Posted by Gordon Burditt on 05/19/06 21:32

>I am using values stored an $_POST array to display records from a table before
>asking the user if he is sure he wants to delete them. If the user confirms then
>the records are deleted. Without boring you with all of the code here is the
>rough idea.

You get a new $_POST on each form submission. You do not get
stuff left over from the previous form submission in it.

>Since there are no values for id I can only assume that the original array held
>within $_POST['delete'] is no longer stored when the page is refreshed after the
>user has confirmed that he wants to delete the records. That being the case how

This is the way it's supposed to work. You shouldn't have left-over
crap from previous form submissions. Considering that some of that
data might be credit card numbers or passwords, that would be a horrible
insecurity.

>can I best code the page so that I can use an array in both instances. I'm
>hazarding a guess that I may have to pass the array on by using something like
><input='hidden' etc etc>. That being the case how do I do that or is there a
>better way of achieving my objective?

Two possibilities are (1) store the ID in the session, or (2) put
the ID in a hidden field in the confirmation page form, so it shows
up in the new $_POST. Since it goes through the browser, remember
that this value can be hacked.

Always remember that you need to check whether the user has the
authority to delete the record *AT THE TIME THE CONFIRMATION IS
SUBMITTED*. You checked when generating the confirmation page?
Great, but that alone is not good enough.

Gordon L. Burditt

[Back to original message]