On 5/13/2010 4:41 AM, silly sad wrote:
>
>>> First you count(*) the rows and select a requested page
>>> returning to a client the count result bundled "with a page of rows"
>>>
>>> (1) client renders the acquired rows
>>> (2) __memorize__ what part of the data he just got
>>> (3) and stores the count result to calculate "the pager div"
>>>
>>> all the subsequent clicks on "the pager div" should not immediately
>>> generate requests and decide if the request is needed.
>>
>> Yes, rendering the results through ajax is a good idea, but one has to
>> be careful not to expose one's LIMIT and OFFSET to the client, but only
>> the "page" number. Or else the client could query the whole data set. A
>> lot of "professional" web sites have that hole.
>>
>
> this is not a hole, it is only a matter of aesthetic
>

Silly Sad is right: this is not a hole but a matter of aesthetics. To keep the code simple and limit the amount of things that have to be tracked with client session on the server, I pass the limit and offset to the client, normally in a URL/link. This also solves the problem of the user's session expiring: the information is lost, meaning the user has to restart. Very annoying.
So the URLs look something like this: www.mywebsit.com/index.php?module=getthedata&limit=10&offset=30&orderby=5

On the server, set these three values to integer to block SQL injection. I really don't care if the user sends a command to get all 10,000 records. If you block that, all that has been accomplished is slowing down data harvesting and eating up even more resources, as the client/user will send ever more GETs to harvest data. Nothing has been accomplished. To keep the casual onlooker from screwing with the URL, encode it in base64. It keeps honest people honest, but the hackers will pull that apart in a second.

--
Sent via pgsql-sql mailing list (pgsql-sql@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-sql
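The integer coercion the post describes, worked through as an added example (not code from the thread or from the poster's site): `limit`, `offset` and `orderby` are pulled from a URL of the shape shown above, rejected unless they are plain non-negative integers, and then `limit`/`offset` are passed as bound parameters while `orderby` is range-checked and inlined as a column ordinal (a bound `ORDER BY ?` would sort by a constant, not a column). The `items` table, its three columns and the `MAX_LIMIT` cap are assumptions made for the demonstration, and sqlite3 stands in for PostgreSQL.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Assumed for this example: the table a "getthedata" module pages through.
COLUMNS = ("id", "name", "price")
MAX_LIMIT = 100  # assumed server-side cap on rows per request (the post caps nothing)

def parse_paging(url):
    """Extract limit/offset/orderby from the query string and coerce each to int.

    Anything that is not an ASCII digit string is rejected, so the values can
    never carry SQL text. Returns (limit, offset, orderby) or raises ValueError.
    """
    qs = parse_qs(urlsplit(url).query)
    values = {}
    for key in ("limit", "offset", "orderby"):
        raw = qs.get(key, [None])[0]
        # isascii() + isdigit(): digits only; no sign, spaces, or Unicode digits
        if raw is None or not (raw.isascii() and raw.isdigit()):
            raise ValueError(f"{key} must be a non-negative integer")
        values[key] = int(raw)
    # Cap rather than reject an oversized limit, in the spirit of the post.
    limit = min(values["limit"], MAX_LIMIT)
    # ORDER BY <ordinal> must refer to a real result column.
    if not 1 <= values["orderby"] <= len(COLUMNS):
        raise ValueError("orderby out of range")
    return limit, values["offset"], values["orderby"]

def get_page(conn, url):
    """Return one page of rows for the given request URL."""
    limit, offset, orderby = parse_paging(url)
    # limit/offset are bound parameters; orderby is a validated int inlined as
    # a column ordinal, which is safe only because it has been range-checked.
    sql = f"SELECT id, name, price FROM items ORDER BY {orderby} LIMIT ? OFFSET ?"
    return conn.execute(sql, (limit, offset)).fetchall()

def demo_conn():
    """Constructed sample data: 50 items, price descending as id ascends."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(i, f"item{i}", float(50 - i)) for i in range(1, 51)])
    return conn
```

With the post's own values (`limit=10&offset=30`) this returns rows 31 through 40; a request for 10,000 rows is silently capped at `MAX_LIMIT`, and a non-integer `limit`, a negative `offset`, or an `orderby` beyond the column count is refused before any SQL is built.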