#1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2003
    Posts
    34
    Rep Power
    16

    Question multipage form: sessions or hidden fields?


    Another implementation issue. I've got a registration form spread over 5 pages. As all 5 pages are filled out correctly the registration can be confirmed (after accepting the policy) and all entered data is to be inserted into the database.

    What would be the best way to pass the data across the 5 pages. Each page/form got about 10-20 entry fields. As registration is near complete it should also still be possible to move to one of the previous pages to alter some information.

    Been thinking of the following:
    1. Session variables
    2. Hidden form elements
    3. Session array
    4. Use the QueryString

    Option 4 is out of the question. First question is... sessions or hidden variables. What would be best? Some formfields may contain wicked weird names, not sure if I'd have to tackle them with some sort of html entity to make 'em fit in a hidden field without complaints.

    I'm not sure if it's just a personal issue whether to choose sessions or hidden fields. Right now I'm doing it as follows:

    Page 1: fill out the form, send to itself, if all entered information is valid set the session variables for all fields and proceed to the next page 2 (header redirect). Procedure repeats.

    Hidden fields seem troublesome as I would either have to use a single PHP file that covers all 5 sections or I would have to send the data to the next page for data-verifying to make the form values known by a following page. JavaScript checking is not the ideal solution as it can be deactivated and doesn't work well on all browsers.

    Plus... the amount of fields is not fixed. If the person defines a variable A as "yes" and B as "5" he would get e.g. 5 extra fields in a form that follows. Extra information that is required for a certain condition (A in this case).

    1) So is sessions the way to go here or should I avoid it like the plague?
    2) Second question is.... session arrays are a big plus and should be used if I've got fixed parts with the form (basic information) or should I avoid session arrays?

    A third question is as follows, and I noticed this as I was testing the sessions in my tryout form. I filled out some information on the first page (since there was no required-fields checking yet) and pressed Next on all following pages to get to the end... but there it showed a name and email address even though I hadn't specified them on page two. Basically empty session variables must have been set for those remaining pages since the form fields were empty. How can it be that I could have a name and email address specified for information then? Are session variables not unique or simply used by PHP if someone else starts another PHP application on another PC in the network?

    Okay.... a big post hopefully you say sessions are okay :P
  2. #2
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2003
    Location
    Indonesia
    Posts
    905
    Rep Power
    22
    combine session, hidden, and javascript
  4. #3
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2003
    Posts
    34
    Rep Power
    16
    Originally posted by tommy.pr
    combine session, hidden, and javascript
    I'm not sure I understand "combine". Why should I use hidden fields when I use sessions already? Hmm, do you mean something like this:

    - fill out form on page 1
    - check data with javascript
    - post-submit it to page 2 if checked okay
    - put posted fields as hidden fields in page 2

    but where do the sessions enter the scene then? If I use sessions what for should I still be using hidden fields then? As for javascript I'm okay, it would mean an extra datacheck before submitting it. What advantages are there using both? I'm not unsure where I should be using hidden fields instead of session variables. Can you tell me what you had in mind exactly?
  6. #4
  7. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2001
    Location
    Madrid, Spain
    Posts
    240
    Rep Power
    24
    Personally, I would use sessions.

    Hidden form values are risky, any user will see in the HTML code that you are using hidden form values, and (although I'm not 100% sure of this) could trick you by submitting new values for fields you've already javascript checked, which means you'd have to check every value in each of the 5 pages.

    I think it's better to use sessions, just create a session variable for each of the possible values, and generate one form or another based on the previous forms values. This also has the advantage of PHP checking, much safer than JS checking.

    I'd not mix hidden form values and sessions, sessions were designed to store data from one user while he stays on a site, which I think is exactly what you need.

    About your third question: maybe the session is still active when you did that test, make sure it doesn't remain active between tests, usually closing the browser window is enough, but you could also delete the session files (I suppose you, like most of us, work in a local server installed in your own computer).

    Hope any of this helps
    Last edited by Koas; June 24th, 2003 at 04:56 AM.
    --
    No, no... he's not dead, he's, he's restin'! Remarkable bird, the Norwegian Blue, isn'it, ay? Beautiful plumage!!
  8. #5
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2003
    Posts
    34
    Rep Power
    16
    Originally posted by Koas
    could trick you by submitting new values for fields you've already javascript checked, which means you'd have to check every value in each of the 5 pages.
    The disadvantage would simply be that it involves more data-processing with the created hidden fields and grabbing the values with $_POST all the time. Maybe some whizkid would be able to set some new value although I'm not sure how it'd be done, but yeah, I think sessions work cleaner. It takes a little more server resources I'd say, but less loading and vulnerability with the pages. Checking on all 5 pages, that would be evil.

    Originally posted by Koas
    About your third question: maybe the session is still active when you did that test, make sure it doesn't remain active between tests, usually closing the browser window is enough, but you could also delete the session files (I suppose you, like most of us, work in a local server installed in your own computer).
    Well I think I've solved the problem already. I perform tests on an intranet and there's more php applications residing there. An employee information application apparently also works with session variables and happens to give them the exact same name. That's how session name and email got set. Still annoying though since I have to make sure there won't be any other applications used on the same computer which use the same names for sessions.

    I wonder now if there's a way to stop this, besides using sessionnames nobody will ever think of using for another php application on the intranet. There are no protocols here in the company on how to name functions whatsoever.

    Thanks. I think for a part it is a matter of personal preference, but you have given me a few points that give credit to the use of sessions.

    Do you know by any chance if arrays in sessions are good or bad? Only of secondary importance right now though.
  10. #6
    Devshed Novice (500 - 999 posts)

    Join Date
    Feb 2003
    Location
    Indonesia
    Posts
    905
    Rep Power
    22
    It depends on the security level, that's why I choose combining.

    Let's just say you enter personal data. In that kind of form, as you see, there are fields that are not mandatory (for example: hair color). Now, why should we worry about someone "stealing" my hair color data? But for the crucial data, "yes", I suggest you use sessions.

    JavaScript? Use it for validating the entry of each field. For example, you don't want someone to fill in "asx" for the height field, do you?
  12. #7
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2003
    Posts
    34
    Rep Power
    16
    Well people can disable Javascript plus I've noticed that JS can give problems with some browsers. Not sure if it was a result of the security level of their browser or anything else, but there was nothing dodgy about the JS I used. And it remains necessary to do proper checking by PHP. Javascript would be optional for implementation.

    As for security-level no session will help you as they still have to be set with values sent through a form and thus could be sniffed. It'd be a matter of SSL imho.

    But thanks. How about arrays in session variables? In another forum or article someone was shouting not to use them if possible. I'm unsure why it was being discouraged. It concerned ASP though, but it kept me wondering if it's also discouraged for PHP. I don't see why though.
    Last edited by Ssy; June 24th, 2003 at 08:55 AM.
  14. #8
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2001
    Location
    Madrid, Spain
    Posts
    240
    Rep Power
    24
    I don't think there's any problem with arrays in session variables. I'm currently working in an online shop, and it uses an array to store the products the visitor selects. It works great. I don't know if ASP has any problems with them, but surely PHP hasn't.
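
The points raised in this thread (server-side checks on every step, arrays in session variables, and session values leaking in from another application on the same host), shown together as an added example that is not code from any poster. The key `regform_v1`, the session name `REGFORMSESSID`, the field names and the limits are assumptions; a distinct `session_name()` gives the application its own session cookie, and the nested key keeps its values apart from same-named variables even if a session is shared.

```php
<?php
// Added example: field names, limits and REGFORM_NS are assumptions.
const REGFORM_NS = 'regform_v1'; // this application's own session key

// Server-side checks for one step; browser-side JavaScript is never trusted.
function validate_step(int $step, array $post): array
{
    $clean = [];
    $errors = [];
    if ($step === 1) {
        $clean['name'] = trim((string)($post['name'] ?? ''));
        if ($clean['name'] === '' || strlen($clean['name']) > 100) {
            $errors['name'] = 'Name is required (max 100 bytes).';
        }
        $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            $errors['email'] = 'Invalid e-mail address.';
        }
        $clean['email'] = (string)$email;
    } elseif ($step === 2) {
        // Drives how many extra fields the next page renders, so bound it.
        $n = filter_var($post['extra_count'] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 10]]);
        if ($n === false) {
            $errors['extra_count'] = 'Must be a whole number from 0 to 10.';
        }
        $clean['extra_count'] = (int)$n;
    } else {
        $errors['step'] = 'Unknown step.';
    }
    return [$clean, $errors];
}

// Save a step only when it validated, nested under REGFORM_NS.
function store_step(array &$session, int $step, array $post): array
{
    [$clean, $errors] = validate_step($step, $post);
    if (!$errors) {
        $session[REGFORM_NS]["step$step"] = $clean;
    }
    return $errors;
}

// In a web request: session_name('REGFORMSESSID'); session_start();
// then pass $_SESSION. Here a constructed array stands in for it, already
// holding top-level values left behind by a different application.
$session = ['name' => 'Someone Else', 'email' => 'other@example.test'];
var_dump(store_step($session, 1, ['name' => 'Ann <b>', 'email' => 'ann@example.test']));
var_dump(store_step($session, 2, ['extra_count' => '500'])); // out of range, not stored
// Escape on output when re-displaying a stored value in a form field.
echo htmlspecialchars($session[REGFORM_NS]['step1']['name'], ENT_QUOTES, 'UTF-8'), "\n";
var_dump(isset($session[REGFORM_NS]['step2']));
```

Going back to an earlier page only re-runs `store_step()` for that step, so the stored array always holds the last values that passed validation.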
