Hello Everyone-
I am working on a site where users can create an account, log in, and store various information about their friends and contacts (phone numbers, names, etc). This is a small example. The site stores lots of information and there are currently 50+ php files that I've created to make it all work.
My question is, I've seen some sites that call the same file to do multiple phases of a process. Example. You are directed to addcontact.php to add a contact. It prints out "Step 1 - Enter the contact's name". They click ok. It takes them to addcontact.php AGAIN (using a form POST) and the page says "Step 2 - Enter phone number", etc. etc, until you've reached the "Save" phase.
The way that I always used to code was to actually build different php files for each step. addcontact.php, addcontact_step2.php, addcontact_step3.php, addcontact_addtodatabase.php, etc.
I saw some websites that basically have one php file that "does it all". It knows what step you are on and formats the page accordingly. I am wondering how this is accomplished? (Like what is the best way). I played around with it, and I got it to work, but it just feels like I did it long handed or wrong. I test for isset for some POST variables at the beginning of the PHP file. If I find certain ones, I set a variable named $step to an appropriate value, and then based on that value print out the proper page. I'm using input type=hidden in order to keep posting the information from the previous step(s) to the form, over and over.
Can anyone point me in the right direction here? I do not even know what the thing I am trying to do is called, so my searches have led me nowhere. I'm really wanting to reuse code for adding/editing, and there are a couple of spots where there is a bit of information that is important and relevant to the rest of the page, so I want to take them through a Step 1, Step 2, Save type process ... All using the same php file.
Thanks for any suggestions in advance!!
Proper way to write one PHP file to do many "steps" for mmbr
Re: Proper way to write one PHP file to do many "steps" for mmbr
A useful approach is to use a Front Controller pattern. A front controller is a single entry point to your web application which can determine by the request (i.e. URL and query parameters) which script to include. This can be achieved relatively easily in PHP using some minor help from Apache (module Rewrite). You can then determine the structure of your URLs at leisure (making for prettier URLs). This technique is also known as bootstrapping.
A front controller works nicely with the Model-View-Controller pattern, which helps further to structure and normalize the distribution of logic in your scripts. This is a very broad subject, and you'll do well to google it up a bit (or read on it in past forum threads, which there are plenty of).
Re: Proper way to write one PHP file to do many "steps" for mmbr
pytrin beat me to the bunch on that one. I would like to add, however, that using that technique you need to take steps to ensure that people can't request pages that they aren't supposed to see.
You could also have all of the functionality in one PHP script and just use isset to check which step they're on and use it again at the end to make sure they haven't skipped anything. That's a perfectly acceptable way to do it. I'd avoid hidden fields if I were you though, that's just asking for tampering.
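The single-script approach described in the post above, with the current step and the collected values held in the session rather than in hidden fields. This is an added example, not code from the thread; the step table, the validation patterns and the `addcontact` session key are assumptions.

```php
<?php
// Added example (not code from the thread): addcontact.php as a one-file wizard.
// The step table, patterns and the 'addcontact' session key are assumptions.
const STEPS = [
    1 => ['field' => 'name', 'label' => "Step 1 - Enter the contact's name",
          'pattern' => '/^[\p{L} .\'-]{1,80}$/u'],
    2 => ['field' => 'phone', 'label' => 'Step 2 - Enter phone number',
          'pattern' => '/^\+?[0-9 ()-]{7,20}$/'],
];

// $state is the session-backed wizard state, $post the submitted form.
// Returns the step number to show next, or 'save' once every step has passed.
function advance(array &$state, array $post)
{
    $state += ['step' => 1, 'data' => []];
    $step = $state['step'];          // the server decides the step, not the form
    if (!array_key_exists($step, STEPS)) {
        return 'save';
    }
    $field = STEPS[$step]['field'];
    $value = $post[$field] ?? null;
    // Accept only the current step's field, and only if it validates.
    if (is_string($value) && preg_match(STEPS[$step]['pattern'], trim($value)) === 1) {
        $state['data'][$field] = trim($value);
        $state['step'] = ++$step;
    }
    return array_key_exists($step, STEPS) ? $step : 'save';
}

session_start();
$_SESSION['addcontact'] = $_SESSION['addcontact'] ?? [];
$next = advance($_SESSION['addcontact'], $_POST);

if ($next === 'save') {
    $contact = $_SESSION['addcontact']['data'];   // validated, server-held values
    unset($_SESSION['addcontact']);               // finished wizard state is discarded
    // Insert $contact here for the member id taken from the session.
    echo 'Saved ' . htmlspecialchars($contact['name'], ENT_QUOTES, 'UTF-8');
} else {
    printf(
        '<form method="post"><label>%s <input name="%s"></label> <button>OK</button></form>',
        htmlspecialchars(STEPS[$next]['label'], ENT_QUOTES, 'UTF-8'),
        STEPS[$next]['field']
    );
}
```

A request that posts a later step's field, or an invalid value, simply gets the current step's form again, because nothing in the request can move the step counter.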
Re: Proper way to write one PHP file to do many "steps" for mmbr
You know what, that is exactly what I was looking for! I am one who will read for hours and hours on end before posting in the forums, but on this topic, I simply couldn't come up with the proper "keywords" to even achieve what I was looking for. Now, I have them!
Thank you both very, very much, I really do appreciate the quick response. I've been trying to figure out the search term for over two hours now!
On to reading!
Cheers!
Re: Proper way to write one PHP file to do many "steps" for mmbr
Randwulf wrote:
> pytrin beat me to the bunch on that one. I would like to add, however, that using that technique you need to take steps to ensure that people can't request pages that they aren't supposed to see.
> You could also have all of the functionality in one PHP script and just use isset to check which step they're on and use it again at the end to make sure they haven't skipped anything. That's a perfectly acceptable way to do it. I'd avoid hidden fields if I were you though, that's just asking for tampering.

I am curious, since I do have many, many pages right now that are using this method and it is going to take me quite a while to get my head wrapped around what I am going to update, and how.
For my reference, I would like to know about the tampering aspect a little bit more with hidden fields. Here is what I have done on my pages, I'm curious if you could let me know if you think my methods are "safe".
Visitor logs into site - [short version] Session is created, user's member id is stored. Each user also has a random id which is generated using MD5 on their login (big long string of gobbly gook). Tables in the database are linked. For example, I have a contact table, and one of the fields is the member_id, which is related to the members table.
Go to the edit contact page. It is the same page as create contact, with the "Step" process I referred to. So, if you are editing a contact, information is stored in hidden fields. The contact id, the email address of your contact, and the name (so I can print it as input value= ...)
Now on all of my pages, when I interact with the database, I always interact with more than just the member id. For instance, when I am pulling the contact's information from the table, I will check for contacts whose contact id matches, as well as the member id matches. I did this hoping that I could basically prevent someone from going through and selecting every contact id and updating it. The script makes sure that the contact id that was passed via POST/GET or HIDDEN belongs to the member who is requesting the change. If it doesn't, the page generates an error and kindly tells them to go back!
On pages where I modify account information for a member, such as they changed their mailing address for their account, the member ID will be pulled from the session, and I also use their random identification code (the MD5 random character thing) when passing back to the script with the "connect to and modify information" part. A select statement is prepared such as - select whatever from wherever where member_id = $session_member_id and random_id = '$randomidentificationcode'. I figured that if I always am using the member session id variable, as well as the random 30 character code, no one will be able to just come and simply "guess" a random code + member id pair and get it right.
Am I missing anything here? I have read my butt off and really want to make sure that each step of every process of every page is protected from someone who may want to hack, or simply delete or mangle data.
Thanks for the time!!! It's well appreciated!
Re: Proper way to write one PHP file to do many "steps" for mmbr
Bear in mind that those are completely separate concerns - filtering and validating user input, and dispatching requests to the right script. I'd suggest you'd tackle them one at a time and open separate threads on them, there are plenty of people here that will skip this thread but will take a look at a security oriented thread for instance.
About security - never trust user input. It doesn't matter if you stored the previous page of a form in a session or in hidden inputs - that information came from the user, and should be filtered and validated to prevent malicious or improper use of your application. PHP has a diverse set of filtering functions and you can set up custom validation to fit your application needs (for example, validating Email addresses and so forth).
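The two points raised in this exchange, filtering submitted values with PHP's filter functions and checking that a contact id belongs to the logged-in member, combined in one added example that is not code from the thread. The `contacts` table, its columns and the sample rows are constructed for illustration, and the `pdo_sqlite` extension is assumed so the script runs without a database server.

```php
<?php
// Added example (not code from the thread). Table and column names are
// assumptions; the rows inserted below are constructed sample data.

// Returns true only if the input is valid AND the contact belongs to $memberId.
function updateContactEmail(PDO $db, int $memberId, array $post): bool
{
    $contactId = filter_var($post['contact_id'] ?? null, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
    $email = filter_var($post['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($contactId === false || $email === false) {
        return false;                    // malformed input never reaches the query
    }
    // Placeholders keep submitted data out of the SQL text. member_id is the
    // session value passed in by the caller, never a form or hidden field.
    $stmt = $db->prepare(
        'UPDATE contacts SET email = :email
          WHERE contact_id = :cid AND member_id = :mid'
    );
    $stmt->execute([':email' => $email, ':cid' => $contactId, ':mid' => $memberId]);
    return $stmt->rowCount() === 1;      // no row matched: not this member's contact
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (contact_id INTEGER PRIMARY KEY, member_id INTEGER, email TEXT)');
$db->exec("INSERT INTO contacts VALUES (1, 10, 'a@example.com'), (2, 20, 'b@example.com')");

$sessionMemberId = 10;                   // stands in for $_SESSION['member_id']

// The member's own contact, with a valid address.
var_dump(updateContactEmail($db, $sessionMemberId, ['contact_id' => '1', 'email' => 'new@example.com']));
// A contact id that belongs to member 20.
var_dump(updateContactEmail($db, $sessionMemberId, ['contact_id' => '2', 'email' => 'x@example.com']));
// A contact id that is not an integer.
var_dump(updateContactEmail($db, $sessionMemberId, ['contact_id' => 'not-a-number', 'email' => 'x@example.com']));
```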
Re: Proper way to write one PHP file to do many "steps" for mmbr
pytrin wrote:
> Bear in mind that those are completely separate concerns - filtering and validating user input, and dispatching requests to the right script. I'd suggest you'd tackle them one at a time and open separate threads on them, there are plenty of people here that will skip this thread but will take a look at a security oriented thread for instance.
> About security - never trust user input. It doesn't matter if you stored the previous page of a form in a session or in hidden inputs - that information came from the user, and should be filtered and validated to prevent malicious or improper use of your application. PHP has a diverse set of filtering functions and you can set up custom validation to fit your application needs (for example, validating Email addresses and so forth).

This rocks! Thanks so much for the responses! By day I write C# Applications, by night, PHP, lol. I got started on a project for a friend that was just our pet project. We started building a site and as we built it, the idea behind it became bigger and bigger. It's at a point now where there are over 50 files and it's just getting humongous! I basically created a template, then for each new page copy and pasted that template. It became a royal pain to change simple things across all of the pages, so I'm sitting down thinking, there's got to be a better way. This is unbelievably cool, I've learned more tonight in a couple of hours and a handful of Grey Goose martinis than I have in months on end!
Again, thanks for the input, it's back to reading and figuring this all out so that when I rework it, I do it in such a manner that if some other PHP coder looked at it s/he wouldn't want to slap me in the face!