28

Which is the most secure way to send an array through POST?

foreach ($id as $array)
{
<input type="hidden" name="prova[]" value="<?php echo $array; ?>"/>
}
<input type="submit" name="submit"/>

or using implode() to create a single variable, pass the variable and then use explode() to get back the values into a new array?

Improve this question
9
  • 1
    What do you think is inherently insecure about passing an array via POST? It's just data. Commented Dec 28, 2012 at 15:14
  • 2
    I usually like to json_encode() things. Then json_decode() with option true to get it back out. Commented Dec 28, 2012 at 15:15
  • 2
    Your use of the word secure in this context makes no sense. What is your concern? Commented Dec 28, 2012 at 15:16
  • 2
    securing the shop does not mean we lock shop all time .. it mean keep eye on customer ..by camera Commented Dec 28, 2012 at 15:16
  • 1
    Please expand on this question. Why do you need to pass the array? What "security" are you looking for? What does the array contain? What is the context of the application? With it as it is now, it's very vague and won't get you a good answer... Commented Dec 28, 2012 at 15:27

5 Answers 5

Reset to default
33

Edit If you are asking about security, see my addendum at the bottom Edit

PHP has a serialize function provided for this specific purpose. Pass it an array, and it will give you a string representation of it. When you want to convert it back to an array, you just use the unserialize function.

$data = array('one'=>1, 'two'=>2, 'three'=>33);
$dataString = serialize($data);
//send elsewhere
$data = unserialize($dataString);

This is often used by lazy coders to save data to a database. Not recommended, but works as a quick/dirty solution.

Addendum

I was under the impression that you were looking for a way to send the data reliably, not "securely". No matter how you pass the data, if it is going through the users system, you cannot trust it at all. Generally, you should store it somewhere on the server & use a credential (cookie, session, password, etc) to look it up.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

If I encountered this requirement now, I might attempt to use some form of cryptographic signature to validate the data.
20

http://php.net/manual/en/reserved.variables.post.php

The first comment answers this.

<form ....>
<input name="person[0][first_name]" value="john" />
<input name="person[0][last_name]" value="smith" />
...
<input name="person[1][first_name]" value="jane" />
<input name="person[1][last_name]" value="jones" />
</form>

<?php
var_dump($_POST['person']);

array (
0 => array('first_name'=>'john','last_name'=>'smith'),
1 => array('first_name'=>'jane','last_name'=>'jones'),
)
?>

The name tag can work as an array.

Improve this answer

Comments

16

You could put it in the session:

session_start();
$_SESSION['array_name'] = $array_name;

Or if you want to send it via a form you can serialize it:

<input type='hidden' name='input_name' value="<?php echo htmlentities(serialize($array_name)); ?>" />

$passed_array = unserialize($_POST['input_name']);

Note that to work with serialized arrays, you need to use POST as the form's transmission method, as GET has a size limit somewhere around 1024 characters.

I'd use sessions wherever possible.

Improve this answer

2 Comments

SESSION is more secure than to store data in input type so SESSION is server side so user can not change it. Agree with you @laxonline
I have one question here. If there are thousands of input in the form, is the same thing gonna work?
10

There are two things to consider: users can modify forms, and you need to secure against Cross Site Scripting (XSS).

XSS

XSS is when a user enters HTML into their input. For example, what if a user submitted this value?:

" /><script type="text/javascript" src="http://example.com/malice.js"></script><input value="

This would be written into your form like so:

<input type="hidden" name="prova[]" value="" /><script type="text/javascript" src="http://example.com/malice.js"></script><input value=""/>

The best way to protect against this is to use htmlspecialchars() to secure your input. This encodes characters such as < into &lt;. For example:

<input type="hidden" name="prova[]" value="<?php echo htmlspecialchars($array); ?>"/>

You can read more about XSS here: https://www.owasp.org/index.php/XSS

Form Modification

If I were on your site, I could use Chrome's developer tools or Firebug to modify the HTML of your page. Depending on what your form does, this could be used maliciously.

I could, for example, add extra values to your array, or values that don't belong in the array. If this were a file system manager, then I could add files that don't exist or files that contain sensitive information (e.g.: replace myfile.jpg with ../index.php or ../db-connect.php).

In short, you always need to check your inputs later to make sure that they make sense, and only use safe inputs in forms. A File ID (a number) is safe, because you can check to see if the number exists, then extract the filename from a database (this assumes that your database contains validated input). A File Name isn't safe, for the reasons described above. You must either re-validate the filename or else I could change it to anything.

Improve this answer

1 Comment

htmlspecialchars() should be applied to all user inputs. StackOverflow probably does something similar to your username: it's written everywhere, so it must not be malicious HTML. Users can modify any HTML that they are looking at. I did this to fake a high score on one of the Google Olympics games: sphotos-b.xx.fbcdn.net/hphotos-ash4/… Forms are special because they contain input that users are sending back to the server. You need to check each input that they send to you to make sure that it makes sense, or people will hack your site.
7

Why are you sending it through a post if you already have it on the server (PHP) side?

Why not just save the array to s $_SESSION variable so you can use it when the form gets submitted, that might make it more "secure" since then the client cannot change the variables by editing the source.

It all depends on what you really want to do.

Improve this answer

4 Comments

Sessions and post data are two very different things that should be used for different data. Saying just save the array to the session variable is ignoring the differences between them. It may be right, or it may be wrong. From the question provided, we simply can't tell...
I thought also of that, but if I forget to clear the $_SESSION variable, or if happens something that prevents it, that would be a problem
@user1722791 and if a client changes the values that are in you hidden inputs, you also can get messed up.
After reading everything, seems that $_SESSION is the one most preferable. I'll try with this one.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.