Hi there

I'm having a bit of a problem. As the title suggests, I'm creating $_SESSION's such as

$_SESSION[''.$row[0].'']

dynamically which is working perfectly, but the problem is I don't know how to call that same variable on a template page that I click through to.

At the moment I have the following:

$query = "SELECT eid, title, content, image, image2 FROM diary WHERE eid = '".$_SESSION[''.$row[0].'']."'";

Clearly this isn't working because the session variable could be any of the id's pulled from the database on the previous page and therefore the template page shows no content. I need some way of tying the variable from the previous page to the variable on the template page without using symantic URL encoding.

Why dont you assign the value to a variable and then use that variable ?
Eg.

<?php  //page1.php
session_start();
$_SESSION['eid']="1234";
// rest of your code... 
?>
<?php //page2.php
session_start();
$eid=$_SESSION['eid'];
$query = "SELECT eid, title, content, image, image2 FROM diary WHERE eid ='$eid'";
// rest of your code
?>

Why dont you assign the value to a variable and then use that variable ?
Eg.

<?php  //page1.php
session_start();
$_SESSION['eid']="1234";
// rest of your code... 
?>
<?php //page2.php
session_start();
$eid=$_SESSION['eid'];
$query = "SELECT eid, title, content, image, image2 FROM diary WHERE eid ='$eid'";
// rest of your code
?>

Beacuse my code goes like this:

<?php  //page1.php
session_start();
// some code
//create query
$query = "SELECT eid, title, SUBSTRING(content, 1, 200), thumb_image FROM diary ORDER BY eid DESC";
// some more code
while($row = mysql_fetch_row($result))
	{
	if (!$_SESSION[$row[0]]) {
		$_SESSION[$row[0]] = $row[0];
	} 				
	//echo output here
	}
// rest of your code... 
?>

This is intended so that if I click on the link to the template page only the info relating to a particular eid will be displayed

How are you differentiating between different links ? Say you have 4 links ? Arent you passing some id for different links ?

And how will you know which $_SESSION[$row[0]] value has to be passed ?

Thats exactly what I'm trying to figure out. Is there no way of doing this without having the info attached to the URL?

I dont think so. hmmm.. There is a weird way of doing it (which I wouldn't prefer). I hope you are looping to print the urls. What you can do is, use onclick event, set $_SESSION[$row[0]] value to a hidden variable and submit the form. :S

<html>
<body>
<?php
//connection
//select db
$query="select eid from table";
$result=mysql_query($query);
while($row=mysql_fetch_array($result)){
echo "<form method=\"post\">";
echo "<input type=\"hidden\" name=\"eid\">";

echo "<a href=\"#\" onclick=\"javascript: document.form.eid.value='$_SESSION[$row[0]]'; document.form.action=\"template.php\"; document.form.submit();\">";
}
?>

As I said, this is the 'worst' way of doing it :P . But if you dont want to attach the info to the url, then you can do it this way ! I haven't tested the code(maybe the code wont even work!). Just giving you an idea on how it might work.
Cheers,
Naveen

Hmmm, not ideal as you've said. Is there any real chance that a semantic URL attack could happen if I put the eid in the URL? Or am I relatively safe?

You can have an array of all the eids and put it in a session. Then, everytime a user clicks on a link, check whether the eid is in the array of eids. If its present, then display respective page. Else, send the user to "you know where" ! Also, use mysql_real_escape_string or addslashes.

You can have an array of all the eids and put it in a session. Then, everytime a user clicks on a link, check whether the eid is in the array of eids. If its present, then display respective page. Else, send the user to "you know where" ! Also, use mysql_real_escape_string or addslashes.

So what I'd need to do is dynamically create a form around each row of info that is displayed, linking it to template.php, and then have code on template.php that searches for the row with the relevant eid and displays it?

No. you dont need a form if you are passing the eid in the url. While displaying the links, just concat eid at the end of the links and in template.php, check if that eid is in the session array of eids. If eid is in the array, fetch relevant details for that eid from the table and display it !

No. you dont need a form if you are passing the eid in the url. While displaying the links, just concat eid at the end of the links and in template.php, check if that eid is in the session array of eids. If eid is in the array, fetch relevant details for that eid from the table and display it !

I'm not quite following you. I'm feeling really blonde today :P Could you be so kind as to give a rough example of what you mean.

Okay !

<?php //page1.php
//connection
//select db
session_start();
$valid_eid=array();
$query="select eid,description from table";
$result=mysql_query($query);
while($row=mysql_fetch_array($result)){
	$eid=$row['eid'];
	$description=$row['description'];
	$valid_eid[]=$eid;
	echo "<a href=\"template.php?eid=$eid\">".$description."</a>"; //will display all the links
}
$_SESSION['eid_array']=$valid_eid;
?>
<?php //template.php
session_start();
//connection
//select db
$eid=mysql_real_escape_string($_REQUEST['eid']);
$valid_eid=$_SESSION['eid_array'];
if(in_array($eid,$valid_eid)){
	$query="select * from table where eid='$eid'";
	//fetch details and print
} else {
	echo "Eid is not valid !";
	exit; //or redirect the user to an error page. 
}
?>

Hope that helps !

Okay !

<?php //page1.php
//connection
//select db
session_start();
$valid_eid=array();
$query="select eid,description from table";
$result=mysql_query($query);
while($row=mysql_fetch_array($result)){
	$eid=$row['eid'];
	$description=$row['description'];
	$valid_eid[]=$eid;
	echo "<a href=\"template.php?eid=$eid\">".$description."</a>"; //will display all the links
}
$_SESSION['eid_array']=$valid_eid;
?>
<?php //template.php
session_start();
//connection
//select db
$eid=mysql_real_escape_string($_REQUEST['eid']);
$valid_eid=$_SESSION['eid_array'];
if(in_array($eid,$valid_eid)){
	$query="select * from table where eid='$eid'";
	//fetch details and print
} else {
	echo "Eid is not valid !";
	exit; //or redirect the user to an error page. 
}
?>

Hope that helps !

I see the eid is part of the URL. Would it display like that? If it does then I already have a way of doing that simply using $_GET.

page1's link:

<a href=www.example.com/template.php?eid=$eid />

page2 code:

//create query
$query = "SELECT eid, title, content, image, image2 FROM diary WHERE eid = '".$_GET['eid']."'";

Yep. You can do it that way. But the user can change eid to whatever value he wants ! My code will check if the eid is valid or not.

Yep. You can do it that way. But the user can change eid to whatever value he wants ! My code will check if the eid is valid or not.

Ok, so even if someone adds a valid eid into the URL it will give an error?

It wont. Because, it will check if the eid is valid. I am adding all the valid eids to an array remember :P. It will display the error message if eid is not in the array. So, this way, the user can't alter with eids !

It wont. Because, it will check if the eid is valid. I am adding all the valid eids to an array remember :P. It will display the error message if eid is not in the array. So, this way, the user can't alter with eids !

Thought as much :P Well thanks for all your help nav33n. Keep well.

Hi nav33n

I have one more question. If there is no check to see if the eid is valid does it pose any sort of security risk?

It depends on the loopholes in your script. It wont be a threat if you handle it in a right way.

thanks! lol..that makes me feel lil 'old'. :P

LOL...I'll send you a zimmerframe ;)

Hmmm, not ideal as you've said. Is there any real chance that a semantic URL attack could happen if I put the eid in the URL? Or am I relatively safe?

its not good to put info into url which u dont want others to know.

its not good to put info into url which u dont want others to know.

Ok, well eid isn't sensitive data so I'm not worried

This article has been dead for over six months. Start a new discussion instead.