Solved

Calling another PHP Script

Posted on 2004-09-03
Last Modified: 2008-01-09
What is the best and most secure way to call a php script from another php script and pass it some variables?

Also, how can I check that the request to the second script came from the first script and not somewhere else?
Question by:Fatlog
14 Comments
 
LVL 27

Expert Comment

by:Diablo84
ID: 11971590
>>  What is the best and most secure way to call a php script from another php script and pass it some variables?

It depends on exactly what you're doing. The typical way of redirecting to a script is to use the header redirect, eg:

header("location: page2.php");
exit;

which MUST be called before any output, including PHP echo/print, HTML, new lines, etc.

However if you want the second file included within the first you can use include, eg:

include('page2.php');

With regards to passing variables you can use the query string. This will typically be done using a hyperlink, however if you do your processing prior to any output you can send them using the header too, eg:

$one = "value";
$two = "another value";

// urlencode() keeps spaces and special characters from breaking the query string
echo '<a href="page2.php?var1=' . urlencode($one) . '&amp;var2=' . urlencode($two) . '">link</a>';

Note the first variable can be joined to the string using ?variablename=value
Subsequent variables can be added using &variablename=value

On the second page you can then retrieve these values using

$variable = $_GET['var1'];
$variable2 = $_GET['var2'];


>> also, how can i check to that the request to the second script came from the first script and not somehwere else??

Some people will say use the HTTP_REFERER, however it is far less than reliable, so I always recommend using the sessions workaround...

page1.php

session_start(); //MUST be at top of page
$_SESSION['ref'] = $_SERVER['PHP_SELF'];

page2.php

session_start(); //MUST be at top of page
if (!isset($_SESSION['ref'])) {
 header ("location: page1.php"); //if the script didn't come from the last page then redirect to another page
 exit;
}

Note: you can add additional checks to this if you are controlling multiple pages, to ensure the user came from a specific page for different pages, however it's probably not needed.

Another note: If you are using sessions then you don't need to pass variables in the query string, you can just pass them in session variables, eg.

$_SESSION['variable_name'] = "value";

$_SESSION['variable_name']  will then be globally available on any page as long as you have initialized the session data (by adding session_start(); to the top of the page).
0
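Added example, not part of the thread: the session check from the comment above, written so that the marker is consumed on first use and carries the variables with it, so a reload or a later direct request to the second script finds nothing. `issue_handoff()`, `consume_handoff()` and the 30-second lifetime are assumptions, and `$session` stands in for `$_SESSION` so the block runs from the command line.

```php
<?php
declare(strict_types=1);

/** First script: record which script is handing off, plus the data to pass on. */
function issue_handoff(array &$session, string $from, array $data): void
{
    $session['handoff'] = [
        'from'    => $from,
        'data'    => $data,
        'expires' => time() + 30,   // assumed lifetime in seconds
    ];
}

/** Second script: return the data once, or null when there is no valid handoff. */
function consume_handoff(array &$session, string $expectedFrom): ?array
{
    $h = $session['handoff'] ?? null;
    unset($session['handoff']);     // single use: removed whether or not it is valid
    if (!is_array($h)) {
        return null;                // second script was requested directly
    }
    if (($h['from'] ?? null) !== $expectedFrom) {
        return null;                // handed off by a different script
    }
    if (($h['expires'] ?? 0) < time()) {
        return null;                // handoff is stale
    }
    return is_array($h['data'] ?? null) ? $h['data'] : null;
}

// Constructed demo: an empty array plays the role of a fresh $_SESSION.
$session = [];
var_dump(consume_handoff($session, 'page1.php'));          // direct request to page2
issue_handoff($session, 'page1.php', ['order_id' => 42]);  // page1 ran first
var_dump(consume_handoff($session, 'page1.php'));          // legitimate handoff
var_dump(consume_handoff($session, 'page1.php'));          // reload of page2
```

In a web request, call `session_start()` first and pass `$_SESSION` as the first argument.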
 
LVL 26

Expert Comment

by:ushastry
ID: 11971599

Hi,

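I'm not clear about your first query..

and about the second query,

It isn't reliable, still if you want to use it then check this..

<?php
// HTTP_REFERER is sent by the client and may be missing, so default to an empty string
$page = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

// eregi() was removed in PHP 7; stripos() does a case-insensitive substring check
if (stripos($page, "first.php") !== false)
{
    // escape the header before printing it, since it is client-controlled
    print ("you came from first page ..." . htmlspecialchars($page));
}else{
    print (" you came from anonymous " . htmlspecialchars($page));
}
?>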
0
 

Author Comment

by:Fatlog
ID: 11971719
Thanks for your replies.

I am aware of passing variables about using the ? and & method. However, from reading various sites it's suggested that it is not the most secure/safe way of doing this. I am just wondering if PHP has any fancy way of doing it??

Basically I have three PHP scripts that each perform a different function/process. The initial script accepts a request and validates the request. I use the HTTP_REFERER variable to check their domain. Valid connections will come from my own site so the HTTP_REFERER variable will work as it is enabled. I just check to make sure the connections come from my site. I do some other processing and create some variables.

I then want to call the next script in the processing, in effect passing control to it. I also need to pass the variables I have created to the second script. On the second script I need to check that it was called by the first script and not just called by someone, for example, typing in the URL of the script in the address bar.

Would I just be better banging it all into one script? Or, as suggested, using includes????

I'm open to any and all comments!!
0
 
LVL 2

Expert Comment

by:Rajkumar_G
ID: 11971827
If you are talking about posting values from an HTML form to PHP, then the secure way to post values is through the post method in the form tag.
And retrieving the values using $_POST in the PHP page in which the action is posted. GET method is not the secure way of passing values.


Or else, if you are talking purely about PHP pages, then you can use a hyperlink to pass values and redirect it using header("location:page2.php");
You can pass values in a hyperlink by

 <a href="page2.php?val1=$value1&val2=$value2">Click here</a>

This will post your values to the page named page2.php, but this is not that much secure as you will get the data in the URL. You can get these values in page2.php by using the $_GET method.
 I think this is what you asked for.
0
 

Author Comment

by:Fatlog
ID: 11971875
Sort of.

As soon as the user makes the request to the first script, that effectively ends their interaction with the scripts. The request will pass through the three scripts one by one without any more user interaction, so I can't use a hyperlink as this would require the user to press it to continue.

Basically I want to be able to call a PHP script in a similar way to how you would call another class/function of a class in Java or C. In effect I want to package the three scripts.
0
 
LVL 27

Expert Comment

by:Diablo84
ID: 11971905
Probably easiest to just process it all in one page then, and when doing something like this don't waste time passing variables in the query string, just go for all out sessions.

session_start(); //always at the top of the page

$_SESSION['variable'] = "value"; //assign session variables like this

If you need to do things on other pages you don't need to check the referer, just check to see if the session is set (if they haven't come from the initial page it won't have been set).

if (isset($_SESSION['variable'])) {
 //continue
}
else {
 //invalid access
}
0

 
LVL 27

Expert Comment

by:Diablo84
ID: 11971921
>> HTTP_REFERER variable will work as it is enabled

It's client side so don't make any assumptions about its reliability; for some users it will not be sent (due to various reasons such as an external program blocking it, one of the Norton titles apparently does this).
0
 
LVL 27

Expert Comment

by:Diablo84
ID: 11971935
Oh, by the way, supposing you have a form on the first page, on the second you would convert the post data to session variables and then, as I said, that data will be globally accessible around the rest of the pages on your site while the session is active.

eg (second page):

session_start();

$_SESSION['variable'] = $_POST['form_field_name'];

and so on for each
0
 
LVL 10

Accepted Solution

by:
eeBlueShadow earned 50 total points
ID: 11972868
The safest way to go about it is using includes. Any variables set in the script before the include() statement will be available in the included file.

To get around the "I don't want people to type the address in" problem, put the following statement in any *calling* files:

define("MYAPP_CALLING", true);

and this statement at the top of each of the *included* files

if(!defined("MYAPP_CALLING")) die("Hacking attempt!");

The MYAPP prefix is to ensure that no other constants are defined with the same name; you should change MYAPP to something unique to your use. For example, if I was writing the site for blah.com I might call the constant BLAH_COM_CALLING.

Hope this helps.
_Blue
0
 
LVL 10

Expert Comment

by:eeBlueShadow
ID: 11972879
*obviously, the define() statement has to be before the include() statement in the calling file
0
 
LVL 18

Expert Comment

by:arantius
ID: 11984684
For the files you include, put all code in a function() { }. If the script is called directly through a URL, the function will not be executed.
include() this file in the first, and at the appropriate time, call the function. Of course at that point, why separate it out into more than one file? (unless they are very long and this helps organization).
0
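Added example, not code from the thread: the two suggestions above combined, a guard constant checked with PHP's `defined()` plus an included file that contains only a function, with the data passed as an argument. The name `myapp_step2()` and the sample request are assumptions, and the included file is written to a temporary file only so that this single script runs on its own.

```php
<?php
declare(strict_types=1);

// Source of the included step. On a real site this is its own file,
// ideally stored outside the web root.
$stepSource = <<<'STEP'
<?php
// Guard: refuse to run unless a calling script defined the constant first.
if (!defined('MYAPP_CALLING')) {
    http_response_code(403);
    exit;
}
// Only a definition lives at file scope, so loading the file does no work by itself.
function myapp_step2(array $request): array
{
    return ['user' => $request['user'], 'status' => 'processed'];
}
STEP;

$stepFile = tempnam(sys_get_temp_dir(), 'myapp');   // unique temp name for the demo
if ($stepFile === false) {
    exit(1);
}
file_put_contents($stepFile, $stepSource);

// ---- calling script ----
define('MYAPP_CALLING', true);       // must come before the include
require_once $stepFile;

$validated = ['user' => 'alice'];    // constructed output of the first script's validation
$result = myapp_step2($validated);   // passed as an argument, not via globals or the URL
echo json_encode($result), PHP_EOL;

unlink($stepFile);
```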
 

Author Comment

by:Fatlog
ID: 11987708
just a thought...

haven't looked at it yet but php has objects (classes) doesn't it???

how does php facilitate object to object comms?
0
 
LVL 1

Expert Comment

by:x-tinct
ID: 12008141
It is really easy, as eeBlueShadow explains in the first line of his post. Just assign the variables before the include, like this:

--------- file one ---------
<?php

// do the login check

$calling_page = "pageOne"; // to see what page is calling in the second page
// add any other variables you want to send

include "pageTwo.php";
?>

-------end file one-------
-------- file two ---------
<?php

if( !isset($calling_page) ){
  // redirect or die or whatever you want
}

// do whatever you want with your variables defined in page one


?>
-------end file two-------


You may also do different things depending on which page called page two, with a switch.
0
