Within any PHP (or other web...) script, there exists a pool of so-called "session variables" (by any other name) which can be stored by PHP on the server. The session-cookie handling logic enables PHP to locate that pool of variables for you. Each variable is, in fact, an arbitrary data-structure ... lists, arrays, structs, what have you ... and it is stored in the pool under some name (known to you).
So... when you need to "pass" information from one area of the program to another, do so by passing a meaningless, randomly-generated short string ... which is a key into some session-variable (which is an "array[string] of some structure"). (Yes, I am speaking in non-PHP-specific terms here; catch the idea and you can find your way to the PHP implementation.)
This approach is not only much more secure, but it is also much easier. For instance, your generated HTML might include a tag that looks vaguely like this:
<input name="input_xyzzyQz39foobar">Confirm this order</input>
Your code detects this string in the POST data, then looks for:
If that key exists in $$SESSION('post_keys'), then there's all the information that you are looking for. If not, the user is feeding you a bogus-or-stale string.
In any case: the user does not have anything on his computer that means anything at all to him. He can't forge a new one. He can't change any information that you have associated with the utterly random key that you have provided. And, you don't have to write messy code to store and retrieve whatever information it is. (PHP's implementors have already done that bit for you.) All of the modules in the system have access to the session pool.
It is a very good idea to write one class or object which encapsulates all of this logic in convenient terms within your application so that the code only occurs once.
HTH. (Please, don't ask me to write the code.)
Last edited by sundialsvcs; 12-22-2011 at 05:04 AM.