Session variables in functions via includes

[JRBeltman]

Dear all,
I am trying to get the following code functioning in a much more complex situation as this example.

I wish to set the session variable in a function that is in a separate php file called with include : )

If I test it without this 'include' my code will be working:
(I know that for the real thing using $_SESSION[] is better, but it does not solve my problem)

File test1.php

<?
  session_start();
  if(!session_is_registered('testing'))
  {
    session_register('testing');
  }
?>
  <A HREF="test3.php"
    onMouseOver="window.status='hi you';return true"
    onclick="<?=$testing=75?>">HTML Goodies</A>
<?
?>

File test3.php

<?php
  session_start();
  echo $testing." points for me";
  session_destroy();
?>

This will output: 75 points for me

Now the problem (please keep in mind that due to some factors I can not call the session_register only in test2.php and it must be set and used in test1.php)

File test1.php

<?
  include("test2.php");

  session_start();
  if(!session_is_registered('testing'))
  {
    session_register('testing');
  }
  testsession();
?>

File test2.php

<?
  function testsession()
  {
    ?>
      <A HREF="test3.php"
        onMouseOver="window.status='hi you';return true"
        onclick="<?=$testing=75?>">HTML Goodies</A>
    <?
  }
?>

File test3.php

<?
  session_start();
  echo $testing." points for me";
  session_destroy();
?>

I expected the same outcome, but instead the $testing variable has not registered?!

Anyone who can help?

Many thanks
JR

 

[sleipnir214]

I'm not sure what's going on in your code, as your first example does not work on my installation, either.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[JRBeltman]

Dear sleipnir214.
It may well have to do with global vars not being switched on orso...

try: test1.php

<?php

  session_start();

?>
  <A HREF="test3.php"
    onMouseOver="window.status='hi you';return true"
    onclick="<?=$_SESSION['testing']=80?>">HTML Goodies</A>
<?
?>

hope this helps

 

[sleipnir214]

Neither code works unless register_globals is set to "ON".

The only reason I can see that it works is because you're actually using the variable poisoning warned about in the PHP online manual page titled "Using register Globals".

Your sessions aren't doing anything as far as I can see. It's all because $_GET or $_POST is creating the variable.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[JRBeltman]

ok, this is weird!
I go it working now. And will see if it can work using a class..... but dont ask me how I fixed it!

Anyway I replaced the sessio_register with $_SESSION[]
and done the whole thing from scratch....

 

[sleipnir214]

You need to carefully look at that code and see what is going on. You're doing some very strange things here.

The operative question is, since you're not setting the value into your session variable, where is the printing of $testing coming from?



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[JRBeltman]

Hi sleipnir214,
you are absolutely correct, weird things going on just to try and hide things from the status bar when clicking a hyperlink....

The idea was (as per my earlier posting) to have a list of hyperlinks created and the 'id' of the clicked hyperlink should be stored in the session variable, hence the JAVA script 'Onclick' action.

In the onclick action as in the examples it executes a statement storing the 'id' value of that hyperlink in the session variable. If done correctly this is where the $testing comes from.

So the hyperlink will on clicking it first store the value in the session varaible and then go to the page required.

If you are interested I can now post the working code. Anyway I solved this many thanks to your comments about the super global $_SESSION.

Many thanks!
JR

 

[sleipnir214]

Oh, I understand what's going on now

The "onclick" attribute does absolutely nothing on the web browser side. You'll get the same behavior with the scripts:

test1.php

<?php
session_start();
$_SESSION['testing'] = 80;

print '<A HREF="test3.php" onclick="90">HTML Goodies</A>';
?>

test3.php:

<?php
session_start();
echo $_SESSION['testing'] ." points for me";
?>

The reason the value gets into $_SESSION['test'] has nothing whatsoever to do with the "onclick" attribute of your link. It only has to do with the fact that you executed the statement:

$_SESSION['testing'] = 80;

in the middle of your HTML output. Look as the source code of what is produced by your script test1.php. The "onclick" attribute of the anchor is "80".

Now look at the code I just posted. I'm setting the session variable to 80, but I'm setting the "onclick" attribute's value to "90". If the onclick attribute did anything, the value returned by test3.php would be "90". But you'll find it's actually still 80. You can remove the "onclick" attribute completely and it won't make any difference.


The problem is that you're not going to be able to use that method to hide ids in links.




Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[DRJ478]

Never forget that all PHP code is intepreted before the page evr reaches the browser. Whatever, wherever you click has absolutely no effect.
Think about encryption for links if you want to hide attributes or IDs.

 

[JRBeltman]

Hi All,
well thanks for your explanation.. I am afriad I found the same yesterday

So what would I use to get the desired effect? Say 3 hyperlinks on a page and only the clicked hyperlink passing the value to the session variable?

DRJ478 mentions encryption. Is there a guide on how to use this and would it be applicable?

Anyway the links would look like
print '<A HREF="test3.php"> HTML Goodies</A>';
(passing value=1 to the session variable 'testing' when clicked)
print '<A HREF="test3.php">FTP Stuff</A>';
(passing value=20 to the session variable 'testing' when clicked)
print '<A HREF="test3.php">Pappa Smurf</A>';
(passing value=6 to the session variable 'testing' when clicked)

Hope it makes sense what I am trying to do?
Many thanks for your replies so far.

 

[JRBeltman]

Just a quick add on to my previous reply before I get a 'RTFM' .
I just read about the encryption thing, which I have used in the past, but am not sure if that is a relevant or the best solution to the problem.

Apart from what could be the solution to my original question, what would expert users such as yourself advise me to use when it comes to online payment transactions? Encryption of information or forms/session variables?

JR

 

[sleipnir214]

I use session variables to store user information between pages.

But I didn't think we were talking about online payments, but rather item selection.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[JRBeltman]

Hiya,

Thanks for answering the question on safety and what is felt most practical to use....

Any idea how I can fix my original problem with item selection?

Cheers

 

[sleipnir214]

I've simply used links of the form:

<a href="somescript.php?somename=someIDvalue">Item Description</a>






Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[JRBeltman]

Is what I am trying to do impossible?
Because using some other php script would mean transmitting the data or at least showing the 'real' action in the status bar when clicking the hyperlink.

Cheers
JR

 

[sleipnir214]

There are two ways to get data from a web browser to a web server -- GET-method input and POST-method input.

The link I just provided is an example of GET-method.

You can't do POST-method through a link, but you can get creative with POST-method forms on a page.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[sleipnir214]

You can also get creative with client-side scripting. But that is a topic for another forum.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[JRBeltman]

That client-side scripting would be interesting, but not now

If only PhP would not excute everything on the page on loading it.

Can you set a php session using java, or add to a php variable using java? That could possibly help?

 

[sleipnir214]

PHP doesn't have to execute everything in a script. It all depends on your program logic.

And when you're talking about Java, do you mean client-side or server-side? If client-side, the answer is an unqualified "no". Since the session data is stored on the server, only code running on the server can modify it.

I suppose that server-side Java could modify PHP session data -- but it wouldn't be easy.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[DRJ478]

I recommend to use GET parameters attached to the URL. Just obfuscate them enough so people can't just fabricate them easily.
Have a look at the rc4crypt project:

http://sourceforge.net/projects/rc4crypt

print '<A HREF="test3.php?param='.obfuscate(1).'"> HTML Goodies</A>';
print '<A HREF="test3.php?param='.obfuscate(20).'">FTP Stuff</A>';

Write a function obfuscate and use the rc4crypt functions to en/decrypt the parameter.