Article:
  The PHP Scalability Myth
Subject:   Hidden variables for session state?
Date:   2003-10-17 12:09:23
From:   anonymous2
Response to: Hidden variables for session state?

My dear person... To keep the user from inserting "anything" they want one only needs to restrict hidden fields to a known set of responses AND restrict their use to the $_POST['<variable_name>'] usage type. These two things coupled make for a situation that is quite annoying to those who would "put anything they want" in the hidden field value. Have a nice day.
  • Hidden variables for session state?
    2003-10-17 12:32:11  anonymous2

    How about a known set of responses for, say, a price? Any non-combo-box sort of data? A credit card? There's plenty of data where it's not so easy to know what's valid and what's not. Just because there are, say, four known responses, it doesn't mean that any of the four are really appropriate for the current user. As far as POST vs. GET... I can submit anything I want (with any claimed User-Agent) via POST with HTTPUnit.

    Not to mention the overhead of taking a complex set of data, serializing it to something that is acceptable to HTTP forms, and then deserializing it back to object-land when the request is submitted. If you're a simple online store, sure, PHP and the bad patterns you suggest will suffice. Write a very complicated enterprise app that has to support tens of thousands of concurrent users with failover with PHP and then come back. You can unplug the LAN cable from a server mid-request and WebLogic will fail over without a hitch. Stick that in your crack pipe and smoke it.
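The two posts above disagree on whether hidden form fields can be made safe. The following is an added example, not code from either poster or from the article under discussion, showing the three server-side handling patterns the exchange points at: an allow-list for a hidden field whose valid values are enumerable (the first post's suggestion), a server-side catalogue lookup for a value such as a price that the client must never be trusted with (the second post's objection), and an HMAC-signed hidden field for state that genuinely has to round-trip through the browser. The function names, the catalogue contents, the secret and the sample `$_POST` arrays are all constructed for this example.

```php
<?php
// Added example (not from the thread). Assumptions: CATALOGUE, HMAC_SECRET and
// the $good/$bad request arrays below are constructed sample data; the function
// names are hypothetical.
declare(strict_types=1);

// Case 1: the hidden field carries a choice from a small, enumerable set.
// Accept only a value that is exactly one of the known responses, read from
// $_POST (not $_REQUEST, which would also accept GET and cookie values).
function hiddenChoice(array $post, string $name, array $allowed): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    // Strict comparison: the string "1" must not match the integer 1 or true.
    return in_array($post[$name], $allowed, true) ? $post[$name] : null;
}

// Case 2: the value is not enumerable (a price, an order total). The client is
// never authoritative for it: accept only a product id, validate that against
// the catalogue keys, and take the price from the server side.
const CATALOGUE = [                       // constructed sample data
    'sku-1001' => ['price_cents' => 1999],
    'sku-1002' => ['price_cents' => 4500],
];

function priceFromPost(array $post, array $catalogue): ?int
{
    $sku = hiddenChoice($post, 'sku', array_keys($catalogue));
    return $sku === null ? null : $catalogue[$sku]['price_cents'];
}

// Case 3: multi-step state that must travel through the browser. Sign it with
// an HMAC under a secret that never leaves the server, so any edit to the
// hidden field is detected. (Keeping the state in $_SESSION and sending only
// an opaque session id is the other common option.)
const HMAC_SECRET = 'REPLACE-WITH-A-RANDOM-SERVER-SIDE-SECRET'; // placeholder

function signState(array $state, string $secret): string
{
    $payload = base64_encode(json_encode($state));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function verifyState(string $field, string $secret): ?array
{
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // Constant-time comparison; a plain === would leak timing information.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $json = base64_decode($payload, true);
    if ($json === false) {
        return null;
    }
    $state = json_decode($json, true);
    return is_array($state) ? $state : null;
}

// Demonstration with constructed requests: $good is a well-formed submission,
// $bad carries values outside the allowed sets and a client-supplied price.
$good = ['sku' => 'sku-1002', 'shipping' => 'ground'];
$bad  = ['sku' => 'sku-9999', 'price' => '1', 'shipping' => 'free-for-me'];

echo 'shipping (good): ', var_export(hiddenChoice($good, 'shipping', ['ground', 'express']), true), "\n";
echo 'shipping (bad):  ', var_export(hiddenChoice($bad, 'shipping', ['ground', 'express']), true), "\n";
echo 'price (good):    ', var_export(priceFromPost($good, CATALOGUE), true), "\n";
echo 'price (bad):     ', var_export(priceFromPost($bad, CATALOGUE), true), "\n";

$signed   = signState(['step' => 2, 'sku' => 'sku-1001'], HMAC_SECRET);
$tampered = 'X' . $signed; // any change to the payload invalidates the MAC
echo 'state (intact):   ', var_export(verifyState($signed, HMAC_SECRET), true), "\n";
echo 'state (tampered): ', var_export(verifyState($tampered, HMAC_SECRET), true), "\n";
```

Note that the allow-list in case 1 only answers the "four known responses" objection partially, as the second post says: membership in the set proves the value is well-formed, not that it is appropriate for this user. Whether a given user may pick `express` shipping, or which SKU they are allowed to order, is a separate authorization decision made against server-side data, never against the hidden field.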