From A to B via XT

Current Projects: PHP on XP Guide — NFO Viewer — Easy Reflections — Photon Storm — HotWire — FileGlider

Thursday, November 3. 2005

From A to B via XT

Using Transfer Files in PHP, their purpose, implementation and why they might just save your sanity.

At some point, virtually all PHP developers will find themselves in a situation where they are passing values from one PHP script to another. This article focuses on the benefit of using a Transfer File to handle the data exchange and separation of the logic from the display and core processing scripts. Before we jump right into what Transfer Files are, let’s first consider a familiar example that most of us will have come across at some point or other: a user registration page. This page collects information about the user and then submits it for validation and processing.

Here is where the first issues arise: which script is responsible for the validation of the form data and what happens should this validation fail? How can we return the user back to where they started, with the original form re-filled with their data even if they just click the “Back” button in their browser? More importantly, what do we do if the result of the data has multiple potential destinations?

As programmers we are also, whether we like it or not, responsible for creating user friendly applications. This means not relying on browser specifics to achieve tasks and hand-holding the user through our systems as much as possible. A good example of a badly designed user experience follows:

Joe Bloggs enters his username and password into a web site login page and submits the form.

The script checks his data and sees that something doesn’t quite match, so it sends him to an error page that simply says “Username/Password invalid” and urges him to click “Back” in his browser and try again.

This is more common than you might think and several high-profile web sites adopt this principal of “let the user fend for themselves”. But poor Joe is sat there thinking “Well which was it? My username or my password that failed?” and when he clicks “Back” in his browser he finds the form is now blank and he has to try again.

This might not sound like such a big deal, but what if the form had been part of a registration process or a shopping cart purchase page? Often the forms in use are both far more complex than our example and have multiple outcomes based on the user data. As we all know, the more data you loose for someone, the bigger their frustration factor. Using an XT (Transfer) script is one way to allow you to keep track of this information flow and to separate the logic of your site from the display and core functions.

So what is an XT script and how does it work?

Pages: 1 | 2 | 3 | 4 | 5 | 6 | All

Posted by Richard Davey in Articles at 17:41 | Comments (6) | Trackbacks (25)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

what i feel is if we let the user know that whether his userid or password is wrong then an unauthorised user can try a combination of things .... if we display the message "Username/Password invalid", then the unauthorised user will not be able to guess that whether the userid is incorrect or the password ....

what you say, please let me know

#1 vishwa vivek (Homepage) on 2005-11-08 10:40 (Reply)

I will have to disagree with this one - I feel that sites should be built for the user first, and a 'hacker' second. Most of the time a hacker could determine if the username was valid by using one of those 'send me my password' features - often all they do is take the username and then send out an email. The hacker can use this to determine if the username is valid. Ilia's book on security has a great chapter on tar pits, something you should use to trap your hackers rather than annoy your visitors.

#1.1 Richard Davey (Homepage) on 2005-11-08 15:41 (Reply)

thanks richard,
you are right that the user name can be known by other ways also .. i agree

#1.1.1 vishwa vivek (Homepage) on 2005-11-09 08:23 (Reply)

Watch out for those redirects...last time I checked Header("Location: $xyz"); always gave a 302 response which it shouldn't - most browsers do not implement HTTP properly in this regard both for HTTP 1.0 and 1.1 - indeed the behaviour is deeply ingrained into many development toolkits (and not just PHP ones) the result is that it *works* but its not correct.

If the protocol is 1.1 (or later) you should really issue a 303 redirect. See http://ppewww.ph.gla.ac.uk/~flavell/www/post-redirect.html

This may seem like nit picking, but given the exploitation of redirection for phishing attacks, this is an area which may see changes (or 'bolt-ons' claining to improve security).

C.

#2 Colin McKinnon (Homepage) on 2005-12-15 21:14 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	HTML-Tags will be converted to Entities. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry