www.webdeveloper.com
Results 1 to 7 of 7

Thread: Load PHP in iframes and passing variables?

  1. #1
    Join Date
    Jan 2004
    Posts
    18

    Load PHP in iframes and passing variables?

    Problem
    I need to load php in an iframe and pass variables. Below is a simple html working example of an <iframe> definition where "start.php" is the file to load. How do I modify the code to where I can discretely pass the variables $user and $pass and what method would I use to retrieve them in start.php ($HTTP_POST or $HTTP_GET)?


    HTML
    Code:
    <iframe 
    	src="start.php" 
    	scrolling="no" 
    	id="test" 
    	name="test" 
    	height="200" 
    	width="200" 
    	marginwidth="0" 
            marginheight="0" 
    	frameborder="0">
    </iframe>
    Thanks to anyone for their time.

    Robert

  2. #2
    Join Date
    Jan 2004
    Location
    edisto island, SC
    Posts
    21
    are you wanting a viewer of this start.php page to input the vars? or are they values that are preset that you simply need to securely get into your start.php script??

  3. #3
    Join Date
    Jan 2004
    Posts
    18
    I want to pass user and pass variables to start.php. For example:

    Code:
    <iframe 
    	src="start.php$user=someuser&pass=somepass" 
    	scrolling="no" 
    	id="test" 
    	name="test" 
    	height="200" 
    	width="200" 
    	marginwidth="0" 
            marginheight="0" 
    	frameborder="0">
    </iframe>
    But I don't want the variables to appear in the address bar of the web browser. How can I accomplish this?

  4. #4
    Join Date
    Jan 2004
    Location
    edisto island, SC
    Posts
    21
    you need to include a form of some sort in your HTML with it's action attribute set as "start.php"

    your method in the FORM element could be "get" or "post" and this would determine whether you'd need to retrieve the variables using one or the other.

    your variable values would be set as values in "hidden"-type input elements in the form, and then you'd access the variables in your start.php script by simply referring to them as $_POST['input_element_name'] or $HTTP_POST_VARS['input_element_name'] depending on how your PHP server is running.

    when you submit the form, it will reload your start.php code, but then you'll have the variables available through the method above.



    if you want to securely pass some $pass var to the script, you'll need to encrypt that $pass var and store it in a database or something and call it up from there. if you place it in the form is i outlined above, anyone can view your HTML and see the password.

  5. #5
    Join Date
    Jan 2004
    Posts
    18
    Good point. I just checked "view source" and you can see the password. I'm using mysql as the database. What harm would there be in passing the mysql encrypted password as a string for $pass?

  6. #6
    Join Date
    Jan 2004
    Location
    edisto island, SC
    Posts
    21

    harm, i think

    if you post the string that exists in the pw column in your database then if someone gets access to your database, they can just run a query with that string and it will match up with the string that's stored and they can do whatever you're trying to protect with that password.


    the way to do anything useful with the password that's encoded with the MySQL PASSWORD() function and stored in your database, is to encode the password you're looking to check against it and then send a query to the MySQL server that will encode your pw with the same PASSWORD() function and see if it matches what resides on the server. that way the only way anyone can match what's on your database is to encode the correct password.

  7. #7
    Join Date
    Jan 2004
    Location
    edisto island, SC
    Posts
    21

    ok, sort of

    what i said makes a little sense, but may or may not directly apply to what you're trying to do. i don't have enough information.

    basically, the point of the password being encrypted in the first place is so that no one will know what exists on the database as a "password". so if you flaunt the encrypted string you're going to have trouble, because that's what the password really is right?

    but the method i described before of encoding an entered password and checking it to the encoded password in the database is a secure way to validate a password, because no one ever sees the encrypted string. they can only try and enter a password, that once encoded will match the string...

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles