you need to redirect the person with some ID in the URL and recover the data from somewhere (DB, in-memory DB, temporary file, etc.).

2 answers

1

If the request is handled in the same file, Marcos's answer, which uses the $_POST variable directly, is valid. If the request needs to be processed in a separate file, I believe that a session is not the best way out, but rather a cookie. Although they appear to be the same, their purposes are different. HTTP requests are stateless: data does not persist between requests, and as soon as the response to a request is obtained the data is lost. The goal of both session and cookie is exactly to persist, for a while, some data that is of interest to the application in question. The difference is that a session persists the data on the server side and cookies persist the data on the user side. Since we are working with a form, in which the user himself provides the data, persisting the data on the user side does not present any risk to the application. For the server, the data only matters once it is valid.

A discussion about it can be read here:

In this way, your form can be defined following the same logic presented in the other answer, but now replacing the variable $_POST with $_COOKIE:

<input type="text" value="<?= htmlspecialchars(isset($_COOKIE['form_foo']['nome']) ? $_COOKIE['form_foo']['nome'] : '', ENT_QUOTES, 'UTF-8') ?>" name="nome">

And in the file that handles the requests, after validating the data, persist it with the setcookie function.

  • "does not present any risk to the application to persist the data on the user side": I can’t agree with that. You can’t trust anything that comes from the client side. Good practice is to always mistrust and treat the data in PHP, because there is always risk.

  • @Shutupmagda, but there is validation. This persistence is only to present the data again in the form.

  • Even so, there will be risk to the application, mainly because the data can be manipulated by the client.

  • 2

    That’s the idea. That’s what the form is for. If the user typed "user#gmail.com" in the email field, it will be invalid in server validation and the user will return to the form with this information already filled in. If the user somehow changes the value, it will be re-validated by the server until there is something valid. What is the risk?

  • The risk is Cross-Site Request Forgery, but there are others. It is possible to manipulate the information in a cookie to return arbitrary commands to the browser. You should not blindly rely on the browser, and sometimes server-side validation is not enough.

  • 1

    But we’re talking about repopulating a form, not user authentication.

  • As I said, there are other risks, and CSRF is not linked only to authentication data. See, I just did not agree with you saying that using a cookie to recover data poses no risk, that’s all.

  • @Shutupmagda, I understand. It seems that this was beyond my knowledge. I will remove this statement so as not to cause confusion.

1

If you are using $_POST or $_GET to send the data, then when you validate the data, find that it is invalid and display the form again, the data is still available to you.

So, depending on how your form is built, it may change a little, but the idea is to do something like this:

<input type="text" value="<?= htmlspecialchars(isset($_POST['nome']) ? $_POST['nome'] : '', ENT_QUOTES, 'UTF-8') ?>" name="nome">

According to your comments, the form is in a different request from the data processing. Then $_SESSION is an alternative. It wouldn’t be any different from $_POST; I would just put it all in an array to avoid possible conflicts.

In the validation:

$_SESSION['form_foo'] = $_POST;

In the form:

<input type="text" value="<?= htmlspecialchars(isset($_SESSION['form_foo']['nome']) ? $_SESSION['form_foo']['nome'] : '', ENT_QUOTES, 'UTF-8') ?>" name="nome">

  • 2

    Only works if the request is being handled on the same page as the form.

  • My request is handled on a different form page.

  • 1

    @Murilosouza $_SESSION is a good option.

  • 1

    If instead of making a redirect you include the page with the form at the end of the script, you can use the post and get variables.
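
The session-based repopulation discussed in the answers above, as an added example that is not part of the original answers: the processing side stashes only whitelisted string fields, the form side reads them once and escapes them for the HTML attribute. The helper names, the `email` and `senha` fields and `form.php` are assumptions; a plain array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example, not code from the answers. Helper names and the
// 'email'/'senha' fields are hypothetical; 'form_foo' and 'nome' are from the page.

const REPOPULATE_FIELDS = ['nome', 'email']; // passwords are never kept for redisplay

/** Processing side: keep only whitelisted string fields for one redisplay. */
function stash_old_input(array $post, array &$session): void
{
    $old = [];
    foreach (REPOPULATE_FIELDS as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $old[$field] = $post[$field];
        }
    }
    $session['form_foo'] = $old;
}

/** Form side: read the stashed values once, then forget them. */
function take_old_input(array &$session): array
{
    $old = $session['form_foo'] ?? [];
    unset($session['form_foo']);
    return is_array($old) ? $old : [];
}

/** Escape a stashed value for use inside a double-quoted HTML attribute. */
function old(array $old, string $field): string
{
    $value = $old[$field] ?? '';
    return htmlspecialchars(is_string($value) ? $value : '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request: invalid e-mail plus a name that tries to break out of the attribute.
$session = []; // stands in for $_SESSION after session_start()
$post = ['nome' => '"><b>injected</b>', 'email' => 'user#gmail.com', 'senha' => 'secret'];

if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
    stash_old_input($post, $session);
    // In the real processing script: header('Location: form.php', true, 303); exit;
}

// form.php side: values come back escaped, and 'senha' was never stored.
$old = take_old_input($session);
echo '<input type="text" name="nome" value="' . old($old, 'nome') . '">', PHP_EOL;
echo '<input type="email" name="email" value="' . old($old, 'email') . '">', PHP_EOL;
```

The same `old()` escaping applies unchanged if the values are read from `$_POST` or `$_COOKIE` instead of the session.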
