Global vars

Posted on 2003-03-10
Medium Priority
Last Modified: 2013-11-18
Hi All,

I was just wondering what you lot would consider the correct way to pass $vars through a series of forms. Via Session vars, hidden form values or using the 'global' variable definition?


Question by:enune
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 8107910
I'd be inclined to pass it as a global variable. It's less likely to be tampered with than sending it through the querystring or form submit.


Expert Comment

ID: 8108238
i hope session is a very good idea to use and there is not much difference making a variable global or session
en is right

Accepted Solution

beachbum_boy earned 200 total points
ID: 8108561
This response is pretty extensive and I hope doesn't go beyond what you require (or understand).

The various methods of passing data basically all have a place depending on your application and as such there are a couple of things to consider:

PHP Global Variables: uses cookies but pretty secure.

The php global variables use cookies (under a normal configuration). So this means that for the session variables to work the client must be willing to accept session cookies from your site.

This also means that if the variable was being passed across multiple servers the session cookies need to be tweaked to work. Basically under the normal setup for php a file on the server with a unique id identifies which cookies go with which clients. So obviously this will be a problem across multiple servers because both servers need to be able to access the cookie data AND know the cookie id. Incidentally you can get around this by using a mysql backend for you cookie data.

In theory it would be possible under some circumstances to forge a cookie and get the cookie details of somebody else. Although this would be pretty difficult.

Another issue with session variables is that earlier versions of PHP did not have session variables.

Form Hidden Variables: no cookies, somewhat insecure.

The real advantage of passing form variables is that you don’t require cookies. Many people (including me) don’t allow cookies until something breaks and then I enable them as I choose.

Another advantage for some applications is that you can easily pass some variables in the url allowing skipping of some steps in a wizard for example without actually writing any code to handle this. Sure in the session variable case you could write code to allow this but with straight form vars in can happen automagically.

The main problem with form variables (related to the last advantage) is that even with POST forms the variable names are know simply by looking at the html generated. And as such can easily be forged.

You can get around these problems for some applications by checking the variable in your PHP code to make sure they are not going to cause anything crazy to happen. But generally is anything crazy is possible don’t use form variables.

Although I do use form variables a lot the main thing I hate about them is that you have to do all the lines for every hidden var in every form that they move through. This can be tedious exercise of cut and paste.


So summing up, if you want something to be secure as possible use session variables. If security doesn't matter then form vars may be slightly more robust.


Author Comment

ID: 8110544
Thanks for your opinion, all three of you!
The points were given to Beachbum_boy for having the most verbose answer :)

But my thanks go to all of you.


Expert Comment

ID: 8114845
I was thinking that beachbum's answer was quite good too - made me aware of a few things that I hadnt previously considered. Thanks!


Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question