I have a PHP application where I want certain objects to be saved as follows:
- An object must not exist in $_SESSION. Separate browser windows must manage individual instances of the object.
- The end user cannot modify the object by changing the contents of the $_REQUEST variable manually (if this happens, the request should be considered as damaged).
Is there a better way / right way to do this? As PHP becomes more and more object oriented, I am afraid that I am inventing the wheel.
The main purpose of this code is to allow the creation and manipulation of complex objects without using a database until they are committed, then I will use the proper transaction to completely transfer them to the database. I want to make my database only contain a full invoice or no invoice at all.
My current method is as follows:
<?php
include('encrypt.php');
include('invoice.class.php');
// Restore the invoice carried in the hidden form field, or start a new one
if(isset($_REQUEST['invoice']))
{
$invoice = unserialize(decrypt(base64_decode($_REQUEST['invoice'])));
if(!($invoice instanceOf invoice)) throw new exception('Something bad happened');
}
else
{
$invoice = new invoice();
}
// Apply the requested action to the in-memory invoice
if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'addLine')
{
$invoice->addLine(new invoiceLine($_REQUEST['description'], $_REQUEST['qty'], $_REQUEST['unitprice']));
}
?>
<form action="index.php" method="post">
<input type="text" name="qty" />
...
<input type="hidden" name="invoice" value="<?php echo(base64_encode(encrypt(serialize($invoice)))); ?>" />
</form>
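The approach above relies on encrypt()/decrypt() from encrypt.php, and encryption alone does not tell you whether the hidden field was modified: a tampered or truncated field still reaches unserialize(). The following is an added example (not code from the original post) that carries the invoice as an authenticated token using AES-256-GCM, rejects any altered field before unserialize() runs, and restricts which classes may be instantiated. It assumes a 32-byte secret key loaded from server-side configuration, and the invoice and invoiceLine classes from invoice.class.php.

```php
<?php
// Added example: authenticated invoice token for the hidden form field.
// $key must be 32 random bytes from server-side config (assumed), never from the request.
const TOKEN_CIPHER = 'aes-256-gcm';
const TOKEN_TAG_LEN = 16;

function invoice_to_token(invoice $invoice, string $key): string
{
    $plain = serialize($invoice);
    $iv = random_bytes(openssl_cipher_iv_length(TOKEN_CIPHER)); // fresh nonce per token
    $tag = '';
    $cipher = openssl_encrypt($plain, TOKEN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TOKEN_TAG_LEN);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    // Layout: iv . tag . ciphertext, base64-encoded so it fits in a form value
    return base64_encode($iv . $tag . $cipher);
}

function token_to_invoice(string $token, string $key): invoice
{
    $raw = base64_decode($token, true); // strict mode: reject non-base64 input
    $ivLen = openssl_cipher_iv_length(TOKEN_CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TOKEN_TAG_LEN) {
        throw new RuntimeException('malformed invoice token');
    }
    $iv = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TOKEN_TAG_LEN);
    $cipher = substr($raw, $ivLen + TOKEN_TAG_LEN);
    // GCM verifies the tag during decryption; any modified byte yields false
    $plain = openssl_decrypt($cipher, TOKEN_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('invoice token failed authentication');
    }
    // Only the expected classes may be instantiated; others become __PHP_Incomplete_Class
    $invoice = unserialize($plain, ['allowed_classes' => ['invoice', 'invoiceLine']]);
    if (!($invoice instanceof invoice)) {
        throw new RuntimeException('invoice token did not contain an invoice');
    }
    return $invoice;
}

// Usage in the request handler (mirrors the original flow):
// $invoice = isset($_REQUEST['invoice']) ? token_to_invoice($_REQUEST['invoice'], $key) : new invoice();
// ... apply the action ...
// <input type="hidden" name="invoice" value="<?php echo htmlspecialchars(invoice_to_token($invoice, $key)); ?>" />
```

The tag check guarantees the field was produced by the server with this key, but not that it is the latest one: a user can resubmit an earlier token and drop lines they added since, so the final commit should still validate the whole invoice against business rules.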