#1
Transferring Variables

How in the world do I transfer variables from page to page? I'm creating a 40-question quiz, and I have divided it among 4 pages. Unfortunately, I'm not sure how I can transfer all the variables (after all, this is a quiz with many questions) from page to page. I have come up with 3 solutions:

1. hidden input fields - This is the easiest to sabotage.
2. cookies - Won't work if the user has cookies turned off.
3. sessions - If the user has cookies turned off, couldn't they just mess around with that random number in the URL?

Any other ideas? Thanks.
You're not supposed to be looking at this.
#2
PHP Sessions is the most practical solution

Out of the 3 methods you already mentioned, I would imagine that most programmers would settle for either 1 or 3.
I would also suggest using sessions... it's the most practical solution to your problem. I wouldn't worry about the user messing with their own session ids, but if you're still not convinced, I suppose you could include on each page a unique value (in the session data) that will verify the user is able to access the next set of questions. So in the event someone is twisted enough to send a fake session id midway, the script will halt and refer them back to the start. For a similar issue, I plan to use a temporary MySQL table - though I haven't really figured out exactly how I am going to accomplish this yet.

J de Silva
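One way to implement the sessions-plus-page-check approach suggested in this post, as an added example that is not code from the thread (quiz.php and results.php are assumed filenames):

```php
<?php
// quiz.php - added example, not code from the thread. Quiz answers live in
// $_SESSION and each page is gated by a server-side stage counter (the
// "unique value" idea from post #2), so editing the URL or a hidden field
// cannot skip ahead or overwrite an earlier page's answers.
declare(strict_types=1);
session_start();

const QUESTIONS_PER_PAGE = 10;   // 40 questions over 4 pages
const PAGE_COUNT = 4;
const CHOICES = ['a', 'b', 'c', 'd'];
if (!isset($_SESSION['quiz'])) {   // first visit: empty quiz state
    $_SESSION['quiz'] = ['stage' => 1, 'answers' => []];
}
$stage = $_SESSION['quiz']['stage'];
if ($stage > PAGE_COUNT) {         // every page submitted already
    header('Location: results.php');   // results.php is an assumed filename
    exit;
}
// The page the client asks for must be the page the session says it is on.
$page = (int)($_GET['page'] ?? $stage);
if ($page !== $stage) {
    header('Location: quiz.php?page=' . $stage);
    exit;
}
$first = ($page - 1) * QUESTIONS_PER_PAGE + 1;
$last  = $first + QUESTIONS_PER_PAGE - 1;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    for ($q = $first; $q <= $last; $q++) {   // only this page's questions
        $choice = $_POST["q$q"] ?? null;
        if (!in_array($choice, CHOICES, true)) {
            http_response_code(400);
            exit("Question $q needs an answer a-d.");
        }
        $_SESSION['quiz']['answers'][$q] = $choice;
    }
    $_SESSION['quiz']['stage'] = $page + 1;   // advance only after a valid submit
    header('Location: quiz.php?page=' . ($page + 1));
    exit;
}
// GET: render this page's answer form (question text is a placeholder).
echo '<form method="post" action="quiz.php?page=' . $page . '">';
for ($q = $first; $q <= $last; $q++) {
    echo "<p>Question $q:";
    foreach (CHOICES as $c) {
        echo " <label><input type=\"radio\" name=\"q$q\" value=\"$c\" required> $c</label>";
    }
    echo '</p>';
}
echo '<button type="submit">Next page</button></form>';
```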
#3
Yup, go for sessions. Any other option is just far too much effort on your part.
There is no real worry about a user messing with a session id, as they'd find it impossible to guess someone else's ID. I don't know if having a temporary table is a fantastic idea, for when people never complete it, there'll be rows of incomplete data you'll have to delete over time.

GF
#4
Hi,
Thanks for your input! I'm actually kinda relieved that you guys said "sessions", since that's what I already started doing. I'm just wondering... what exactly would happen if the user were to mess around with the session ID number?

You're not supposed to be looking at this.
#5
This is something I discovered from a PHP magazine called www.phparch.com which I'm considering subscribing to. (There's a free issue on the site as a preview)
There is a highly remote chance that a hacker can "issue" a session ID to a user visiting another site. Say for instance I have a link like www.desilva.biz PHP will use 1234 as the session ID, and the script will (quite correctly) treat you like you're not logged in. For a slightly flawed login system, simply calling session_start() will use the afore-set session ID 1234 by default, so that 1234 is now a logged-in session ID, which the hacker can now use (but he'd have to know when the user has logged in, and what page to request - not easy stuff, highly improbable) to pretend he's logged in. What you should do is ensure that a newly logged in user has a unique session ID, by passing something random to session_id() before you start the session.

Garth Farley
#6
|
||||
|
||||
|
I was always under the impression that the default session id generated by PHP was already random and unique, so I need a little bit more explanation here.
J de Silva
#7
Usually yes, but PHP cannot tell if the ID it's received is one it generated earlier, or something someone else made up.
If PHPSESSID is not set, when session_start() is called it creates a new random session id. But if it is already set by any means, and it doesn't matter how, it will use this value instead.

GF
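The defence described in posts #5 and #7, as an added example that is not code from the thread (login.php and quiz.php are assumed filenames and the demo account is constructed); session_regenerate_id() and session.use_strict_mode are the built-in PHP counterparts of "passing something random to session_id()" before starting the session:

```php
<?php
// login.php - added example, not from the thread. Closes the hole from
// post #5: PHP adopts whatever PHPSESSID it is handed (post #7), so the
// defence is to refuse IDs the server never issued and to hand out a fresh
// ID at the moment the user becomes logged in.
declare(strict_types=1);

// Accept only session IDs that already exist on the server; an unknown ID
// (one a hacker "issued" to the victim) is thrown away and regenerated.
ini_set('session.use_strict_mode', '1');
// Take the ID from the cookie only, never from the query string.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Assumed helper with a constructed demo account; a real system would
// compare against a stored password_hash() with password_verify().
function check_credentials(string $user, string $pass): ?int
{
    $demoUser = 'alice';
    $demoHash = password_hash('correct horse', PASSWORD_DEFAULT);
    return ($user === $demoUser && password_verify($pass, $demoHash)) ? 1 : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uid = check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '');
    if ($uid === null) {
        http_response_code(401);
        exit('Bad login');
    }
    // Key step: the pre-login ID, whatever its origin, must never become a
    // logged-in ID. session_regenerate_id(true) swaps in a fresh random ID
    // and deletes the old session data; it is the modern form of post #5's
    // "pass something random to session_id()" before starting the session.
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    header('Location: quiz.php');   // quiz.php is an assumed filename
    exit;
}
```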
#8
Hi Garth,
Thanks, but what happens when a user just fiddles around with the session ID number in the URL?

You're not supposed to be looking at this.
#9
Well usually there's a copy in a cookie, which is used by default. So playing with the query string has no effect. If not, then changing the Session ID is the same as being another user who is not logged in.
There is around a 1 in 62^16 (off the top of my head: 1 in 47672401706823533450263330816) chance of guessing a session ID of another person. You're more likely to win the lotto and get struck by lightning simultaneously.

GF
#10
|
||||
|
||||
|
From what I have seen of the way the PHP Sessions work (I use them on my site and on my blog), if someone were to "mess with" or change the Session ID nothing untoward would happen unless you count the user being logged off. If, as Garth pointed out, you were lucky enough to win the lotto and get struck by lightning at the same time, you could also change your session ID to be the same as someone else's who is currently using the system. In this instance, however, it STILL wouldn't affect much; it would just show them as being the other user and could POSSIBLY grant them access to that user's information and what have you. But, again, the chances of actually hitting someone else's session ID in this way are somewhere in the neighborhood of 999999999999999999999999 to 1 against. It is not impossible, just very VERY improbable!
Jay also mentioned that the session ID is randomly generated. Generally this statement is true, but you CAN specify the session ID manually in php.ini so that ALL session IDs are the same if you wanted to (dunno why you would want to so don't ask