Originally posted by neotransotakuI'm curious to know how you use arrays to do what you wanted to do... and I didn't really understand the scope of your problem, could you explain?
And I can save the form, edit the HTML, and hit submit in my browser. You can also easily encode information placed in cookies (and forms) to make tampering harder, but that's leading down the wrong path anyway. Not that it's not a good idea, but it's not how you should go about looking at security.
Security comes in knowing not to trust information that comes from the user in the first place. If the user is in control of sending any information that can easily pose a security risk or lets them choose options they shouldn't have access to, then something's wrong with the basic design of your script. It doesn't matter how hard it is to tamper with the information they send, but merely that they can send it.
Telling someone that avoiding cookies makes their script more secure merely distracts them from the real problems, like plugging data straight into SQL servers or simply calling include(); on whatever string happens to be in a certain $_GET variable.
@The Punisher:
PHP sessions don't have to last indefinitely. Just use session_start(); while working with the form, then use $_SESSION = array(); and session_destroy(); after the form has been submitted.
I'm not saying hidden input types are completely secure, but they are at least more secure than cookies. All one has to do to edit cookie files are edit one simple text file which is right on their computer, while a hidden input is harder to manipulate.
Originally posted by NarfIf you have a form, use to process 'preset' data. Basically, it's like a text input type, but one that already has data/a value and the user can't change it
Of yeah, and using cookies is a quick and dirty solution for this, but we DON'T WANT INSECURE SCRIPTS, RIGHT?!
I don't see how hidden form fields are more secure, considering you have to be just as careful with them as with cookies. They're just as easy to change, since all information that supposedly comes from the browser can be faked very easily using even generic tools such as curl.
Originally posted by NarfOn a side note, it is suspicious that you don't know about this while you programmed your own forum, which has various forms using the hidden input type. *rolls eyes*
I know how to use the hidden form type, but i didnt know how to make so i can come back again, do some more and come back again. etc.
If you have a form, use <input type="hidden" name="name_of_data" value="value_of_data" /> to process 'preset' data. Basically, it's like a text input type, but one that already has data/a value and the user can't change it
Of yeah, and using cookies is a quick and dirty solution for this, but we DON'T WANT INSECURE SCRIPTS, RIGHT?!
On a side note, it is suspicious that you don't know about this while you programmed your own forum, which has various forms using the hidden input type. *rolls eyes*
Using a memory buffer that's shared between different views of the script as you described is nearly impossible due to the stateless nature of HTTP.
If it's just a small amount of data, you can use a cookie to hold the information until it's finalized. That's what most shopping cart systems do. Or as someone else mentioned, you can use PHP sessions, which is even easier (and PHP hides the data on the server as long as the session is alive, instead of storing it in a cookie).
You can also consider using Javascript to dynamically add form fields until the user submits all of the options.
I want it to enter the database after all the changes have been made.
eg. i have an option i submit it, then submit another, and another. Then i clikc the finalize button, and then it inserts all of the options into the database.
what do you mean by not having it enter the database? if you don't call mysql functions in PHP, it never will enter the database. If you want data to remain through continous php processing, then just save your data inside the $_SESSION variable.
How does one make a memory sort of thing in PHP, like submiting something and then make it go into a buffer sort of thing without it actually going into the Database?
