drwiupraq047311240 2009-03-06 06:05

What is the best way to persist objects across forms in PHP?

I have a PHP application where I would like certain objects to persist in the following manner:

  1. The object must not exist in the $_SESSION. Separate web browser windows must control separate instances of the object.
  2. The end-user must not be able to modify the object by changing the content of the $_REQUEST variable by hand (if this happens the request should be treated as corrupted).

Is there a best-practices / proper way to do this? With PHP becoming more and more object oriented, I fear that I am reinventing a wheel.

The grand purpose of this code is to allow the creation and manipulation of complex objects without using a database until they are to be committed, then I will use a proper transaction to commit them to the database in full. I want to make it so that my database contains only the complete invoice, or no invoice at all.

My current method is as follows:

<?php

include('encrypt.php');
include('invoice.class.php');

if(isset($_REQUEST['invoice']))
{
    // Restore the invoice carried in the hidden form field.
    $invoice = unserialize(decrypt(base64_decode($_REQUEST['invoice'])));
    if(!($invoice instanceof invoice)) throw new Exception('Something bad happened');
}
else
{
    // Some pages throw an exception if the $_REQUEST doesn't exist.
    $invoice = new invoice();
}

if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'addLine')
{
    $invoice->addLine(new invoiceLine($_REQUEST['description'], $_REQUEST['qty'], $_REQUEST['unitprice']));
}

?>
<form action="index.php" method="post">
<input type="text" name="qty" />
...
<!-- The whole invoice travels with the form, encrypted, so no server-side session is needed. -->
<input type="hidden" name="invoice" value="<?php echo(base64_encode(encrypt(serialize($invoice)))); ?>" />
</form>

9 answers

  • drgdn82648 2009-03-06 07:28

    You could also save state on the client, without cookies, using a simple hidden form input. As long as the data (probably a serialized blob) is encrypted and signed, the user can't modify it without breaking their session.

    Steve Gibson uses this method for his custom e-commerce system. While his code isn't open source, he thoroughly explains ways to save state without storing sensitive data on the server or requiring cookie support in Security Now Episode #109, "GRC's eCommerce System".

    This answer was selected as the best answer by the asker.
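The "encrypted and signed" hidden field the answer describes, applied to the asker's invoice code, as an added example that is neither the asker's nor the answerer's code. It assumes PHP 8 with the OpenSSL extension, reads from $_POST rather than $_REQUEST, and uses constructed demo keys in a hypothetical loadKeys() helper; the point it adds is that the HMAC tag is checked before anything is decrypted or unserialized, and that unserialize() is limited to the two expected classes.

```php
<?php
// Added example (not from the question or answer): encrypt-then-MAC the
// serialized invoice so a tampered hidden field is rejected before unserialize().

final class InvoiceLine {
    public function __construct(public string $description, public int $qty, public float $unitPrice) {}
}

final class Invoice {
    /** @var InvoiceLine[] */
    public array $lines = [];
    public function addLine(InvoiceLine $line): void { $this->lines[] = $line; }
}

// Two independent 32-byte keys: one for AES-256-CBC, one for the HMAC tag.
// Constructed demo keys; a real deployment loads them from outside the web root (assumption).
function loadKeys(): array {
    return ['enc' => str_repeat("\x01", 32), 'mac' => str_repeat("\x02", 32)];
}

function sealState(Invoice $invoice, array $keys): string {
    $iv  = random_bytes(16);                                   // fresh IV on every form render
    $ct  = openssl_encrypt(serialize($invoice), 'aes-256-cbc', $keys['enc'], OPENSSL_RAW_DATA, $iv);
    $tag = hash_hmac('sha256', $iv . $ct, $keys['mac'], true); // the tag covers IV and ciphertext
    return base64_encode($iv . $ct . $tag);
}

/** Returns the Invoice, or null when the field is missing, malformed or tampered with. */
function openState(?string $field, array $keys): ?Invoice {
    $blob = base64_decode($field ?? '', true);
    if ($blob === false || strlen($blob) < 16 + 32) return null;
    $iv  = substr($blob, 0, 16);
    $tag = substr($blob, -32);
    $ct  = substr($blob, 16, -32);
    // Verify the tag in constant time *before* decrypting or deserializing anything.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $keys['mac'], true), $tag)) return null;
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $keys['enc'], OPENSSL_RAW_DATA, $iv);
    if ($plain === false) return null;
    // Even for authenticated data, restrict which classes unserialize() may instantiate.
    $obj = unserialize($plain, ['allowed_classes' => [Invoice::class, InvoiceLine::class]]);
    return $obj instanceof Invoice ? $obj : null;
}

$keys    = loadKeys();
$invoice = openState($_POST['invoice'] ?? null, $keys) ?? new Invoice();
if (($_POST['action'] ?? '') === 'addLine') {
    $invoice->addLine(new InvoiceLine((string)$_POST['description'], (int)$_POST['qty'], (float)$_POST['unitprice']));
}
// Flipping any byte of the sealed blob makes openState() return null, i.e. the request is treated as corrupted.
echo '<input type="hidden" name="invoice" value="' . htmlspecialchars(sealState($invoice, $keys)) . '" />';
```

Because each render uses a fresh IV, two browser windows holding different blobs stay independent, which is the asker's first requirement; a blob edited by hand fails the tag check and falls back to an empty invoice instead of being unserialized.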