PHP pass array through POST

Question

Which is the most secure way to send an array through POST   foreach   id as  array     lt input type  hidden  name  prova    value   lt  php echo  array    gt    gt     lt input type  submit  name  submit   gt    or using implode   to create a single variable  pass the variable and then use explode   to get back the values into a new array

User · Answer

http   php net manual en reserved variables post php  The first comment answers this    lt form      gt   lt input name  person 0  first name   value  john    gt   lt input name  person 0  last name   value  smith    gt       lt input name  person 1  first name   value  jane    gt   lt input name  person 1  last name   value  jones    gt   lt  form gt    lt  php var dump   POST  person      array   0   gt  array  first name   gt  john   last name   gt  smith    1   gt  array  first name   gt  jane   last name   gt  jones        gt    The name tag can work as an array

User · Answer

There are two things to consider  users can modify forms  and you need to secure against Cross Site Scripting  XSS    XSS  XSS is when a user enters HTML into their input  For example  what if a user submitted this value        gt  lt script type  text javascript  src  http   example com malice js  gt  lt  script gt  lt input value     This would be written into your form like so    lt input type  hidden  name  prova    value      gt  lt script type  text javascript  src  http   example com malice js  gt  lt  script gt  lt input value     gt    The best way to protect against this is to use htmlspecialchars   to secure your input  This encodes characters such as  lt  into  amp lt   For example    lt input type  hidden  name  prova    value   lt  php echo htmlspecialchars  array     gt    gt    You can read more about XSS here  https   www owasp org index php XSS  Form Modification  If I were on your site  I could use Chrome s developer tools or Firebug to modify the HTML of your page  Depending on what your form does  this could be used maliciously    I could  for example  add extra values to your array  or values that don t belong in the array  If this were a file system manager  then I could add files that don t exist or files that contain sensitive information  e g   replace myfile jpg with    index php or    db-connect php    In short  you always need to check your inputs later to make sure that they make sense  and only use safe inputs in forms  A File ID  a number  is safe  because you can check to see if the number exists  then extract the filename from a database  this assumes that your database contains validated input   A File Name isn t safe  for the reasons described above  You must either re-validate the filename or else I could change it to anything

User · Answer

You could put it in the session   session start      SESSION  array name      array name    Or if you want to send it via a form you can serialize it    lt input type  hidden  name  input name  value   lt  php echo htmlentities serialize  array name      gt     gt    passed array   unserialize   POST  input name       Note that to work with serialized arrays  you need to use POST as the form s transmission method  as GET has a size limit somewhere around 1024 characters   I d use sessions wherever possible

User · Answer

Why are you sending it through a post if you already have it on the server  PHP  side   Why not just save the array to s   SESSION variable so you can use it when the form gets submitted  that might make it more  secure  since then the client cannot change the variables by editing the source    It all depends on what you really want to do

User · Answer

Edit If you are asking about security  see my addendum at the bottom Edit  PHP has a serialize function provided for this specific purpose  Pass it an array  and it will give you a string representation of it  When you want to convert it back to an array  you just use the unserialize function    data   array  one   gt 1   two   gt 2   three   gt 33    dataString   serialize  data     send elsewhere  data   unserialize  dataString     This is often used by lazy coders to save data to a database  Not recommended  but works as a quick dirty solution   Addendum  I was under the impression that you were looking for a way to send the data reliably  not  securely   No matter how you pass the data  if it is going through the users system  you cannot trust it at all  Generally  you should store it somewhere on the server  amp  use a credential  cookie  session  password  etc  to look it up

[php] PHP, pass array through POST

Examples related to php

Examples related to arrays

Examples related to http

Examples related to post