Jump to content
Larry Ullman's Book Forums

Recommended Posts

On the view_users.php page, when you click on the "Edit" link you are redirected to another page using the user_id being passed to next page within the URL. On page 260 we are told of the first method in which uses the hidden input type for forms, how can we apply this method to the "Edit" link hyperlink and what adjustments would need to be made to the view_users.php script to allow this ?

Link to comment
Share on other sites

I don't have this book so I'm responding from memory and I apologise if I've misunderstood the question.


The edit link is linking to a new page without the use of a form so you can't use the hidden input approach. If you wanted to use that approach you would need to create a form on the view_users page. You would then need to decide how that form would be populated and you could end up with an unnecessarily complicated approach either via from the user or the programming point of view.


An alternative approach would be to use cookies or sessions to pass the variable. I think the $_GET approach used here is efficient and secure as long as the receiving script applies proper validation. Someone please correct me if I'm wrong.

Link to comment
Share on other sites

Yes, margaux, you are essentially right.

The one way you could use hidden inputs properly is to create a separate form for each row, each with their own unique hidden input value.

With that said though, simply using the GET method and then validating on the edit_profile script side is the best solution, I agree.

Link to comment
Share on other sites

A degree of 'over-caution' is not a bad thing. I think with the proper security measures  - such as the use of mod_rewrites and filters as well as securing both the database and what is sent to the database - using $_GET is fine in certain instances.

Link to comment
Share on other sites

Paul, GET can be less secure in the sense that all the parameters are viewable in the URL, but that's preferable in cases where you want to make the resulting page linkable/bookmarkable. The perfect example is a search feature on a site. Next time you do a search on Google, Amazon, etc., take a look at the URL, and you'll see what I mean.


As margaux mentioned though, when you use GET, because the URL can be easily modified to contain any parameters, you need to be extra* careful to properly validate everything.

So long as you do that, you should be fine.


*: Truth be told, regardless of the submit method, you should always go for the maximum level of validation (within reason).

Link to comment
Share on other sites

I was also afraid of using GET for a while, Paul. However, GET is a basic HTTP request, and is designed to get information. Save you some trouble and just pass the ID in the URL, but wrap the call in some permission checks. You should be using GET on all the "U"s in CRUD, with few exceptions. The rule is to never send sensitive info in GET. Passing primary keys is no problem.


I even use GET on delete operations. That's not really "correct", but I get lazy. Short and simple code leads to fewer bugs and fewer security holes, so there's always trade-offs to consider. When I do this, I usually include a stricter check such a making sure other values exist too.


Here's an example of how I do this in CodeIgniter:


The method below is ran when i visit:



It can be translated to something like:


 * Deletes an attachment
 * @param int        The ID of an attachment

public function delete()
    // Load needed model
    $this->load->model('profile/files'); // Creates $this->files

    // Get identifiers
    $offer_id = (int) $this->uri->segment(4, 0);
    $file_id = (int) $this->uri->segment(5, 0);
    $company_id = (int) $this->user->company_id; // I know this exist
    // Delete record form DB
    $file = $this->files->delete($file_id, $company_id);
    // Make sure operation was successfull
    if ( $file !== null )
        $image = self::$UPLOAD_DIRECTORY . $file->file_path;
        $thumb = self::$THUMBNAIL_DIRECTORY . $file->file_path;
        // Delete the files if found
    // Redirect


CodeIgniter is segment based, so the call to $this->uri->segment() simply returns the GET param OR the second parameter. In this situation, it will always pass Integer 0 if the GET params does not exist.


The trick is that $this->user is an object set by an authentication component I trust. I know that the user is logged in before this method is called. Because I trust that, I simply pass the Company ID and File ID to a model. If the combination does not exist, the Database model will simply ignore the operation and return false. If the record is deleted, I delete the actual files on the server too.


This principle of delegation lets you write very simple and easy to understand code.

  • Upvote 1
Link to comment
Share on other sites


  • Create New...