Dave Cameron

Reputation: 159

PHP storing input variable alternative

I am making a payment process/checkout system where a user is required to go through 3 separate pages (chooseplan.php -> payment-details.php -> confirm.php) before the checkout information is sent to PayPal.

Already in the first page (chooseplan.php) a user is required to pick a pricing plan, and that is being posted to payment-details.php in a form, such as:

<input type='hidden' name='plan' value='enterprise'>

From the payment-details.php I am retrieving it by $_POST to do validation and later drop it in an input tag again, just to be able to post it in a form (again) to the last page: confirm.php.

I was wondering if there is another way of storing this variable, rather than constantly reposting it, validating and creating another input field on every page it goes through. I would prefer not seeing the variable in the URL (GET). Also, without JavaScript or session.

Upvotes: 0

Views: 89

Answers (2)

PatomaS

Reputation: 1603

Sessions are the best way to go, but if you want to increase the security of the whole transaction, you can generate a token based on the data already selected, then keep that token in the session or a database.

Then you have two options. One is sending the token with the new form, including the hidden fields, and on the way back comparing the token with the one you already have: if it's different, then something happened and you abort; if it's the same, you generate the token again with the hidden data and compare it to the token saved, and if it's not the same, you abort. The second option is only sending the data, without the token, and saving one step.

Of course all the steps to generate a secure token have to be taken.

On each page you will generate a new token based on the new information.

I hope I explained myself clearly enough with all the back and forth.

Upvotes: 0

Ryan

Reputation: 3582

You can use a cookie, although they are easily modified by the client (but so is form data).

setcookie("plan", "plan id?", (time() + 3600));  /* Expires in 1 hour. */

You can then retrieve the plan like so:

echo $_COOKIE["plan"];

Upvotes: 1
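
Added example, not part of either answer: a stateless variant of the token check PatomaS describes, using a keyed HMAC (a swapped-in technique; the answer keeps the token in the session or a database) so that a changed hidden field, or a changed cookie value as in Ryan's answer, is detected. PLAN_SECRET, VALID_PLANS, the step labels and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: server-side secret loaded from configuration, never sent to the client.
const PLAN_SECRET = 'placeholder-load-32-random-bytes-from-config';
const VALID_PLANS = ['basic', 'pro', 'enterprise']; // constructed sample list

// Token binds the plan to the page that issued it and to an expiry time.
function plan_token(string $plan, string $step, int $expires): string
{
    return hash_hmac('sha256', $step . '|' . $expires . '|' . $plan, PLAN_SECRET);
}

// Build the hidden-field values for the next form.
function issue_plan_fields(string $plan, string $step, int $ttl = 3600): array
{
    if (!in_array($plan, VALID_PLANS, true)) {
        throw new InvalidArgumentException('unknown plan');
    }
    $expires = time() + $ttl;
    return ['plan' => $plan, 'expires' => (string) $expires,
            'token' => plan_token($plan, $step, $expires)];
}

// Return the plan if the posted fields are intact and unexpired, otherwise null.
function verify_plan_fields(array $in, string $step): ?string
{
    $plan = $in['plan'] ?? null;
    $expires = $in['expires'] ?? null;
    $token = $in['token'] ?? null;
    if (!is_string($plan) || !is_string($expires) || !is_string($token)) {
        return null; // missing field, or a non-string value such as an array
    }
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return null; // malformed or expired
    }
    if (!in_array($plan, VALID_PLANS, true)) { return null; }
    // hash_equals compares in constant time, so the check does not leak the token.
    return hash_equals(plan_token($plan, $step, (int) $expires), $token) ? $plan : null;
}

// Constructed demo: what chooseplan.php would emit and payment-details.php would check.
$fields = issue_plan_fields('enterprise', 'chooseplan');
foreach ($fields as $name => $value) {
    printf("<input type='hidden' name='%s' value='%s'>\n", $name, htmlspecialchars($value, ENT_QUOTES));
}
var_dump(verify_plan_fields($fields, 'chooseplan'));   // unmodified fields
$tampered = ['plan' => 'basic'] + $fields;             // plan swapped by the client
var_dump(verify_plan_fields($tampered, 'chooseplan'));
```

The token only shows that the server issued the value and that it has not changed since; the same fields can be resubmitted until they expire, so the final page still validates the plan before anything is sent on.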
