$_POST Security?

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.


tomisina
Forum Newbie
Posts: 9
Joined: Tue Aug 15, 2006 9:53 pm


Post by tomisina »

Hi, I'm building a digg-like forum where people rate comments, and I'm wondering what's the best way for people viewing the page to vote up or down? Say there's an image for up and one for down... should I just handle someone clicking on the image by assigning a name to the input and processing the $_POST? I've heard $_POST is actually no more secure than $_GET. That sorta leads me to another question I have... is there any easy way to assign a PHP function to a button and have it execute on click?

Any thoughts will be helpful.
Thanks,
Tommy
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Well, the first question is a little bit foggy, but if I'm right, it's the same as the second one. Anyways, yes, it is possible.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

$_POST has a few advantages over $_GET:
  • You can't POST with a URL alone
  • You can POST far more data than possible with GET.
That being said, bad code will allow bad submission, POST or GET, no matter what. Provided you validate and verify always, you're in a better place than one who doesn't.

For your particular end goal, it doesn't seem either method is "bad." You may want to consider an Ajax'd submission (as an unobtrusive upgrade) so that in browsers with JavaScript and XML transport support, you can perform the vote in that fashion.
tomisina wrote: is there any easy way to assign a php function to a button and have it execute on click?
There is no direct way. It requires a submission to the server in some fashion, be it basic link (GET), form (POST) or Ajax.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

feyd wrote:
tomisina wrote: is there any easy way to assign a php function to a button and have it execute on click?
There is no direct way. It requires a submission to the server in some fashion, be it basic link (GET), form (POST) or Ajax.
I'm not sure, but I don't think she meant like in JavaScript (onClick), not sure though.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Oren wrote: I'm not sure, but I don't think she meant like in JavaScript (onClick), not sure though.
The answer would be the same if it were an anchor, an image or Bishop Tutu.
tomisina
Forum Newbie
Posts: 9
Joined: Tue Aug 15, 2006 9:53 pm

Post by tomisina »

feyd | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Ok, so based upon what you said about POST I've written the following code. It gets the job done, but the only thing is the value that is being passed from page to page is the value that is displayed within the submit button... any idea how I can get around that?

Code:

// in the header
// isset() avoids an undefined-index notice when neither button was pressed
if (isset($_POST['up'])) {
	bumpSuggestion(sanitize_int($_POST['up']), 1);
} elseif (isset($_POST['down'])) {
	bumpSuggestion(sanitize_int($_POST['down']), -1);
}

Code:

<?php foreach ($suggestions as $key => $value) { ?>
	<form action="index.php?page=<?php echo htmlspecialchars($page); ?>" method="post">
	<div class="sugg">
		<div class="top">
			<div class="title">
				<?php // user-supplied text is escaped before it is echoed into HTML ?>
				<?php echo htmlspecialchars($value['title']); ?>
			</div>
			<div class="date">
				<?php echo formatDate($value['created_on']); ?>
			</div>
		</div>
		<div class="bottom">
			<div align="center" class="ranking">
				<?php echo '<input type="submit" value="' . (int) $value['id'] . '" name="up"/>'; ?>
				<!-- ^^ HERE ^^ -->
				<div class="element">
				<?php echo (int) $value['rating']; ?>
				</div>
				<?php echo '<input type="submit" value="' . (int) $value['id'] . '" name="down"/>'; ?>
				<!-- ^^ and HERE ^^ -->
			</div>
			<div class="body">
				<p>
				<?php echo htmlspecialchars($value['body']); ?>
				</p>
			</div>
		</div>
		<?php if (isset($_SESSION['admin']) && $_SESSION['admin'] == 1) { ?>
		<div class="admin">
		</div>
		<?php } ?>
	</div>
	</form>
<?php } // closes the foreach ?>
You guys are being really helpful... is there an ad I can click on to help you?
-tommy


feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

tomisina wrote: any idea how i can get around that?
I don't quite understand. What's wrong with the submit buttons?
tomisina wrote: is there an ad i can click on to help you?
We don't have ads. :)
tomisina
Forum Newbie
Posts: 9
Joined: Tue Aug 15, 2006 9:53 pm

Post by tomisina »

The submit buttons function exactly as I would like them to, but they display the value that they are passing... I wish the first button displayed something like ++ and the second button displayed something like --... so the user wouldn't see the suggestion id that is being worked with... I think this can be done with a hidden input with the suggestion id as a value and a different submit button with the ++ or -- value, but that requires a separate form for each suggestion instead of the all-encompassing one....
Once again, thanks.
-t
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You've written the page such that there are multiple forms. You could name the buttons differently with their values being the "++" and "--" you've expressed. For instance, if you named them "up[$id]" and "down[$id]" respectively, the submission will have an array in it, either up or down, where the key is the id to change, and the value will be the "++" or "--" that they pressed.
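A handler for the up[$id] / down[$id] button naming feyd describes, written as an added example (not code from the thread) that also applies the "validate and verify always" point from his first reply: the suggestion id is taken from the array key and checked as a positive integer, and a per-session token carried in a hidden input lets the server reject a POST that did not come from its own form, since a POST is no harder to forge than a GET. It assumes PHP 7.3+, that session_start() has already run, and that tomisina's bumpSuggestion($id, $delta) exists.

```php
<?php
// Added example. Assumes session_start() has run and bumpSuggestion() exists.
// One random token per session; the form echoes it back in a hidden input so
// that a POST not produced by this site's own form can be rejected.
function voteToken(): string {
    if (empty($_SESSION['vote_token'])) {
        $_SESSION['vote_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['vote_token'];
}
// Returns [$id, $delta] for a valid submission, or null if anything is off.
// With buttons named up[$id] / down[$id], PHP delivers $_POST['up'] or
// $_POST['down'] as a one-element array whose key is the id.
function parseVote(array $post, string $token): ?array {
    if (!is_string($post['token'] ?? null) || !hash_equals($token, $post['token'])) {
        return null;                              // missing or wrong token
    }
    foreach (['up' => 1, 'down' => -1] as $name => $delta) {
        if (!isset($post[$name]) || !is_array($post[$name])) {
            continue;
        }
        if (count($post[$name]) !== 1) {
            return null;                          // tampered: several ids at once
        }
        $id = array_key_first($post[$name]);
        // Accept only a positive integer id; never trust the key as-is.
        if (filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
            return null;
        }
        return [(int) $id, $delta];
    }
    return null;                                  // neither button was pressed
}
// Header glue: $_POST reaches bumpSuggestion() only through parseVote().
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $vote = parseVote($_POST, voteToken());
    if ($vote !== null) {
        bumpSuggestion($vote[0], $vote[1]);
    }
}
// Per-suggestion form: the id rides in the button name, the user sees ++ / --.
function voteForm(int $id): string {
    $t = htmlspecialchars(voteToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
         . '<input type="hidden" name="token" value="' . $t . '"/>'
         . '<input type="submit" name="up[' . $id . ']" value="++"/>'
         . '<input type="submit" name="down[' . $id . ']" value="--"/>'
         . '</form>';
}
```

Only the button that was clicked is sent by the browser, so parseVote() sees exactly one of up or down per request, and a submission with more than one id in it is treated as tampered rather than processed.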