$_POST Security?
Posted: Sat Aug 19, 2006 2:46 pm
by tomisina
Hi, I'm building a Digg-like forum where people rate comments, and I'm wondering what's the best way for people viewing the page to vote up or down? Say there's an image for up and one for down... should I just handle someone clicking on the image by assigning a name to the input and processing the $_POST? I've heard $_POST is actually no more secure than $_GET. That sorta leads me to another question I have... is there any easy way to assign a PHP function to a button and have it execute on click?
Any thoughts will be helpful.
Thanks,
Tommy
Posted: Sat Aug 19, 2006 2:53 pm
by Oren
Well, the first question is a little bit foggy, but if I'm right, it's the same as the second one. Anyways, yes, it is possible.
Posted: Sat Aug 19, 2006 2:59 pm
by feyd
$_POST has a few advantages over $_GET:
- You can't POST with a URL alone
- You can POST far more data than possible with GET.
That being said, bad code will allow bad submission, POST or GET, no matter what. Provided you validate and verify always, you're in a better place than one who doesn't.
For your particular end goal, it doesn't seem either method is "bad." You may want to consider an Ajax'd submission (as an unobtrusive upgrade) so that in browsers with Javascript and XML transport support, you can perform the vote in that fashion.
tomisina wrote:is there any easy way to assign a php function to a button and have it execute on click?
There is no direct way. It requires a submission to the server in some fashion, be it basic link (GET), form (POST) or Ajax.
Posted: Sat Aug 19, 2006 3:37 pm
by Oren
feyd wrote:tomisina wrote:is there any easy way to assign a php function to a button and have it execute on click?
There is no direct way. It requires a submission to the server in some fashion, be it basic link (GET), form (POST) or Ajax.
I'm not sure, but I don't think she meant like in JavaScript (onClick), not sure though.
Posted: Sat Aug 19, 2006 3:41 pm
by feyd
Oren wrote:I'm not sure, but I don't think she meant like in JavaScript (onClick), not sure though.
The answer would be the same if it were an anchor, an image or Bishop Tutu.
Posted: Sat Aug 19, 2006 5:39 pm
by tomisina
feyd: Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
OK, so based on what you said about POST I've written the following code. It gets the job done, but the only thing is the value that is being passed from page to page is the value that is displayed within the submit button... any idea how I can get around that?
```php
<?php
// In the header. bumpSuggestion() and sanitize_int() are the poster's own
// helpers and are not shown in the thread.
// isset() avoids an undefined-index notice when no vote button was pressed.
if (isset($_POST['up'])) {
    bumpSuggestion(sanitize_int($_POST['up']), 1);
} elseif (isset($_POST['down'])) {
    bumpSuggestion(sanitize_int($_POST['down']), -1);
}
```
```php
<?php // Dynamic values are HTML-escaped on output; the original echoed them raw.
foreach ($suggestions as $key => $value) { ?>
<form action="index.php?page=<?php echo htmlspecialchars($page, ENT_QUOTES); ?>" method="post">
<div class="sugg">
<div class="top">
<div class="title">
<?php echo htmlspecialchars($value['title'], ENT_QUOTES); ?>
</div>
<div class="date">
<?php echo formatDate($value['created_on']); ?>
</div>
</div>
<div class="bottom">
<div align="center" class="ranking">
<?php echo '<input type="submit" value="' . (int) $value['id'] . '" name="up"/>'; ?>
<!-- ^^ HERE ^^ -->
<div class="element">
<?php echo (int) $value['rating']; ?>
</div>
<?php echo '<input type="submit" value="' . (int) $value['id'] . '" name="down"/>'; ?>
<!-- ^^ and HERE ^^ -->
</div>
<div class="body">
<p>
<?php echo htmlspecialchars($value['body'], ENT_QUOTES); ?>
</p>
</div>
</div>
<?php if (isset($_SESSION['admin']) && $_SESSION['admin'] == 1) { ?>
<div class="admin">
</div>
<?php } ?>
</div>
</form>
<?php } // closes the foreach, which the original left open ?>
```
You guys are being really helpful... is there an ad I can click on to help you?
-tommy
Posted: Sat Aug 19, 2006 6:34 pm
by feyd
tomisina wrote:any idea how i can get around that?
I don't quite understand. What's wrong with the submit buttons?
tomisina wrote:is there an ad i can click on to help you?
We don't have ads.

Posted: Sat Aug 19, 2006 6:50 pm
by tomisina
The submit buttons function exactly as I would like them to, but they display the value that they are passing... I wish the first button displayed something like ++ and the second button displayed something like --... so the user wouldn't see the suggestion id that is being worked with... I think this can be done with a hidden input with the suggestion id as a value and a different submit button with the ++ or -- value, but that requires a separate form for each suggestion instead of the all-encompassing one....
once again thanks.
-t
Posted: Sat Aug 19, 2006 7:15 pm
by feyd
You've written the page such that there are multiple forms. You could name the buttons differently with their values being the "++" and "--" you've expressed. For instance, if you named them "up[$id]" and "down[$id]" respectively, the submission will have an array in it, either up or down, where the key is the id to change, and the value will be the "++" or "--" that they pressed.
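Added example, not code from the thread or from any of its posters. It puts feyd's `up[$id]` / `down[$id]` button naming together with the "validate and verify always" advice from earlier in the thread: the suggestion id travels in the input's name, so the visible button label can be "++" or "--" as tomisina wanted, and the handler treats every key and value in the POST body as untrusted. It also adds a per-session anti-CSRF token, because a POST can be forged from another site with an auto-submitting form, so "you can't POST with a URL alone" does not by itself prove the logged-in user pressed your button. Assumptions: PHP 7.4 or later; `bumpSuggestion()` from the original post is the persistence call (not defined here); the token would live in `$_SESSION` in the real app but is passed in so the script runs from the command line; all requests below are constructed, not captured.

```php
<?php
// Added example (not code from the thread). Implements feyd's up[$id]/down[$id]
// button naming plus input validation and an anti-CSRF token.
// Assumed: PHP 7.4+; bumpSuggestion() from the original post is the
// persistence call and is not defined here.
declare(strict_types=1);

/**
 * Extract exactly one vote from a POST body.
 * Returns ['id' => int, 'delta' => 1|-1], or null if nothing valid was sent.
 * Every key and value in $post is attacker-controlled, so the id is checked
 * before use and a request carrying both up and down is rejected.
 */
function parse_vote(array $post): ?array
{
    $votes = [];
    foreach (['up' => 1, 'down' => -1] as $field => $delta) {
        if (!isset($post[$field])) {
            continue;
        }
        // up[<id>] arrives as an array with one entry; anything else is not a button press.
        if (!is_array($post[$field]) || count($post[$field]) !== 1) {
            return null;
        }
        $id = array_key_first($post[$field]);
        // PHP turns "42" keys into int 42; other strings stay strings. Accept only digits.
        if (!is_int($id) && !ctype_digit((string) $id)) {
            return null;
        }
        $id = (int) $id;
        if ($id < 1) {
            return null;
        }
        $votes[] = ['id' => $id, 'delta' => $delta];
    }
    return count($votes) === 1 ? $votes[0] : null;
}

/**
 * Anti-CSRF check. A POST can be forged from another site with an
 * auto-submitting form, so the method alone does not prove the user pressed
 * your button; a per-session secret in a hidden field does. The token is
 * passed in (assumption: the app keeps it in $_SESSION) so this runs in CLI.
 */
function csrf_token_valid(array $post, string $sessionToken): bool
{
    return isset($post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($sessionToken, $post['csrf']);
}

/** Render one suggestion's vote form; every dynamic value is HTML-escaped. */
function render_vote_form(int $id, int $rating, string $title, string $token): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php">'
        . '<input type="hidden" name="csrf" value="' . $e($token) . '"/>'
        . '<div class="title">' . $e($title) . '</div>'
        // The id is in the name; the visible label is just "++" / "--".
        . '<input type="submit" name="up[' . $id . ']" value="++"/>'
        . '<span class="rating">' . $rating . '</span>'
        . '<input type="submit" name="down[' . $id . ']" value="--"/>'
        . '</form>';
}

/**
 * What the header code should do for one request. Returns a description
 * instead of hitting the database so the flow can be exercised offline.
 */
function handle_vote(array $post, string $sessionToken): string
{
    if (!csrf_token_valid($post, $sessionToken)) {
        return 'rejected: bad or missing CSRF token';
    }
    $vote = parse_vote($post);
    if ($vote === null) {
        return 'rejected: no valid vote in request';
    }
    // Real app: bumpSuggestion($vote['id'], $vote['delta']);
    return sprintf('bumpSuggestion(%d, %+d)', $vote['id'], $vote['delta']);
}

// Constructed sample requests (not captured traffic) to exercise the handler.
$token = bin2hex(random_bytes(16)); // in the app this lives in $_SESSION['csrf']
$requests = [
    'legit up-vote'   => ['csrf' => $token, 'up' => [42 => '++']],
    'legit down-vote' => ['csrf' => $token, 'down' => ['7' => '--']],
    'missing token'   => ['up' => [42 => '++']],
    'both buttons'    => ['csrf' => $token, 'up' => [1 => '++'], 'down' => [1 => '--']],
    'non-numeric id'  => ['csrf' => $token, 'up' => ['42 OR 1=1' => '++']],
    'flat old button' => ['csrf' => $token, 'up' => '42'],
];
foreach ($requests as $label => $post) {
    printf("%-16s -> %s\n", $label, handle_vote($post, $token));
}
echo render_vote_form(42, 3, 'Add <b>dark</b> mode', $token), "\n";
```

To wire this into the page, generate the token once per session (`$_SESSION['csrf'] = bin2hex(random_bytes(16))` on login), replace the sample loop with a check of `$_SERVER['REQUEST_METHOD'] === 'POST'` that passes `$_POST` and `$_SESSION['csrf']` to `handle_vote()`, and call `bumpSuggestion()` where the `sprintf` is. The same validation applies unchanged if the vote is later sent via Ajax, since the server still sees a POST body it must not trust.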