Ashley, posted April 6, 2013:

On the view_users.php page, when you click on the "Edit" link you are redirected to another page using the user_id, which is passed to the next page within the URL. On page 260 we are told of the first method, which uses the hidden input type for forms. How can we apply this method to the "Edit" link hyperlink, and what adjustments would need to be made to the view_users.php script to allow this?
margaux, posted April 6, 2013:

I don't have this book, so I'm responding from memory and I apologise if I've misunderstood the question. The edit link is linking to a new page without the use of a form, so you can't use the hidden input approach. If you wanted to use that approach you would need to create a form on the view_users page. You would then need to decide how that form would be populated, and you could end up with an unnecessarily complicated approach, either from the user's or the programmer's point of view. An alternative approach would be to use cookies or sessions to pass the variable. I think the $_GET approach used here is efficient and secure as long as the receiving script applies proper validation. Someone please correct me if I'm wrong.
HartleySan, posted April 7, 2013:

Yes, margaux, you are essentially right. The one way you could use hidden inputs properly is to create a separate form for each row, each with its own unique hidden input value. With that said, though, simply using the GET method and then validating on the edit_profile script side is the best solution, I agree.
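Both approaches side by side, as an added example that is not the book's code or anything posted in this thread: view_users.php emitting a per-row form with a hidden user_id next to the original GET link, and the integer check the receiving edit_user.php applies to the id whichever way it arrived. The file names, the read_user_id() helper and the sample rows are assumptions.

```php
<?php
// Added example, not the book's or the thread's code: view_users.php with
// HartleySan's per-row hidden-input form beside the original GET link, and
// the validation edit_user.php applies to the id however it arrived.

// Receiving side (edit_user.php): take the id from POST or GET, but trust
// neither; it must be a positive integer before it touches a query.
function read_user_id(array $post, array $get)
{
    $raw = isset($post['id']) ? $post['id'] : (isset($get['id']) ? $get['id'] : null);
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false) ? null : $id;   // null: redirect the user away
}

// Constructed sample rows standing in for the mysqli_fetch_array() loop.
$users = [
    ['user_id' => 7,  'name' => 'Alice'],
    ['user_id' => 12, 'name' => 'Bob'],
];

foreach ($users as $row) {
    $id   = (int) $row['user_id'];
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');

    // Method 1: a tiny POST form per row; the id travels as a hidden input.
    echo "<tr><td>$name</td><td>"
       . "<form action=\"edit_user.php\" method=\"post\">"
       . "<input type=\"hidden\" name=\"id\" value=\"$id\">"
       . "<input type=\"submit\" value=\"Edit\">"
       . "</form></td>";

    // Method 2: the original GET link; the same id is visible in the URL.
    echo "<td><a href=\"edit_user.php?id=$id\">Edit</a></td></tr>\n";
}

// In edit_user.php the check runs before any query, for both methods alike:
//   $id = read_user_id($_POST, $_GET);
//   if ($id === null) { header('Location: index.php'); exit; }
//   then SELECT ... FROM users WHERE user_id = ? with $id bound as an integer.
// Constructed inputs: a tampered string (rejected) and a valid id (accepted).
var_dump(read_user_id(['id' => '7 OR 1=1'], []));
var_dump(read_user_id([], ['id' => '12']));
```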
Paul, posted April 7, 2013:

Hiya. At the risk of being overly cautious, I've made myself a rule never to put any form of user info in a GET. I would always use a session. But, as I say, I may be being over-cautious.
margaux, posted April 7, 2013:

A degree of 'over-caution' is not a bad thing. I think with the proper security measures - such as the use of mod_rewrites and filters, as well as securing both the database and what is sent to the database - using $_GET is fine in certain instances.
HartleySan, posted April 7, 2013:

Paul, GET can be less secure in the sense that all the parameters are viewable in the URL, but that's preferable in cases where you want to make the resulting page linkable/bookmarkable. The perfect example is a search feature on a site. Next time you do a search on Google, Amazon, etc., take a look at the URL, and you'll see what I mean. As margaux mentioned, though, when you use GET, because the URL can be easily modified to contain any parameters, you need to be extra* careful to properly validate everything. So long as you do that, you should be fine.

*: Truth be told, regardless of the submit method, you should always go for the maximum level of validation (within reason).
Antonio Conte, posted April 7, 2013:

I was also afraid of using GET for a while, Paul. However, GET is a basic HTTP request, and is designed to get information. Save yourself some trouble and just pass the ID in the URL, but wrap the call in some permission checks. You should be using GET on all the "U"s in CRUD, with few exceptions. The rule is to never send sensitive info in GET. Passing primary keys is no problem. I even use GET on delete operations. That's not really "correct", but I get lazy. Short and simple code leads to fewer bugs and fewer security holes, so there are always trade-offs to consider. When I do this, I usually include a stricter check, such as making sure other values exist too.

Here's an example of how I do this in CodeIgniter. The method below is run when I visit: http://domain.com/profile/attachment/delete/1/1

It can be translated to something like: http://domain.com/attachment.php?offer_id=1&file_id=1

/**
 * Deletes an attachment
 *
 * @param int The ID of an attachment
 */
public function delete()
{
    // Load needed model
    $this->load->model('profile/files'); // Creates $this->files

    // Get identifiers (missing segments fall back to 0)
    $offer_id   = (int) $this->uri->segment(4, 0);
    $file_id    = (int) $this->uri->segment(5, 0);
    $company_id = (int) $this->user->company_id; // I know this exists

    // Delete record from DB; the model returns false if the
    // file/company combination does not exist
    $file = $this->files->delete($file_id, $company_id);

    // Make sure operation was successful before touching the filesystem
    if ($file) {
        $image = self::$UPLOAD_DIRECTORY . $file->file_path;
        $thumb = self::$THUMBNAIL_DIRECTORY . $file->file_path;

        // Delete the files if found
        $this->_deleteFile($image);
        $this->_deleteFile($thumb);
    }

    // Redirect
    $this->_redirect_to_attachments_list($offer_id);
}

CodeIgniter is segment based, so the call to $this->uri->segment() simply returns the GET param OR the second parameter. In this situation, it will always pass integer 0 if the GET params do not exist.
The trick is that $this->user is an object set by an authentication component I trust. I know that the user is logged in before this method is called. Because I trust that, I simply pass the Company ID and File ID to a model. If the combination does not exist, the database model will simply ignore the operation and return false. If the record is deleted, I delete the actual files on the server too. This principle of delegation lets you write very simple and easy-to-understand code.
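The delegation pattern from the two posts above, as an added example that is not Antonio's code or CodeIgniter's: a plain-PHP model whose DELETE carries the owner's company_id in its WHERE clause, so an id belonging to someone else deletes nothing and the caller gets false back. The table layout, the in-memory SQLite database and the FilesModel class are assumptions made for the example.

```php
<?php
// Added example, not Antonio's code or CodeIgniter's: the same delegation
// pattern in plain PHP with PDO. The caller only casts the ids; the model
// enforces ownership by putting company_id into the WHERE clause, so a
// file_id that belongs to another company deletes nothing and returns false.
class FilesModel
{
    private $db;
    public function __construct(PDO $db) { $this->db = $db; }

    /** Delete one attachment owned by $company_id; return its row, or false. */
    public function delete($file_id, $company_id)
    {
        // Fetch first so the caller learns the stored path for file cleanup.
        $sel = $this->db->prepare(
            'SELECT file_id, file_path FROM files WHERE file_id = ? AND company_id = ?'
        );
        $sel->execute([$file_id, $company_id]);
        $file = $sel->fetch(PDO::FETCH_OBJ);
        if ($file === false) {
            return false;   // not found, or not owned by this company: ignore
        }
        $del = $this->db->prepare(
            'DELETE FROM files WHERE file_id = ? AND company_id = ?'
        );
        $del->execute([$file_id, $company_id]);
        return $del->rowCount() === 1 ? $file : false;
    }
}

// Constructed in-memory SQLite table standing in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE files (file_id INTEGER PRIMARY KEY, company_id INTEGER, file_path TEXT)');
$pdo->exec("INSERT INTO files VALUES (1, 10, 'a.pdf'), (2, 20, 'b.pdf')");
$files = new FilesModel($pdo);

// Caller side: company_id comes from the trusted login session (assumed 10);
// file_id is whatever arrived in the URL, cast to int exactly as in the post.
$company_id = 10;
foreach ([1, 2, 999] as $file_id) {
    $file = $files->delete((int) $file_id, $company_id);
    // Only on success would the stored file and its thumbnail be unlinked.
    echo $file !== false
        ? "deleted file $file_id ({$file->file_path})\n"
        : "file $file_id: nothing deleted (missing or owned by another company)\n";
}
```

Only file 1 is deleted; file 2 exists but belongs to company 20, and file 999 does not exist, and the caller cannot tell the two failures apart, which is the point of scoping the query.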
Ashley (original poster), posted April 7, 2013:

Thank you for your answers. I have managed to get it to work using a form, but can't get the POST method to work on fetch-array data.