Static Page A has a form with an action submitting to an Authorization page B which is a dynamic page. After authorization, B will redirect to a callback url C which is passed to B by A.
Besides redirecting to page C, B also posts some parameters indicating the auth state. uin is the most important parameter that will be used in the content of page C, namely the scripts. The scripts need uin to send Ajax requests later. Question is how can I pass uin to the static page C?
A quick and dirty idea I got is to wrap the static page C with a PHP file, and output the data in a hidden div for example:
<?php
$html = file_get_contents("callback.html")
$div = "<div stype='display:none' uin={$_POST['uin']}></div>"
//add this div to $html and print it, need a little more work to figure out how to do this
?>
Is there a better way of doing this, because this is sort of 'idiotic' I think...
3 Answers
Your code: (with stype typo fixed)
$div = "<div style=\"display:none\" uin={$_POST['uin']}></div>";
Looking at this code, the biggest problem I can see with it is that you're outputting a $_POST value without doing any escaping on it.
This is a potential security threat; consider what would happen if someone provided a form that posted to your site, with the uin value set to a string of HTML code, starting with > to close the div. Their code would appear in your site, exactly as if you'd put it there. With a careful bit of styling, they could use this to make your site look and behave however they want. Not great.
You can fix that by wrapping the $_POST variable in html_entities() so it is properly escaped when it is output to the site.
Or, in this case, since it is (or appears to be) a numeric ID value, you could simply cast it as an int to ensure that it contains no unwanted data, no matter what the actual post data contains:
$uin = (int)$_POST['uin'];
...and then use $uin in the output rather than the raw post data.
The second point I'd make is one of validity. uin is not a valid HTML attribute. It may work, but it's not valid. The correct standards-compliant way to do custom attributes in HTML is to use a data attribute, like so:
$div = "<div style=\"display:none\" data-uin={$uin}></div>";
... ie the names of all custom attributes should start with data-
This is recommended because it allows you to have custom attributes with the same name as real attributes without risking any problems. eg you could have data-style, without colliding with the real style attribute.
It also means that the HTML spec can have new attributes added to it without risking clashes with other people's code. eg if a future version of HTML includes a uin attribute that future browsers use to do something clever with the element, it would cause problems with your code. Those problems would not happen if you use data-uin. (okay, so uin is an unlikely name for a new standard HTML attribute, but the point stands)
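As an added example (not code from the question or any of the answers), here is a PHP wrapper that applies both points above: uin is validated as an integer before it reaches the page, and it is placed in a data-uin attribute. The file name callback.html comes from the question; the element id and the injection point before </body> are assumptions.

```php
<?php
// Added example: a callback wrapper that validates uin before it is
// inserted into the static page. callback.html is from the question;
// the element id "auth-state" and injecting before </body> are assumptions.
declare(strict_types=1);

// Accept only a non-negative integer. Anything else, including posted
// markup, is rejected instead of being echoed back into the page.
function sanitizeUin($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $value === false ? null : $value;
}

// Build the hidden element. The value is escaped even though it is already
// an int, so this stays safe if the validation rule is later relaxed.
function uinDiv(int $uin): string
{
    $escaped = htmlspecialchars((string) $uin, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div id="auth-state" style="display:none" data-uin="' . $escaped . '"></div>';
}

$uin = sanitizeUin($_POST['uin'] ?? null);
if ($uin === null) {
    http_response_code(400);
    exit('Missing or invalid uin');
}

$html = file_get_contents(__DIR__ . '/callback.html');
// Insert the element just before </body>; the page's scripts can read it with
// document.getElementById('auth-state').dataset.uin
echo str_replace('</body>', uinDiv($uin) . "\n</body>", $html);
```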
Perhaps you should store parameters from page B in the user session. Then on page C you can use these parameters (after calling session_start() before anything is output to the browser). Also, if you are using javascript, consider placing uin in a javascript variable instead of an html div. Something like <script type="text/javascript">var uin = 123; </script>.
You have syntax errors in your php code: you need to mask the quotes around your inline style and you forgot to add some semicolons:
<?php
$html = file_get_contents("callback.html");
$div = "<div style=\"display:none\" uin={$_POST['uin']}></div>";
//add this div to $html and print it, need a little more work to figure out how to do this
echo($html); // print variable $html
echo($div); // print variable $div
?>
stype--->style. :-)