Passing PHP variables between pages through a link

06-01-2011, 02:39 PM
Hi there, I am looking for some information on how to pass a user's id number between pages on my website. I need to also do this through a link because it would be the edit and delete buttons. Now, I know the standard use GET or POST or Session variables, but I am having difficulty because GET seems to be the easiest way to do it yet I know it's insecure. Is there any way to make it any more secure, i.e. if a user changes the url it will just go back to a certain page? Or is there a way to create a POST form button each time for the edit and delete buttons and have the variables passed that way? Any help would be greatly appreciated.

06-01-2011, 02:50 PM
if a user changes the url it will just go back to a certain page?
Why don't you use sessions?

06-01-2011, 03:29 PM
How would I pass the session variable through a link?

06-01-2011, 04:04 PM
You wouldn't need to.

Session variables are available to any script on the server. They're basically an array that sits in a session file. Each visitor gets their own session and session file so the scripts only ever get the correct session data for each visitor.

You use it the same as any other array except you need to use session_start() near the top of each script that uses sessions.

That way you don't need to pass anything in the url or via post.

06-01-2011, 04:06 PM
pass user's id through session
pass 'delete' or 'edit' through GET

06-01-2011, 04:07 PM
Go through the examples provided at http://php.net/session_start, to get some idea.

06-01-2011, 04:25 PM
I fail to see how you consider a GET any less secure than a POST? I can send either to a server, if I know what it expects then I can push whatever I want to it. Sessions on the other hand would require a method of obtaining other session identifiers in order for me to hijack.
What it comes down to is really quite simple. It doesn't matter if you pass it by post or get. You can certainly chain post buttons to passthru on pages by providing a value based from a previous POSTed value. What you need to do is ensure you have proper privileges set up that prevent me from deleting a user by simply giving it a command and an id. That of course requires a login system to be implemented. If I were to give it a delete command and an id of 1, I'd expect that it will tell me I'm not privileged for the action requested (or be successful if it is).

06-01-2011, 04:30 PM
Okay because obviously I am not making myself clear. I know how to use session variables and have them already in the script. Here is the code that I am dealing with:

// user_id is an id number held in the session; cast it so it cannot alter the query
$query = "SELECT location_name, street FROM address WHERE user_id = '" . (int) $_SESSION['user_id'] . "'";
$data = mysqli_query($dbc, $query);
$address_array = array();

while ($row = mysqli_fetch_assoc($data)) {
    array_push($address_array, $row);
}

// loop through each array to create a table with the address info
echo '<table class="address_table">';
echo '<tr><th class="table_top" colspan="5"></th></tr>';
foreach ($address_array AS $address) {
    echo '<tr>';
    foreach ($address AS $item) {
        // escape stored values before writing them into the page
        echo '<td class="address">' . htmlspecialchars($item) . '</td>';
    }
    // one edit and one delete button per address row
    echo '<td class="edit"><a href="/settings/edit_address.php"><img src="images/edit_button.png" border="0" /></a></td>';
    echo '<td class="delete"><a href="/settings/delete_address.php"><img src="images/delete_button.png" border="0" /></a></td>';
    echo '</tr>';
}
echo '</table>';


I need some help in getting the address_id to pass through the links, edit and delete buttons. I know I have to add the address_id to the query, however, I also don't want this to be an item in the table, I just want it passed through the links.

Does this make it clear?

06-01-2011, 04:38 PM
Does this make it clear?

If only you'd posted that code in the first place...

echo '<td class="edit"><a href="/settings/edit_address.php?uid=__UserID__"><img src="images/edit_button.png" border="0" /></a></td>';
echo '<td class="delete"><a href="/settings/delete_address.php?uid=__UserID__"><img src="images/delete_button.png" border="0" /></a></td>';

Replace __UserID__ with the id of the user in the DB.

This doesn't make it any more secure though and frankly there isn't really a simple way you can make it more secure because one way or the other you still need to know which user's address you're referring to.

Then in your edit and delete address scripts you do this:
$UserId = $_GET['uid'];

Run it through mysql_real_escape_string and then run the query on it to get the address from the DB for your editor or to delete.

You claim you know how to use sessions, GET and POST so I am still puzzled how you couldn't understand this and why you seem irritated about us not understanding you.

06-01-2011, 04:42 PM
Looking back at your question up top, you could MD5 hash each user's id from the database, then store each id in the session using the hash as the session key.

Then in the URL you could use the hash instead of the actual user id.
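
The session-keyed lookup described in this post, as an added example that is not the poster's code. It swaps the MD5 of the id for a random token from random_bytes(), a substitution made here because a hash of a small integer can be recomputed by anyone; the function names, the `ref` parameter and the sample ids are assumptions, and $session stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example: $session stands in for $_SESSION after session_start().
$session = ['address_refs' => []];

// Return the token for $addressId, creating one the first time it is listed.
function ref_for(array &$session, int $addressId): string
{
    $token = array_search($addressId, $session['address_refs'], true);
    if ($token === false) {
        $token = bin2hex(random_bytes(16));   // unguessable, unrelated to the id
        $session['address_refs'][$token] = $addressId;
    }
    return $token;
}

// Map a token from the URL back to an id; null means "not issued to this session".
function resolve_ref(array $session, $token): ?int
{
    if (!is_string($token) || !isset($session['address_refs'][$token])) {
        return null;
    }
    return $session['address_refs'][$token];
}

// Listing page: the ids below are constructed and represent this user's own rows.
foreach ([41, 42] as $addressId) {
    $ref = ref_for($session, $addressId);
    echo '<a href="/settings/edit_address.php?ref=' . urlencode($ref) . '">edit</a>', "\n";
}

// edit_address.php: only tokens stored in this visitor's session resolve.
$issued = ref_for($session, 42);
var_dump(resolve_ref($session, $issued));      // token handed out above
var_dump(resolve_ref($session, md5('42')));    // guessed hash of the id
var_dump(resolve_ref($session, ['x']));        // malformed parameter
```

Because the map is filled only from rows already selected for the logged-in user, a token that resolves is also proof that this session was shown that address.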

06-01-2011, 04:47 PM
I am not irritated just frustrated. I am not looking to pass the user_id, I know I referenced that in the first post but that was just to use an example. In the code I posted above, I need to pass the address id for the particular address that I am looking to edit/delete. The edit and delete scripts will then either present a form with the address's information already filled in, or it will do a delete query where that particular address_id is in my db.
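
An added example, not code from any poster in this thread: one way the delete script can take address_id from the link and still refuse ids that belong to another user, by putting the session's user_id into the WHERE clause. It uses PDO with an in-memory SQLite table so it runs stand-alone (an assumption; the thread uses mysqli), and the sample rows, the function name delete_address() and the `address_id` URL parameter are constructed for illustration.

```php
<?php
// Added example. Table and column names follow the thread (address, address_id,
// user_id, location_name, street); the rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE address (address_id INTEGER PRIMARY KEY, user_id INTEGER,
           location_name TEXT, street TEXT)');
$db->exec("INSERT INTO address VALUES (1, 10, 'Home', '1 Example St'),
                                      (2, 10, 'Work', '2 Example Ave'),
                                      (3, 20, 'Home', '3 Sample Rd')");

/**
 * Delete one address, but only if it belongs to the logged-in user.
 * $rawId is the untrusted value from the link; $sessionUserId comes from
 * $_SESSION['user_id'], which the visitor cannot edit.
 */
function delete_address(PDO $db, $rawId, int $sessionUserId): bool
{
    // Accept only a positive integer; anything else is rejected outright.
    $addressId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($addressId === false) {
        return false;
    }
    // The ownership test is part of the query, so a changed id in the URL
    // matches zero rows unless that address is the caller's own.
    $stmt = $db->prepare('DELETE FROM address WHERE address_id = ? AND user_id = ?');
    $stmt->execute([$addressId, $sessionUserId]);
    return $stmt->rowCount() === 1;
}

// In delete_address.php these would be $_SESSION['user_id'] and $_GET['address_id'].
$sessionUserId = 10;
var_dump(delete_address($db, '2', $sessionUserId));            // own address
var_dump(delete_address($db, '3', $sessionUserId));            // another user's address
var_dump(delete_address($db, "1' OR '1'='1", $sessionUserId)); // not an integer
echo $db->query('SELECT COUNT(*) FROM address')->fetchColumn(), " rows left\n";
```

The same two-column WHERE clause works for the edit script's SELECT and UPDATE, so the id in the link never grants access on its own.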

06-01-2011, 06:05 PM
Well you can easily change that can't you. I only used the userid as an example.. it's not set in stone is it but apparently you can use that as an example but not me. Ok, that's fine..

I've given you an example of how to perform this, how to hide the id (of whatever) in the session now you have nothing to be frustrated about yet you pick fault with me for showing you how to pass an id.

Next time I'll just use $ID_of_Whatever then (if I bother to help at all).

No thanks needed for my time and effort..