Reputation: 1312
I have two PHP pages: one displays the information about an object retrieved from a MySQL database and the other allows the user to edit it. The user is transferred from the first page (the view page) to the edit page upon clicking a hyperlink.
I would like to set the information retrieved from the database in session before passing on to the edit page so as to avoid an extra database call. How can I set an object in session upon a hyperlink click event? I know I could append the object as a variable to the GET request but is there a cleaner way than that?
Upvotes: 0
Views: 109
Reputation: 1312
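For those who may be looking for a code snippet to help do this - here it is.
Page 1 - this page just loads data from a DB and displays it in a non-editable mode on the screen. On this page we need a JavaScript function that can be activated when the hyperlink is clicked:
<script language="JavaScript" type="text/javascript">
function processEditLink() {
    // Inner json_encode() serializes the object; the outer one emits that JSON text as a quoted
    // JavaScript string literal (the JSON_HEX_* flags keep quotes and "</script>" from breaking out).
    var payload = <?php echo json_encode(json_encode($obj_), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
    // The key must be quoted: a bare S-Object is a syntax error because of the hyphen.
    $.post('process_session_put.php', {'S-Object': payload}, function () {
        // Redirect only after the POST has completed, so the session is populated first.
        window.location.href = 'edit_object.php';
    });
}
</script>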
To explain the above code - we are taking an object (referred to as obj_) and encoding it into the JSON version by using the inbuilt function json_encode. Remember to ensure your object implements JsonSerializable in order to accomplish this. After that we are passing that JSON string as a POST URI parameter via AJAX to a secret page called process_session_put.php. This call is never visible to the end user and happens secretly when the hyperlink is clicked. The secret PHP page will decode the JSON string back into the PHP object and put it in session for all to use. Finally, once that function is complete, the window redirects to the actual edit page that can access data from session and populate the screen.
Next we should modify the hyperlink to trigger this JavaScript function when it is clicked, as below:
<a class="edit-link" href="#" onclick="processEditLink(); return false;">[Edit]</a>
Finally - the PHP page called process_session_put.php - which actually does the background work of decoding the JSON string passed to it back into the object format and putting it in session
<?php
if (!isset($_SESSION))
{
    session_start();
}
// OBTAIN THE JSON STRING FROM POST URL, DECODE IT AND PUT IT BACK AS AN OBJECT IN SESSION
// (json_decode() returns a stdClass object; the value itself arrives from the browser)
$_SESSION["E-Object"] = json_decode($_POST["S-Object"] ?? 'null');
?>
Upvotes: 0
Reputation: 2066
Put the object into the session ($_SESSION['object'] = $object) when page one loads (or when you retrieve the object from the database). This way you avoid a second call to the database. If you want to place it into the session upon the click event, a second call would be necessary, since you would have to make an AJAX call to a PHP script that retrieves the object. However, this may only make sense if the user is expected to edit that information; otherwise it is just storing data in sessions for no reason, which may also expose security bugs. If your database call doesn't retrieve millions of records, or you don't have hundreds of millions of users editing data at the same time, I can assure you that the impact on performance of making a second call will go unnoticed.
Upvotes: 1
Reputation: 70863
Adding an object to the session:
$_SESSION['the_object'] = $object;
(Disclaimer: Will not work if the object contains any non-serializable components like closures)
Now when to do it? Actually, you have to do it on the page that shows the data, because if you do it later when the user clicks the edit link, this already triggers a new request which then would again go to the database - you'd have two requests (one for the list, one for the edit).
Generally, the edit link has the ID of the database entry to be edited. But pay attention to carefully check whether the user is allowed to have access or not, because MySQL will simply increment the ID, so it's easy to guess which IDs are valid. Anyone with a tiny bit of clue can modify an HTML form to tamper with IDs.
The approach with the session is somewhat easier: You only allow editing of what has been stored in the session, so the access control has to be done on the list page only.
Upvotes: 1
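The session-only approach from the last answer, sketched as an added example that is not code from any of the posts above: the view page stores the row server-side after its access check, and the edit and save steps accept an ID only if that row is already in the session. The function names, the 'editable' session key, the field names and the sample row are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: function names, the 'editable' session key and the sample row are assumptions.

// Under a web server the session must be started; on the CLI $_SESSION is a plain array.
if (PHP_SAPI !== 'cli' && session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// View page: call only after the row was loaded AND the access check for this user passed.
function remember_for_edit(array $row): void
{
    $_SESSION['editable'][(int) $row['id']] = $row;
}

// Edit page: the id comes from the link, the data comes only from the session.
function fetch_for_edit($requestedId): ?array
{
    $id = filter_var($requestedId, FILTER_VALIDATE_INT);
    if ($id === false || !isset($_SESSION['editable'][$id])) {
        return null; // not a row this user was shown on the view page: refuse
    }
    return $_SESSION['editable'][$id];
}

// Save handler: copy only the editable fields from the form; id and owner stay the session's.
function apply_edit($requestedId, array $post): ?array
{
    $row = fetch_for_edit($requestedId);
    if ($row === null) {
        return null;
    }
    foreach (['title', 'body'] as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $row[$field] = $post[$field];
        }
    }
    unset($_SESSION['editable'][$row['id']]); // one save per view; reload the view to edit again
    return $row; // caller persists this with a prepared UPDATE ... WHERE id = ?
}

// Constructed sample data standing in for the database row and the two requests (CLI demo only).
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    remember_for_edit(['id' => 7, 'title' => 'Old title', 'body' => 'text', 'owner_id' => 3]);
    var_dump(fetch_for_edit('8')); // id 8 was never placed in the session
    var_dump(apply_edit('7', ['title' => 'New title', 'id' => '8', 'owner_id' => '1']));
}
```

Because the object never travels through the browser, a tampered ID or extra form fields cannot change which row is edited or who owns it.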