quandry using GET

  • swpulitzer@yahoo.com

    quandry using GET

    I have a page that lists a bunch of objects, stored in a database, to
    the user. After each object I'd like to do something like:

    object1 [edit] [delete]
    object2 [edit] [delete]

    and so on, where "edit" and "delete" are links. Right now, each link
    uses GET to pass the object ID to the script that will deal with it.
    For example, the urls for the first object links are something like:

    edit: http://www.host.com/edit.php?obj=object1
    delete: http://www.host.com/delete.php?obj=object1

    and similar for the second...you get the idea. This works alright for
    the edit option, since it's okay (even advantageous) for a user to
    bookmark it. However, it's problematic for the delete option. If a user
    bookmarks it, and then tries to visit the site later, they might
    unintentionally delete something. I can't use POST since this doesn't
    lend itself to a form. I know I could throw some javascript in there to
    handle it, but I'm trying to avoid javascript as much as possible.

    Does anyone know a better way to do this? Thanks.

  • Mara Guida

    #2
    Re: quandry using GET

    swpulitzer@yahoo.com wrote:
    > [...] each link
    > uses GET to pass the object ID to the script that will deal with it.
    > For example[...]:
    >
    > edit: http://www.host.com/edit.php?obj=object1
    > delete: http://www.host.com/delete.php?obj=object1
    >
    > [...] This works alright for
    > the edit option, since it's okay (even advantageous) for a user to
    > bookmark it. However, it's problematic for the delete option. If a user
    > bookmarks it, and then tries to visit the site later, they might
    > unintentionally delete something. I can't use POST since this doesn't
    > lend itself to a form. I know I could throw some javascript in there to
    > handle it, but I'm trying to avoid javascript as much as possible.
    >
    > Does anyone know a better way to do this? Thanks.

    Can you make delete.php display the object and confirm (with a button)
    the deletion?


    • Robin

      #3
      Re: quandry using GET

      swpulitzer@yahoo.com wrote:
      > I have a page that lists a bunch of objects, stored in a database, to
      > the user. After each object I'd like to do something like:
      >
      > object1 [edit] [delete]
      > object2 [edit] [delete]
      >
      > and so on, where "edit" and "delete" are links. Right now, each link
      > uses GET to pass the object ID to the script that will deal with it.
      > For example, the urls for the first object links are something like:
      >
      > edit: http://www.host.com/edit.php?obj=object1
      > delete: http://www.host.com/delete.php?obj=object1
      >
      > and similar for the second...you get the idea. This works alright for
      > the edit option, since it's okay (even advantageous) for a user to
      > bookmark it. However, it's problematic for the delete option. If a user
      > bookmarks it, and then tries to visit the site later, they might
      > unintentionally delete something. I can't use POST since this doesn't
      > lend itself to a form. I know I could throw some javascript in there to
      > handle it, but I'm trying to avoid javascript as much as possible.
      >
      > Does anyone know a better way to do this? Thanks.

      You can use POST, so with a form:
      <form name="myform" action="action.php" method="POST">

      Have two hidden fields:
      <input type="hidden" name="act" value="" />
      <input type="hidden" name="obj" value="" />

      The delete link can then be:
      <a href="#" onclick="document.myform.act.value='delete';
      document.myform.obj.value='object1'; document.myform.submit(); return
      false">Delete</a>

      Similarly, the edit link can be:
      <a href="#" onclick="document.myform.act.value='edit';
      document.myform.obj.value='object1'; document.myform.submit(); return
      false">Edit</a>

      You then only need one PHP page to handle edit and delete which just
      checks $_POST['act'].

      I'll actually suggest putting all this javascript in a function (e.g.
      doact(act,obj) which returns false) so the link can just be:
      <a href="#" onclick="return doact('delete', 'object1');">Delete</a>

      HTH
      Robin


      • Peter Fox

        #4
        Re: quandry using GET

        Following on from swpulitzer@yahoo.com's message. . .
        >I have a page that lists a bunch of objects, stored in a database, to
        >the user. After each object I'd like to do something like:
        >
        > object1 [edit] [delete]
        > object2 [edit] [delete]
        >
        >and so on, where "edit" and "delete" are links. Right now, each link
        >uses GET to pass the object ID to the script that will deal with it.
        >For example, the urls for the first object links are something like:
        >
        > edit: http://www.host.com/edit.php?obj=object1
        > delete: http://www.host.com/delete.php?obj=object1
        >
        >and similar for the second...you get the idea. This works alright for
        >the edit option, since it's okay (even advantageous) for a user to
        >bookmark it. However, it's problematic for the delete option. If a user
        >bookmarks it, and then tries to visit the site later, they might
        >unintentionally delete something. I can't use POST since this doesn't
        >lend itself to a form. I know I could throw some javascript in there to
        >handle it, but I'm trying to avoid javascript as much as possible.
        >
        >Does anyone know a better way to do this? Thanks.
        So what? If they really _bookmark_ a delete link who cares - what's
        going to explode? Obviously delete.php checks lots of things before
        doing anything *because it has to trap lots of other abuse anyway*.

        ONE of these tests might be to check you've just come from a page where
        deleting is 'on the menu'.


        # ---------------------------------------------------------------------
        function CheckComeFrom($PossibleWaysToGetHere,$Destination='pp000.php'){
        # This is a security function which chucks the user out
        # if the referring page is not one of those supplied in the list
        # Returns TRUE if all is OK
        #
        # Put near the top of a script in a not-if {exit;}
        # (The actual jump to the destination will be done in this script but
        # the exit is to tidy up any stack of script execution.)
        #
        # eg if(!CheckComeFrom('foo.php')){exit;}
        #
        # Multiple come-froms can be specified by splitting names with a + sign
        # eg 'foo.php+bar.php+fox.php'
        #
        # Destination can be overridden. Suppose you want the remote address
        # put onto a blacklist you could send them to putonblacklist.php
        #
        # This uses $_SERVER['HTTP_REFERER'] which the documentation notes
        # may not be completely trustworthy.
        # ---------------------------------------------------------------------
            $cfrom = CameFrom();
            $m = '';
            if(!$cfrom){
                $m='Not referred from anywhere';
                $comefrom=$Destination;
            }else{
                $pw = strtolower('+'.$PossibleWaysToGetHere.'+');
                $hit = strpos($pw,'+'.$cfrom.'+');
                $rv = (!($hit===FALSE));
                if(!$rv){
                    // test for reloading page etc which is always allowed
                    $rv=($cfrom==strtolower(basename($_SERVER['PHP_SELF'])));
                }
                // The referer is client-supplied: escape it before it goes into the HTML message
                if(!$rv){$m="From:".htmlspecialchars($cfrom);}
            }

            if($m){
                $m .= "<br>Allowed:$PossibleWaysToGetHere";
                MSG('CheckComeFrom failed','',$m,$cfrom); // Standard error message screen
                exit;
            }
            return $rv;
        }


        # ---------------------------------------------------------------------
        function CameFrom(){
        # Return the calling page without any base bits or argument bits
        # Return '' if no referring page found
        # ---------------------------------------------------------------------
            if(!isset($_SERVER['HTTP_REFERER'])){
                $rv='';
            }else{
                $comefromfull = basename(strtolower($_SERVER['HTTP_REFERER']));
                $comefrom = explode('?',$comefromfull); // drop any ?foo=bar bits
                $rv = $comefrom[0];
            }
            return $rv;
        }


        --
        PETER FOX Not the same since the bookshop idea was shelved
        peterfox@eminent.demon.co.uk.not.this.bit.no.html
        2 Tees Close, Witham, Essex.
        Gravity beer in Essex <http://www.eminent.demon.co.uk>
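
Added example, not part of any post in this thread: one way to combine the confirmation page suggested in #2 with the "came from a page where deleting is on the menu" test from #4, without relying on the client-supplied Referer header. GET only renders a confirmation form, and the deletion happens on POST with a single-use token held in the session. handle_delete(), the in-memory $objects array and the status strings are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. handle_delete() and the in-memory
// $objects array are hypothetical stand-ins for delete.php and the database.
function handle_delete(string $method, array $get, array $post,
                       array &$session, array &$objects): string
{
    if ($method === 'GET') {
        // A bookmarked delete.php?obj=... only gets a confirmation form.
        $id = is_string($get['obj'] ?? null) ? $get['obj'] : '';
        if (!array_key_exists($id, $objects)) {
            return '404 no such object';
        }
        $token = bin2hex(random_bytes(16));      // unpredictable value
        $session['delete_token'][$id] = $token;  // kept server-side
        $safe = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
        return '<form method="post" action="delete.php">'
             . "Delete $safe? "
             . "<input type=\"hidden\" name=\"obj\" value=\"$safe\">"
             . "<input type=\"hidden\" name=\"token\" value=\"$token\">"
             . '<button type="submit">Confirm delete</button></form>';
    }
    if ($method !== 'POST') {
        return '405 method not allowed';
    }
    $id   = is_string($post['obj'] ?? null) ? $post['obj'] : '';
    $sent = is_string($post['token'] ?? null) ? $post['token'] : '';
    $expected = $session['delete_token'][$id] ?? '';
    unset($session['delete_token'][$id]);         // single use
    // The token ties the POST to a confirmation form this session was shown.
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return '403 missing or wrong token';
    }
    if (!array_key_exists($id, $objects)) {
        return '404 no such object';
    }
    unset($objects[$id]);
    return "200 deleted $id";
}

// Constructed walk-through; run with the PHP CLI.
$objects = ['object1' => 'first', 'object2' => 'second'];
$session = [];
handle_delete('GET', ['obj' => 'object1'], [], $session, $objects);
echo 'objects after GET: ', implode(',', array_keys($objects)), "\n";
echo handle_delete('POST', [], ['obj' => 'object1'], $session, $objects), "\n";
handle_delete('GET', ['obj' => 'object1'], [], $session, $objects);
$post = ['obj' => 'object1', 'token' => $session['delete_token']['object1']];
echo handle_delete('POST', [], $post, $session, $objects), "\n";
echo handle_delete('POST', [], $post, $session, $objects), "\n"; // replayed token
```

In a real delete.php the same function would be called after session_start() with $_SERVER['REQUEST_METHOD'], $_GET, $_POST and $_SESSION in place of the constructed arrays.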


        • Oli Filth

          #5
          Re: quandry using GET

          swpulitzer@yahoo.com wrote:
          > I have a page that lists a bunch of objects, stored in a database, to
          > the user. After each object I'd like to do something like:
          >
          > object1 [edit] [delete]
          > object2 [edit] [delete]
          >
          > and so on, where "edit" and "delete" are links. Right now, each link
          > uses GET to pass the object ID to the script that will deal with it.
          > For example, the urls for the first object links are something like:
          >
          > edit: http://www.host.com/edit.php?obj=object1
          > delete: http://www.host.com/delete.php?obj=object1
          >
          > and similar for the second...you get the idea. This works alright for
          > the edit option, since it's okay (even advantageous) for a user to
          > bookmark it. However, it's problematic for the delete option. If a user
          > bookmarks it, and then tries to visit the site later, they might
          > unintentionally delete something.

          If you don't re-use ID values, then as long as delete.php doesn't format
          your hard-drive when asked to delete a non-existent ID value, you're OK,
          surely?


          --
          Oli


          • swpulitzer@yahoo.com

            #6
            Re: quandry using GET

            Thanks for all your input, guys. To answer Oli and Peter's questions,
            you're right. Normally there wouldn't be a problem. I am reusing ID
            values, though, so there is the possibility that something could get
            accidentally deleted. The input has given me an idea for an approach.
            Thanks.
