Ok, I currently have three different pages in play here.

  1. Cigar.php - This is the individual cigar page, dynamically generated based on a GET Value
  2. Cigarreview.php - This is where a user goes to review a cigar. It has a drop down menu that pulls from the DB and based on which one the user selects, this value is passed to the #3 in the form of a POST value
  3. ProcessCigarReview - The script that actually processes the review, updates the db, works voodoo magic, etc

I would like to add an option on #1 to "Rate this Cigar" which would then redirect the user to #2 for a review. Once the user gets to #2, there would no longer be a dropdown menu, instead it would just be text with the name of the cigar and the applicable rating scale. I'm able to get this working no problem using a simple GET and if statement that checks to see if the GET value ISSET. The problem is #3. Currently that script looks for a POST value for the CigarID. I don't want to use a GET value to pass this info to the DB (for security reasons) and I also don't want to have a hidden form value.

Is there a way to get this value to pass that I'm not thinking of?

Applicable Code From #2

<?PHP

include 'dbconnection.php';

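if (isset($CigarID)) {
	
	// Force the ID to an integer before it goes into the SQL string
	$CigarID = (int) $CigarID;
	$query = "Select CigarID,CName FROM cigar WHERE CigarID = $CigarID";
	$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
	$row = mysql_fetch_row($result);
	// Escape the cigar name before writing it into the page
	echo htmlspecialchars($row[1]);
	echo "</td></tr>";
	
}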

else {

echo "<select name=\"Cigar\">";

$query = "Select CigarID,CName FROM cigar";
$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());
 
	echo("<option selected value=\"0\">Select Cigar</option>");
 
	if (mysql_num_rows($result) > 0) { 
		 while ($row = mysql_fetch_row($result)) {
			// Escape the cigar name before writing it into the page
			echo("<option value=\"$row[0]\">" . htmlspecialchars($row[1]) . " ($row[0])</option>");
		 }
	}
	else { 
      echo "No rows found!"; 
	} 
	mysql_free_result($result);

echo "</select></td></tr>";

}

?>

As far as I know, the only two possible ways to send data between two pages are using the GET and POST superglobal arrays. You can use AJAX to send information via POST, but that will only work if you're staying on the same page. The most common way to solve this problem is to hash the id string using something like md5 encryption and then decrypt the md5 string in the next page to get the value back. It's easy to do, and secure enough for most common tasks...

@RisTar: md5 is one way encryption (hashing). Decrypting it is close to impossible.

@Joel: How about storing the information in a session variable? In #3 you could check if the variable is set, and if it is, execute db query and reset it.

Sessions won't work if cookies are disabled in the browser.
You'd be surprised, some mobile phone browsers have cookies disabled by default!

I actually thought about setting it in the session; however, I'm worried that may cause a problem if a user rates multiple cigars while they are at the site. At the very least it would be a headache to manage because I would have to keep setting and un-setting variables in the session as the user navigates through the site.

If you want to keep the flow of your application as it is now, when the user clicks on the "Rate this Cigar" button and the cigar id is passed to the second page via a GET value e.g. ?CigarId=####

Then on the second page, if that get value is present, swap out the dropdown for the text field with the information and add in a hidden field with the same name as your drop-down.

When the form is posted it will process the form and the $_POST array will contain $_POST just as if it had been selected in the drop-down.

I thought about this but I've never been a fan of hidden values since they can be viewed in the source code. It appears though that this may be the only option without getting overly complicated. :-/

Having the value in a hidden input field would be no different than the user selecting it from a drop-down where it is also visible in the source.

If you inspect the source of most web forms you're going to commonly find the use of hidden input fields. This is why filtering/validating input and escaping your output is so important.

commented: exactly. +2
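
To illustrate the validate-input, escape-output point made in the answer above, here is an added example (not code posted by anyone in the thread) of how the processing script can treat the posted ID as untrusted, whether it came from the drop-down or a hidden field. Assumptions: PDO with an in-memory SQLite table stands in for the `cigar` table, the function name `find_cigar` is hypothetical, and the form field is named `Cigar` as in the posted `<select>`.

```php
<?php
// Added example. Sample rows and POST bodies below are constructed.

function find_cigar(PDO $db, array $post): ?array
{
    // 1. Validate: the ID must be a positive integer, whatever control sent it.
    $id = filter_var($post['Cigar'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Bind the value instead of interpolating it into the SQL string.
    $stmt = $db->prepare('SELECT CigarID, CName FROM cigar WHERE CigarID = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // 3. Reject well-formed IDs that do not exist in the table.
    return $row === false ? null : $row;
}

// Stand-in database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cigar (CigarID INTEGER PRIMARY KEY, CName TEXT)');
$db->exec("INSERT INTO cigar VALUES (1, 'Sample Robusto'), (2, 'Sample <b>Toro</b>')");

// Constructed POST bodies: one normal submission and three edited ones.
$submissions = [
    ['Cigar' => '2'],
    ['Cigar' => '2 OR 1=1'],
    ['Cigar' => '-5'],
    ['Cigar' => '999'],
];

foreach ($submissions as $post) {
    $cigar = find_cigar($db, $post);
    if ($cigar === null) {
        echo 'rejected: ' . var_export($post['Cigar'], true) . "\n";
        continue;
    }
    // 4. Escape on output: the name is data, not markup.
    echo 'accepted: ' . htmlspecialchars($cigar['CName'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

Only the first submission is accepted; the other three are rejected before any review would be written.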

Good point, I never really thought about it that way. ;)
