View Full Version : passing stuff through query strings

01-27-2010, 04:58 PM
i send users to pages based on what they did

header("Location: page2.php?error=Incorrect password.");

in page2.php i use $_GET[error] to display the error to the user.I have recently learned that this is a bad idea. In page2.php can i do something to minimize the risk?

01-27-2010, 05:08 PM
Being just a message, I don't see a problem with passing via get. The above won't work properly though, you'll likely want to urlencode the error message before sending it.

Otherwise, you can use a session.

// script calls session_start() usually at the top
// Something went wrong:
$_SESSION['error'] = 'Incorrect Password';
header("Location: page2.php");

// Also needs a session start at the top
if (isset($_SESSION['error']))
print $_SESSION['error'];

01-27-2010, 05:10 PM
I usually use sessions in order to send errors to a user using a template to output the error at the top of a page in bold colours no matter what page they are visiting (This is of course assuming you are using an MVC architecture)

01-30-2010, 05:35 PM
thanks. The problem is however, if i put errormessage as a session variable it gets shown in all pages!. any idea how to solve it?

01-30-2010, 05:37 PM
unset the error after you've displayed it

if(isset($_SESSION['error'])) {
echo $_SESSION['error'];