
php coding design question

Posted: Tue Mar 30, 2010 1:53 am
by abolzouz
Hi everyone...

The situation is the following:
I have a login page that has POST as METHOD and profile.php as ACTION.
In profile.php I check if the user is a regular or admin user and based on his privileges I display a sidebar...
The sidebar code is something similar to this:

Code:

<?php
if (isset($userObject)) {
    ?>
    <li>
        <?php
        if ($userObject instanceof User) {
            /**
             * This if condition checks the privileges of the logged-in user
             * and displays a sidebar accordingly.
             */
            if ($userObject->isAdminUser()) {
                /**
                 * This is the sidebar of an administrator.
                 */
                ?>
                <h2>Links</h2>
                <ul>
                    <li><a href="profile.php?action=bla">Home</a></li>
                    <li><a href="profile.php?action=blabla">News</a></li>
                    <li><a href="profile.php?action=logout">Logout</a></li>
                </ul>
                <?php
            } else {
                /**
                 * This is the sidebar of a regular user.
                 */
                ?>
                <h2>Links</h2>
                <ul>
                    <li><a href="profile.php?action=logout">Logout</a></li>
                </ul>
                <?php
            }
        }
        ?>
    </li>
    </ul>  <!-- closes the <ul> and <div> opened earlier in the template -->
</div>
<?php
}
?>
My question is the following: is it correct what I am doing? I know it works, but is this the professional way to do it...
I mean, is it professional/secure to pass actions as GET parameters when a user is logged in?

thanks in advance

Re: php coding design question

Posted: Tue Mar 30, 2010 3:37 am
by requinix
abolzouz wrote: I mean, is it professional/secure to pass actions as GET parameters when a user is logged in?
Sure. Right now I'm at

Code:

http://forums.devnetwork.net/posting.php?mode=quote&f=1&p=600786
As long as you validate the action then you're good.

Re: php coding design question

Posted: Tue Mar 30, 2010 3:45 am
by abolzouz
tasairis wrote: As long as you validate the action then you're good.
I'm doing the following to validate, am I on the right track?

Code:

if (isset($_GET['action'])) {
    $action = htmlentities(addslashes($_GET['action']));
    // compare with ==, do not assign with =
    if ($action == "logout") {
        session_destroy();
        header("Location: index.php");
        exit; // stop the script once the redirect has been sent
    }
}
I'm a Java developer and I'm new to PHP/web development so please excuse my silly questions

thanks in advance

Re: php coding design question

Posted: Tue Mar 30, 2010 8:50 am
by AbraCadaver
Number one, if you're not using $action (just comparing to a value) then there's no reason to htmlentities() or addslashes(), and depending upon your magic_quotes settings it may already have slashes added. Number two, you must start a session before calling session_destroy(). You'll probably also want to unset($_SESSION).

Re: php coding design question

Posted: Tue Mar 30, 2010 9:27 am
by abolzouz
Thanks a lot for your time and help... that was really helpful

Re: php coding design question

Posted: Tue Mar 30, 2010 11:32 am
by flying_circus
abolzouz wrote: My question is the following: is it correct what I am doing? I know it works, but is this the professional way to do it...
I mean, is it professional/secure to pass actions as GET parameters when a user is logged in?
In my opinion, it depends on what those actions do.
RFC 2616 - 9.1.1 wrote: In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
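Pulling the three replies together (validate the action, start the session before destroying it, and keep a non-safe action such as logout out of GET), here is an added example that is not code from this thread; it assumes PHP 7+ and the file and action names shown.

```php
<?php
// Added example (not code from this thread) combining the replies above:
// validate the action against a fixed whitelist, start the session before
// destroying it, and keep the state-changing logout out of GET as
// RFC 2616 section 9.1.1 recommends. Needs PHP 7+; the file and action
// names (profile.php, index.php, home, news) are assumed.

session_start();

// Read-only views that may be selected with a GET parameter.
$safeActions = ['home', 'news'];

// Whitelist comparison instead of escaping: an unknown value is rejected
// outright, so htmlentities()/addslashes() add nothing here.
$action = $_GET['action'] ?? 'home';
if (!in_array($action, $safeActions, true)) {
    http_response_code(400);
    exit('Unknown action');
}

// Logout changes server state, so it is only accepted via POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    $_SESSION = [];                        // drop the session data
    if (ini_get('session.use_cookies')) {  // expire the session cookie too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // valid only after session_start()
    header('Location: index.php');
    exit;                                  // nothing runs after the redirect
}
?>
<h2>Links</h2>
<ul>
  <li><a href="profile.php?action=home">Home</a></li>
  <li><a href="profile.php?action=news">News</a></li>
  <li>
    <!-- the logout control is a form, not a GET link -->
    <form method="post" action="profile.php">
      <button type="submit" name="logout" value="1">Logout</button>
    </form>
  </li>
</ul>
```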