Leo505 Leo505 - 2 months ago 5
Ajax Question

Pass PHP object to another page via AJAX post

Anyone can help with this. I think i'm missing something basic and obvious!

I pass object $session from index.php to results.php like so..

index.php

include 'classes/user.php';
$session = new User();
//some object work
$sessionObjectStr = serialize($session);

<script>
var sessionObj = <?php if(isset($session)){echo json_encode($sessionObjectStr);}else{echo json_encode("");}; ?>;
$.post( 'results.php', {'object':sessionObj}, function(data){.....
</script>


results.php

include 'classes/user.php';
if(isset($_POST['object'])){ $session = unserialize(($_POST['object']));}
$session->getName();


The getName method returns nothing. It should return name like it did on index.php page..

var_dump from index.php for serialized $session

string(690) "O:4:"User":7:{s:9:"*userId";s:2:"27";s:7:"*name";s:5:"Admin";s:8:"*email";s:13:"admin@nrt.com";s:9:"*rights";s:5:"Super";s:9:"*cookie";N;s:12:"*lastLogin";s:10:"1475435341";s:5:"*db";O:8:"Database":4:{s:7:"*link";O:6:"mysqli":19:{s:13:"affected_rows";N;s:11:"client_info";N;s:14:"client_version";N;s:13:"connect_errno";N;s:13:"connect_error";N;s:5:"errno";N;s:5:"error";N;s:10:"error_list";N;s:11:"field_count";N;s:9:"host_info";N;s:4:"info";N;s:9:"insert_id";N;s:11:"server_info";N;s:14:"server_version";N;s:4:"stat";N;s:8:"sqlstate";N;s:16:"protocol_version";N;s:9:"thread_id";N;s:13:"warning_count";N;}s:10:"*numRows";i:1;s:13:"*affectRows";i:1;s:9:"*result";b:1;}}"


var_dump from results.php for $_POST['object'] - (serialized)

string(690) "O:4:"User":7:{s:9:"*userId";s:2:"27";s:7:"*name";s:5:"Admin";s:8:"*email";s:13:"admin@nrt.com";s:9:"*rights";s:5:"Super";s:9:"*cookie";N;s:12:"*lastLogin";s:10:"1475435341";s:5:"*db";O:8:"Database":4:{s:7:"*link";O:6:"mysqli":19:{s:13:"affected_rows";N;s:11:"client_info";N;s:14:"client_version";N;s:13:"connect_errno";N;s:13:"connect_error";N;s:5:"errno";N;s:5:"error";N;s:10:"error_list";N;s:11:"field_count";N;s:9:"host_info";N;s:4:"info";N;s:9:"insert_id";N;s:11:"server_info";N;s:14:"server_version";N;s:4:"stat";N;s:8:"sqlstate";N;s:16:"protocol_version";N;s:9:"thread_id";N;s:13:"warning_count";N;}s:10:"*numRows";i:1;s:13:"*affectRows";i:1;s:9:"*result";b:1;}}"


So as you can see the serialized versions are the same.. Once i unserialize on the results.php i should be able to use the object as i did before right?

Edit:
As suggested, and what i tried before posting this question was the decode the variable and then unserialize it. But it returns an error

if(isset($_POST['object'])){ $decodeObjStr = json_decode($_POST['object']); $session = unserialize($decodeObjStr);}


Fatal error: Call to a member function getName() on boolean

var dump for decoded_json.

var_dump($decodeObjStr);


NULL

Answer

Why? This is the first thing that popped into my head when reading your question. Why would you want to do this? It is a huge security risk, which can (and probably will) expose your users' details to a third party.
Not to mention, giving the users a trivial way to increase their own permissions by simply editing the HTML code in their browser's built-in tools..

Most importantly: Why not use the built-in functionality of sessions, and their associated cookie? That way you only need to run session_start(), and use the $_SESSION array to store stuff in. Also, no need to involve AJAX or even JavaScript on this, as this functionality is all server-side. Sending data to the client, for it to just re-send it back to the server unchanged, is a bit unnecessary. Especially when you can just store it on the server in the first place. Don't you agree? :)

In this case I strongly recommend using sessions. Store the userID in the session, and use this to re-create the user object on each load. Querying the database if necessary.
There should be absolutely no need to serialize the object, nor creating your own custom-built "session state engine".

Quick code example:
index.php

session_start ();

$user = new User ();
// Woodoo here, creating new user or logging in.

$_SESSION['userid'] = $user->getID ();

?>

<html>
<a href="results.php">Results</a>
</html>

results.php

session_start ();
$user = new User();

// Read the user's details from the DB, finalizing the object for use.
$user->read ($_SESSION['id']);

// Now we can do whatever we wanted to with the $user object.
Comments