Reputation: 1261
I'm using a 3rd party app that I need to integrate with my own app. In the 3rd party app, information is posted via a form and then re-directed to my site for further processing. The re-direct to my site will contain variables that I'll need from the form within the re-direct URL. However, I don't want the user who published the form to be able to view those variables.
If the re-direct link is hidden on the 3rd party app (i.e. it's not in the form), then one method that I thought which could work would be to direct the 3rd party app to a "pre-processing" script which does the following:
session_start();
$_SESSION['some_variable_to_save'] = $_GET['some_variable_to_save']; //properly sanitized!!
header('Location: where_i_really_want_to_process.php');
exit;
Then, in where_i_really_want_to_process.php I can process the session variables. Is this a secure method to ensure that the user never sees the $_GET variables?
Upvotes: 0
Views: 48
Reputation: 94682
Your suggestion of using $_SESSION seems to be the only solution. However, to make life a little easier and to cope with any changes that may occur, just put the whole $_GET array onto a session variable:
session_start();
// don't sanitize here; do it in where_i_really_want_to_process.php
$_SESSION['previous_GET'] = $_GET;
header('Location: where_i_really_want_to_process.php');
exit;
Upvotes: 2
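A worked version of the two-script flow from the question and this answer, added here as an example and not code from either poster. The file name `stash.php`, the expected form keys `order_id` and `email`, and the validation rules are assumptions; the point it shows is that the session only keeps the values out of the address bar, so the processing script still has to validate them as user input and should consume them once.

```php
<?php
// ===== stash.php (assumed name): the URL the third-party app redirects to =====
// Copies the entire query string into the session, then redirects so the
// processing page's URL carries no parameters for the user to bookmark or share.
session_start();
session_regenerate_id(true);            // fresh session id before storing data
$_SESSION['previous_GET'] = $_GET;      // stored raw; validated in the next script
header('Location: where_i_really_want_to_process.php', true, 303);
exit;

<?php
// ===== where_i_really_want_to_process.php =====
session_start();
$get = $_SESSION['previous_GET'] ?? null;
unset($_SESSION['previous_GET']);       // single use: a reload cannot replay it
if (!is_array($get)) {
    http_response_code(400);
    exit('Missing form data');
}

// Whitelist and validate each field the form is expected to send (assumed keys).
// The data came from the user's browser even though it arrived via the session.
$orderId = filter_var(
    $get['order_id'] ?? '',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
$email = filter_var($get['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($orderId === false || $email === false) {
    http_response_code(400);
    exit('Invalid form data');
}

// $orderId and $email are now validated; still escape them on output.
echo 'Processing order ' . htmlspecialchars((string) $orderId, ENT_QUOTES, 'UTF-8')
   . ' for ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
```

Because the browser arrives at `stash.php` from another site, the session cookie must be set with `SameSite=Lax` (not `Strict`) or it will not be sent on that top-level GET navigation and `previous_GET` will be empty in the second script.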
Reputation: 1306
It is physically impossible to "ensure" the user never "sees" some form of the data being passed if you have to have the user forward the data to you. They must see some form of the data, otherwise they can't turn around and tell your server what the data was.
If you could encrypt the data, that would effectively hide the data from the user (assuming you use good encryption). But you lack control of the third party, so this may not be viable.
Another option would be to find a third party you can trust to give limited db access, and have them contact your server directly instead of using the client as a middleman. Without knowing exactly what you're doing, I have no idea if this is viable.
If all you're doing is trying to protect "normies" from bookmarking the GET values, the shove-into-session-then-redirect trick is plenty. The only other option would be to write something js/ajax/whatever that does it client side; however, that's less transparent to the user than doing it serverside, as well as depending on the user not blocking your method of hand-waving. Very, very few people disable internal redirects.
I do endorse Riggs's method (shove all of $_GET into session instead of just the current key you want) over the solution in-question, however, as it lets you pretty much ignore this helper script for the life of the application.
Upvotes: 1
Reputation: 443
Try using the associative array of variables $_POST:
$_POST = $_GET;
$_GET = [];
header('Location: where_i_really_want_to_process.php');
exit;
Upvotes: -1