• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 429
  • Last Modified:

Calling another PHP SCript

What is the best and most secure way to call a php script from another php script and pass it some variables?

also, how can i check to that the request to the second script came from the first script and not somehwere else??
  • 4
  • 3
  • 2
  • +4
1 Solution
>>  What is the best and most secure way to call a php script from another php script and pass it some variables?

It depends on exactly what your doing. The typical way of redirecting to a script is to use the header redirect, eg:

header("location: page2.php");

which MUST be called before any output including php echo/print html and new lines etc

However if you want the second file included within the first you can use include, eg:


With regards to passing variables you can use the query string, this will typically be done usinga hyperlink however if you do your processing prior to any output you can send them using the header too, eg:

$one = "value";
$two = "another value";

<a href="page2.php?var1=$one&var2=$two">link</a>

Note the first variable can be joined to the string using ?variablename=value
Subsequent variables can be added using &variablename=value

On the second page you can then retrieve these values using

$variable = $_GET['var1'];
$variable2 = $_GET['var2'];

>> also, how can i check to that the request to the second script came from the first script and not somehwere else??

Some people will say use the HTTP_REFERER however it is far less then reliable so i always recommend using the sessions work around...


session_start(); //MUST be at top of page
$_SESSION['ref'] = $_SERVER['PHP_SELF'];


session_start(); //MUST be at top of page
if (!isset($_SESSION['ref'])) {
 header ("location: page1.php"); //if the script didnt come from the last page then redirect to another page

Note: you can add additional checks to this if you are controlling multiple pages to ensure the user came from a specific page for different pages  however its probably not needed.

Another note: If you are using sessions then you dont need to pass variables in the query string you can just pass them in session variables, eg.

$_SESSION['variable_name'] = "value";

$_SESSION['variable_name']  will then be globally available on any page as long as you have initialized the session data (by adding session_start(); to the top of the page).
UmeshMySQL Principle Technical Support EngineerCommented:


Im not clear about your first query..

and about second query,

It isn't reliable, still if you want to use then check this..

$page =  $_SERVER['HTTP_REFERER'];


    print ("you came from first page ...$page");

   print (" you came from anonymous $page");
FatlogAuthor Commented:
thanks for your replies

i am aware of passing variables about using the ? and & method. However, from reading various sites its suggested that it is not the most secure/safe way of doing this. i am just owndering if PHP has any fancy way of doing it??

basically i have three php scripts that each perform a different functiono/process. the initial script accepts a request and validates the request. I use the HTTP_REFERER variable to check their domain. valid connections will come from my own site so the HTTP_REFERER variable will work as it is enabled. i just check to make sure the connections come from my site. i do some other processing and create some variables.

i then want to call the next script in the processing. in effect passing control to it. i also need to pass the variables i have created to the second script. on the second script i need to check that it was called by the first script and not just called by someone for example typing in the URL of the script in the address bar.

would i just be better banging it all into one script? or as suggested using includes????

i'm open to any and all comments!!
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

If u r talking abt posting values from html form to php, then secure way to post values is through post method in form tag.
And retrieveing the values using $_POST  in the php page in which the action is posted. GET method is not the secure way of passing values.

Or else  if you are talking abt purely on php pages, then u can use hyperlink to pass values and redirect it using  headre("location:page2.php");
U can pass values in hyperlink by

 <a href="page2.php?val1=$value1&val2=$value2">Click here</a>

this will post your values to the page named page2.php. but this is not that much secure as u will get the data in the url. U can get these values in page2.php by using $_GET method.
 I think this is what you asked for.
FatlogAuthor Commented:
sort of

as soon as the user makes the request to the first script that effectively ends their interaction with the scripts. the request will pass through the three scripts one by one without any more user interaction. so i cant use a hyperlink as this would require the user to press it to continue.

basically i want to be able to call a PHP script in a similar way to how you would call another class/function of a class in java or c. in effect i want to package the three scripts.
Probably easiest to jhust process it all in one page then, and when doing something like this don't waste time passing variables in the query string just go for all out sessions.

session_start(); //always at the top of the page

$_SESSION['variable'] = "value"; //assign session variables like this

If you need to do things on other pages you don't need to check the referer just check to see if the session is set (if they havent come from the initial page it wont have been set).

if (isset($_SESSION['variable'])) {
else {
 //invalid access
>> HTTP_REFERER variable will work as it is enabled

Its client side so don't make any assumptions about its reliablity, for some users it will not be sent (due to various reasons such as an external program blocking it, one of the Norton titles apparently does this).
oh by the way suposing you have a form on the first page, on the second you would convert the post data to session variables and then, as i said, that data will be globally accessible around the rest of the pages yon your site while the session is active.

eg (second page);


$_SESSION['variable'] = $_POST['form_field_name'];

and so on for each
The safest way to go about it is using includes. Any variables set in the script before the include() statement will be available in the included file.

To get around the "I don't want people to type the address in" problem, put the following statment in any *calling* files:

define("MYAPP_CALLING", true);

and this statement at the top of each of the *included* files

if(!is_defined("MYAPP_CALLING")) die("Hacking attempt!");

the MYAPP prefix is to ensure that no other constants are defined with the same name, you should change MYAPP to something unique to your use, for example if I was writing the site for blah.com I might call the constant BLAH_COM_CALLING

Hope this helps.
*obviously, the define() statement has to be before the include() statement in the calling file
For the files you include, put all code in a function() { } .  If the script is called directly through a URL, the function will not be executed.
include() this file in the first, and at the appropriate time, call the function.  Of course at that point, why separate it out into more than one file? (unless they are very long and this helps organization).
FatlogAuthor Commented:
just a thought...

haven't looked at it yet but php has objects (classes) doesn't it???

how does php facilitate object to object comms?
It is really easy, as eeBlueShadow explains in the first line of his post. Just assign the variables before the include, like this:

--------- file one ---------

// do the login check

$calling_page = "pageOne"; // to see what page is calling in the second page
// add any other variables you want to send

include "pageTwo.php";

-------end file one-------
-------- file two ---------

if( !isset($calling_page) ){
  // redirect or die or whaterver you want

// do whatever you want with your variables defined in page one

-------end file two-------

You may also do different things depending on which page that called page two with a switch.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

  • 4
  • 3
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now