php coding design question

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

abolzouz
Forum Newbie
Posts: 13
Joined: Fri Mar 26, 2010 5:54 am

php coding design question

Post by abolzouz »

hi everyone...

the situation is the following:
I have a login page that has POST as METHOD and profile.php as ACTION.
In profile.php I check if the user is a regular or admin user, and based on his privileges I display a sidebar...
the sidebar code is something similar to this:

Code:

<?php
if (isset($userObject)) {
    ?>
    <li>
        <?php
        if ($userObject instanceof User) {
            /**
             * Check the privileges of the logged-in user and display a sidebar accordingly.
             */
            if ($userObject->isAdminUser()) {
                /**
                 * Sidebar of an administrator.
                 */
                ?>
                <h2>Links</h2>
                <ul>
                    <li><a href="profile.php?action=bla">Home</a></li>
                    <li><a href="profile.php?action=blabla">News</a></li>
                    <li><a href="profile.php?action=logout">Logout</a></li>
                </ul>
                <?php
            } else {
                /**
                 * Sidebar of a regular user.
                 */
                ?>
                <h2>Links</h2>
                <ul>
                    <li><a href="profile.php?action=logout">Logout</a></li>
                </ul>
                <?php
            }
        }
        ?>
    </li>
</ul>   <!-- closes the list and container opened before this fragment -->
</div>
<?php
}
?>
my question is the following: is it correct what I am doing... I know it works, but is this the professional way to do it...
I mean, is it professional/secure to pass actions as GET parameters when a user is logged in?

thanks in advance
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: php coding design question

Post by requinix »

abolzouz wrote:i mean is it professional/secure to pass actions as GET parameters when a user is logged in ?
Sure. Right now I'm at

Code:

http://forums.devnetwork.net/posting.php?mode=quote&f=1&p=600786
As long as you validate the action then you're good.
abolzouz
Forum Newbie
Posts: 13
Joined: Fri Mar 26, 2010 5:54 am

Re: php coding design question

Post by abolzouz »

tasairis wrote:As long as you validate the action then you're good.
I'm doing the following to validate, am I on the right track?

Code:

if (isset($_GET['action'])) {
    $action = htmlentities(addslashes($_GET['action']));
    if ($action === "logout") {   // was: if ($action = "logout"), a single = assigns and is always true
        session_destroy();
        header("Location: index.php");   // the closing quote was missing
    }
}
I'm a Java developer and I'm new to PHP/web development, so please excuse my silly questions

thanks in advance
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: php coding design question

Post by AbraCadaver »

Number one, if you're not using $action (just comparing to a value) then there's no reason to htmlentities() or addslashes(), and depending upon your magic_quotes settings it may already have slashes added. Number two, you must start a session before calling session_destroy(). You'll probably also want to unset($_SESSION).
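Putting AbraCadaver's points together, here is an added example (not code from this thread or any of its posters) of the validation/logout snippet with the comparison made strict, session_start() called before the session is touched, and the redirect followed by exit. File names (profile.php, index.php) and the action names follow the thread; the allowlist contents, the helper names and PHP 7 or later are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+; file and action
// names follow the thread, everything else is invented for illustration.
declare(strict_types=1);

session_start();                       // required before $_SESSION or session_destroy()

// The only thing user input is ever compared against. No htmlentities()/addslashes():
// escaping belongs to output contexts (HTML, SQL), not to an equality check.
const ALLOWED_ACTIONS = ['home', 'news', 'logout'];

function currentAction(array $query): string
{
    $action = $query['action'] ?? 'home';          // absent parameter -> default page
    // ?action[]=x arrives as an array. in_array(..., true) would reject it, but a
    // later string use would not, so reject non-strings explicitly. The third
    // argument makes the comparison strict (no type juggling).
    if (!is_string($action) || !in_array($action, ALLOWED_ACTIONS, true)) {
        http_response_code(400);
        exit('Unknown action');
    }
    return $action;
}

function logout(): void
{
    $_SESSION = [];                                // drop server-side data first
    if (ini_get('session.use_cookies')) {          // expire the client's session cookie too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;                                          // header() does not stop execution
}

switch (currentAction($_GET)) {
    case 'logout':
        logout();
        break;                                     // never reached: logout() exits
    case 'news':
        echo '<h2>News</h2>';                      // placeholder for the news page
        break;
    default:
        echo '<h2>Home</h2>';                      // placeholder for the home page
        break;
}
```

The `exit` after `header()` matters: without it the rest of profile.php still runs for the now-anonymous request, and anything it echoes is sent along with the redirect.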
abolzouz
Forum Newbie
Posts: 13
Joined: Fri Mar 26, 2010 5:54 am

Re: php coding design question

Post by abolzouz »

thanks a lot for your time and help... that was really helpful
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: php coding design question

Post by flying_circus »

abolzouz wrote:my question is the following, is it correct what i am doing...i know it works but is this the professional way to do it...
i mean is it professional/secure to pass actions as GET parameters when a user is logged in ?
In my opinion, it depends on what those actions do.
RFC2616 - 9.1.1 wrote:In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
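An added example (not from this thread or any of its posters) of the convention flying_circus quotes, applied to profile.php: retrieval actions stay on GET links, while logout, which changes state, is only reachable by POST and must carry a CSRF token. Route names follow the thread; the handler functions, the token scheme and PHP 7 or later are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+; route names follow
// the thread, handlers and the token scheme are invented for illustration.
declare(strict_types=1);

session_start();

// Each action declares the method it accepts. GET actions are "safe" in the
// RFC 2616 sense: linkable, cacheable, no side effects. State changes go via POST.
const ROUTES = [
    'home'   => ['method' => 'GET',  'handler' => 'showHome'],
    'news'   => ['method' => 'GET',  'handler' => 'showNews'],
    'logout' => ['method' => 'POST', 'handler' => 'doLogout'],
];

function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));   // per-session secret
    }
    return $_SESSION['csrf'];
}

function requireCsrf(): void
{
    $sent = $_POST['csrf'] ?? '';
    // is_string first: hash_equals() throws on non-string input. hash_equals()
    // itself is constant-time; the known value goes in the first argument.
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

function dispatch(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    // Read the action from the body for POST and from the query string for GET,
    // so a plain link can never name a state-changing action.
    $action = $method === 'POST' ? ($_POST['action'] ?? '') : ($_GET['action'] ?? 'home');

    // Lookup against fixed array keys: nothing to escape, and ?action[]=x is rejected.
    if (!is_string($action) || !array_key_exists($action, ROUTES)) {
        http_response_code(400);
        exit('Unknown action');
    }
    $route = ROUTES[$action];
    if ($route['method'] !== $method) {
        header('Allow: ' . $route['method']);
        http_response_code(405);
        exit('Method not allowed for this action');
    }
    if ($method === 'POST') {
        requireCsrf();
    }
    ($route['handler'])();
}

function showHome(): void
{
    echo '<h2>Links</h2><ul>';
    echo '<li><a href="profile.php?action=news">News</a></li>';
    // Logout is a form, not a link, and carries the token as a hidden field.
    echo '<li><form method="post" action="profile.php">';
    echo '<input type="hidden" name="action" value="logout">';
    echo '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
    echo '<button type="submit">Logout</button></form></li></ul>';
}

function showNews(): void
{
    echo '<h2>News</h2>';
}

function doLogout(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: index.php');
    exit;
}

dispatch();
```

With this split a visitor who is tricked into opening `profile.php?action=logout` gets a 405, not a logged-out session, and a forged POST from another origin fails the token check because the attacker cannot read the victim's session-bound token.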