01-27-2010, 04:58 PM
i send users to pages based on what they did
header("Location: page2.php?error=Incorrect password.");
in page2.php i use $_GET[error] to display the error to the user.I have recently learned that this is a bad idea. In page2.php can i do something to minimize the risk?
01-27-2010, 05:08 PM
Being just a message, I don't see a problem with passing via get. The above won't work properly though, you'll likely want to urlencode the error message before sending it.
Otherwise, you can use a session.
// script calls session_start() usually at the top
// Something went wrong:
$_SESSION['error'] = 'Incorrect Password';
// Also needs a session start at the top
01-27-2010, 05:10 PM
I usually use sessions in order to send errors to a user using a template to output the error at the top of a page in bold colours no matter what page they are visiting (This is of course assuming you are using an MVC architecture)
01-30-2010, 05:35 PM
thanks. The problem is however, if i put errormessage as a session variable it gets shown in all pages!. any idea how to solve it?
01-30-2010, 05:37 PM
unset the error after you've displayed it