Calling another PHP SCript

Posted on 2004-09-03
Last Modified: 2008-01-09
What is the best and most secure way to call a php script from another php script and pass it some variables?

also, how can i check to that the request to the second script came from the first script and not somehwere else??
Question by:Fatlog
  • 4
  • 3
  • 2
  • +4
LVL 27

Expert Comment

ID: 11971590
>>  What is the best and most secure way to call a php script from another php script and pass it some variables?

It depends on exactly what your doing. The typical way of redirecting to a script is to use the header redirect, eg:

header("location: page2.php");

which MUST be called before any output including php echo/print html and new lines etc

However if you want the second file included within the first you can use include, eg:


With regards to passing variables you can use the query string, this will typically be done usinga hyperlink however if you do your processing prior to any output you can send them using the header too, eg:

$one = "value";
$two = "another value";

<a href="page2.php?var1=$one&var2=$two">link</a>

Note the first variable can be joined to the string using ?variablename=value
Subsequent variables can be added using &variablename=value

On the second page you can then retrieve these values using

$variable = $_GET['var1'];
$variable2 = $_GET['var2'];

>> also, how can i check to that the request to the second script came from the first script and not somehwere else??

Some people will say use the HTTP_REFERER however it is far less then reliable so i always recommend using the sessions work around...


session_start(); //MUST be at top of page
$_SESSION['ref'] = $_SERVER['PHP_SELF'];


session_start(); //MUST be at top of page
if (!isset($_SESSION['ref'])) {
 header ("location: page1.php"); //if the script didnt come from the last page then redirect to another page

Note: you can add additional checks to this if you are controlling multiple pages to ensure the user came from a specific page for different pages  however its probably not needed.

Another note: If you are using sessions then you dont need to pass variables in the query string you can just pass them in session variables, eg.

$_SESSION['variable_name'] = "value";

$_SESSION['variable_name']  will then be globally available on any page as long as you have initialized the session data (by adding session_start(); to the top of the page).
LVL 26

Expert Comment

ID: 11971599


Im not clear about your first query..

and about second query,

It isn't reliable, still if you want to use then check this..

$page =  $_SERVER['HTTP_REFERER'];


    print ("you came from first page ...$page");

   print (" you came from anonymous $page");

Author Comment

ID: 11971719
thanks for your replies

i am aware of passing variables about using the ? and & method. However, from reading various sites its suggested that it is not the most secure/safe way of doing this. i am just owndering if PHP has any fancy way of doing it??

basically i have three php scripts that each perform a different functiono/process. the initial script accepts a request and validates the request. I use the HTTP_REFERER variable to check their domain. valid connections will come from my own site so the HTTP_REFERER variable will work as it is enabled. i just check to make sure the connections come from my site. i do some other processing and create some variables.

i then want to call the next script in the processing. in effect passing control to it. i also need to pass the variables i have created to the second script. on the second script i need to check that it was called by the first script and not just called by someone for example typing in the URL of the script in the address bar.

would i just be better banging it all into one script? or as suggested using includes????

i'm open to any and all comments!!
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Expert Comment

ID: 11971827
If u r talking abt posting values from html form to php, then secure way to post values is through post method in form tag.
And retrieveing the values using $_POST  in the php page in which the action is posted. GET method is not the secure way of passing values.

Or else  if you are talking abt purely on php pages, then u can use hyperlink to pass values and redirect it using  headre("location:page2.php");
U can pass values in hyperlink by

 <a href="page2.php?val1=$value1&val2=$value2">Click here</a>

this will post your values to the page named page2.php. but this is not that much secure as u will get the data in the url. U can get these values in page2.php by using $_GET method.
 I think this is what you asked for.

Author Comment

ID: 11971875
sort of

as soon as the user makes the request to the first script that effectively ends their interaction with the scripts. the request will pass through the three scripts one by one without any more user interaction. so i cant use a hyperlink as this would require the user to press it to continue.

basically i want to be able to call a PHP script in a similar way to how you would call another class/function of a class in java or c. in effect i want to package the three scripts.
LVL 27

Expert Comment

ID: 11971905
Probably easiest to jhust process it all in one page then, and when doing something like this don't waste time passing variables in the query string just go for all out sessions.

session_start(); //always at the top of the page

$_SESSION['variable'] = "value"; //assign session variables like this

If you need to do things on other pages you don't need to check the referer just check to see if the session is set (if they havent come from the initial page it wont have been set).

if (isset($_SESSION['variable'])) {
else {
 //invalid access
LVL 27

Expert Comment

ID: 11971921
>> HTTP_REFERER variable will work as it is enabled

Its client side so don't make any assumptions about its reliablity, for some users it will not be sent (due to various reasons such as an external program blocking it, one of the Norton titles apparently does this).
LVL 27

Expert Comment

ID: 11971935
oh by the way suposing you have a form on the first page, on the second you would convert the post data to session variables and then, as i said, that data will be globally accessible around the rest of the pages yon your site while the session is active.

eg (second page);


$_SESSION['variable'] = $_POST['form_field_name'];

and so on for each
LVL 10

Accepted Solution

eeBlueShadow earned 50 total points
ID: 11972868
The safest way to go about it is using includes. Any variables set in the script before the include() statement will be available in the included file.

To get around the "I don't want people to type the address in" problem, put the following statment in any *calling* files:

define("MYAPP_CALLING", true);

and this statement at the top of each of the *included* files

if(!is_defined("MYAPP_CALLING")) die("Hacking attempt!");

the MYAPP prefix is to ensure that no other constants are defined with the same name, you should change MYAPP to something unique to your use, for example if I was writing the site for I might call the constant BLAH_COM_CALLING

Hope this helps.
LVL 10

Expert Comment

ID: 11972879
*obviously, the define() statement has to be before the include() statement in the calling file
LVL 18

Expert Comment

ID: 11984684
For the files you include, put all code in a function() { } .  If the script is called directly through a URL, the function will not be executed.
include() this file in the first, and at the appropriate time, call the function.  Of course at that point, why separate it out into more than one file? (unless they are very long and this helps organization).

Author Comment

ID: 11987708
just a thought...

haven't looked at it yet but php has objects (classes) doesn't it???

how does php facilitate object to object comms?

Expert Comment

ID: 12008141
It is really easy, as eeBlueShadow explains in the first line of his post. Just assign the variables before the include, like this:

--------- file one ---------

// do the login check

$calling_page = "pageOne"; // to see what page is calling in the second page
// add any other variables you want to send

include "pageTwo.php";

-------end file one-------
-------- file two ---------

if( !isset($calling_page) ){
  // redirect or die or whaterver you want

// do whatever you want with your variables defined in page one

-------end file two-------

You may also do different things depending on which page that called page two with a switch.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question