TalkPHP


sarmenhb 05-17-2008 12:44 AM

can someone write an article regarding passing variables from one page to another
 
Can someone write an article about all the different and secure ways to pass a variable from one page to another, and how the professionals do it?

thanks

Including how ids are passed from one page to another and how to secure a hidden textbox if it is being passed with that method.

Village Idiot 05-17-2008 01:26 AM

Here is a basic overview of how it's done:

GET: Those names after the ? on the URL. Can be easily edited.
POST: Sent from page to page apart from the URL. It is, however, still passed by the browser. If passed from multiple pages, hidden forms can be used to continue the chain. Not quite as easy to forge as GET, but still very possible to forge to what you want. It also becomes very cumbersome to pass multiple values over many pages.
Sessions: Cannot be edited by the client without the help of a server-side script. While the data cannot be accessed and modified by the client after it has been set, it is difficult to confirm you are indeed talking to the same person since HTTP is a non-persistent protocol (it has no way of saying for sure who is who). Sessions can be hijacked if the proper measures are not taken into consideration. And like the other methods, the content of the container is only as safe as the script that places it in.

It is all about what you are passing that determines how you do it. I tend to pass small things via GET, and most of my AJAX calls are via GET. POST is better for larger things (like posts on forms) and sessions are great for passing things through many pages since you don't have to continue with hidden forms.

One thing remains consistent no matter which you use: you must verify your data when it is received. Just assume the hacker can put whatever he wants in the value. Like many other things in programming, there is no right way to do it, but there are many wrong ways.
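
An added example, not part of the thread or either poster's code: one way to apply the "verify your data when it is received" advice in PHP, checking an id that arrives via GET or a hidden POST field and comparing it with a value kept in the session. The function names, the `article_id` field and the `allowed_ids` session key are assumptions made for illustration.

```php
<?php
// Added example. read_id(), remember_allowed_ids(), accept_hidden_id(),
// 'article_id' and 'allowed_ids' are hypothetical names, not from the thread.

/**
 * Read an integer id from client-supplied input (a GET or POST array).
 * Returns the id, or null when it is missing or not a positive integer.
 */
function read_id(array $input, string $key): ?int
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null; // missing, or an array such as ?id[]=1
    }
    $id = filter_var($input[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Page 1: store server-side which ids this visitor may act on, so the
 * hidden field in the form is only a pointer and not the authority.
 */
function remember_allowed_ids(array &$session, array $ids): void
{
    $session['allowed_ids'] = array_map('intval', $ids);
}

/**
 * Page 2: accept the hidden field only if it is well-formed AND matches
 * what the server stored in the session on the previous page.
 */
function accept_hidden_id(array $post, array $session): ?int
{
    $id = read_id($post, 'article_id');
    if ($id === null) {
        return null;
    }
    $allowed = $session['allowed_ids'] ?? [];
    return in_array($id, $allowed, true) ? $id : null;
}

// Constructed sample requests standing in for $_GET, $_POST and $_SESSION.
$session = [];
remember_allowed_ids($session, [12, 15]);

var_dump(read_id(['id' => '15'], 'id'));                       // well-formed GET value
var_dump(read_id(['id' => '15 OR 1=1'], 'id'));                // edited URL value
var_dump(accept_hidden_id(['article_id' => '15'], $session));  // untouched hidden field
var_dump(accept_hidden_id(['article_id' => '99'], $session));  // forged hidden field
```

In a real page the arrays would be `$_GET`, `$_POST` and `$_SESSION` after `session_start()`; they are passed as parameters here so the checks can be run from the command line.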

sarmenhb 05-17-2008 06:09 AM

Thank you, that's what I needed to know. When I am programming I always try to think of how a professional programmer would do things, but I guess everyone is in the same shoe and there isn't just one way of doing something.

One thing I did wonder was, I have a login script and I use cookies to keep a user's session alive. What are the possible chances that would deny a user to use cookies besides having them disabled? Is there a risk to them?


thanks

Village Idiot 05-18-2008 12:49 AM

Users who disable cookies don't really have to be catered to. Besides being smaller than non-javascript users, they normally know that they can't do many things on the web.

