[PHP] Using require instead of redirect architecture

2007-12-19 Thread Robert Erbaron 
Maybe I'm too old a dog to teach a new trick to.

I've got the redirect example discussed a couple days ago working
nicely. Back, Refresh, 'wrong username' - all work nicely.

But I like the idea of reducing the load on the server, maybe
alleviating some redirect pinball. So been trying to use require
instead, and all hell has broken loose. Clearly I'm not structuring
these pages correctly, but I've run into a conceptual wall of what I
should be doing.

p1.php:
- display form
- post to p2.php

p2. php
- grab and validate input
- if good, require p3.php (which says congrats!)
- if bad, set error message and require p1.php (which displays error
msg and displays form again)

Problems:
- hitting back on p2.php shows the dreaded The page you are trying to
view contains POST...
-- OK and Cancel both generated unsatisfactory results
- hitting refresh on p2.php runs the validation again, which means the
validation code now has to be that much more complicated to trap for a
second attempt, blah blah blah.

So the architecture needs to look different. Been hitting my head
against a wall - I'll be darned if I can figure out what it is.

-- 
RE, Chicago

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Using require instead of redirect architecture

2007-12-19 Thread Robert Erbaron 
 1.  p1.php would post to itself.  Do data validation.  After data validation
 upon error, include p1.php again with included error messages
 upon success, redirect to p3.php with congrats.

Yeah, I could do this, but it uses a redirect, and like you said, it's gnarly.

 2.  p1.php would post to p2. perform data validation.
 upon error, save data into session variable, redirect back to p1.php,
 display error messages inline
 upon success, redirect to p3.php, display congrats

I've already got this working, per thread of a couple days ago. But it
uses a redirect.

 I personally like the second option.  It is cleaner.  Each page/script has a 
 single purpose in life.
  It just makes better sense to my small little mind.

I agree as well. But I'm trying to get away from multiple trips to the
server for simple page calls, per some pundits on the list. :) So I'm
trying to learn a different architecture, and I'm not getting it yet.

-- 
RE, Chicago

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: [PHP-DB] Credit Card Encryption

2007-12-19 Thread Robert Erbaron 
 When it comes to liability, who is liable, the merchant running the system, 
 the develper that created the system, or both?

 If the develper is included, would that be mitigated in that he created the 
 system to the merchant's specifications?

 Also, in terms of the developer, would this be covered under errors and 
 omissions insurance, or would they take the position that
 the developer should have known better and was negligent in creating a 
 non-compliant system leaving the developer on the hook for
 damages?

Unfortunately, I'd argue that he who has the best lawyers wins.

-- 
RE, Chicago

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] PRG pattern - how to implement a load page using GET

2007-12-17 Thread Robert Erbaron 

 And I basically completely disagree with the author in the first
 place, so...

Well, that's been clear for a year. :)

  (P.S. I'll get to the issue of rearchitecting this via require instead
  of using header() redirects,cough, cough, Richard Lynch, cough, cough
  :) in a future message. One step at a time...)

 ... you can probably just ignore this, as it's diametrically opposed
 to the rules you're following, as I understand them.

'tain't gonna ignore it. Just want to understand the PRG first. Much
better to understand something before dismissing it. Simply saying 'it
sucks' without understanding it is sorta ignorant.

Course, I may end up disagreeing with you, but we won't know that
until next week's exciting episode.
-- 
RE, Chicago

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] PRG pattern - how to implement a load page using GET

2007-12-16 Thread Robert Erbaron 
I've been reading up on login mechanisms using redirects, and have a
basic mechanism down.

a1.php:
?php
$site_title='My Site';
if (isset($_SESSION['errmsg_s']))
  {$errmsg = 'Warning! '.$_SESSION['errmsg_s'].'!';}
else
  {$errmsg = ''; }
if (isset($_SESSION['email_s']))
  { unset($_SESSION['email_s']);}
echo 'h1Welcome to '.$site_title.'/h1br';
echo $errmsg;
?
!-- form goes here and calls a2.php --

a2.php:
?php
$email = $_POST['email'];
if // (test email for goodness against database) {
 $_SESSION['email_s'] = $email;
 unset($_SESSION['errmsg_s']);
 // stuff successful login into database
 session_write_close();
 header('Location: a3.php');
 exit;}
else {
 $_SESSION['errmsg_s']=Re-enter your email;
 unset($_SESSION['email_s']);
 session_write_close();
 header('Location: a1.php');
 exit;}
?

a3.php:
?php
if (empty($_SESSION['email_s'])) {
session_write_close();
header('Location: a1.php');
exit;}
$email = $_SESSION['email_s'];
echo 'Hello there,'.$email.'. We are glad to have you here.br';
?

OK, looks like this handles refresh (resubmit) and back button issues.
Hitting back when on page 3 empties 'email', so resubmitting does a
brand new login. (If I'm missing something, holler.)

However, the seminal article at
http://www.theserverside.com/tt/articles/article.tss?l=RedirectAfterPost
says:
- Never show pages in response to POST
- Navigate from POST to GET using REDIRECT
- Always load pages using GET

I get the first and the second, and understand how to implement them.
The third, though. Sorry, I'm missing something. I simply don't
understand what they mean or how to do it. Can someone translate my
little a3.php page into 'using GET' instead of just grabbing the
session var again? And why is that necessary?

(P.S. I'll get to the issue of rearchitecting this via require instead
of using header() redirects,cough, cough, Richard Lynch, cough, cough
:) in a future message. One step at a time...)
-- 
RE, Chicago

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] PRG pattern - how to implement a load page using GET

2007-12-16 Thread Robert Erbaron 
 a standard HTTP request is a GET request.

I guess I'm just missing some basic definition of terminology. Been
writing desktop systems for too long, 'spose.

 using firefox and one of a number of extensions (firebug springs to mind)
 you can actually view the request headers that are sent.

Firebug shows headers for the c3.php page are:

Response Headers:
DateSun, 16 Dec 2007 20:48:43 GMT
Server  Apache/2.2.6 (Fedora)
X-Powered-ByPHP/5.1.6
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control   no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma  no-cache
Content-Length  51
Connection  close
Content-Typetext/html; charset=UTF-8

Request Headers:
Hostlocalhost
User-Agent  Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)
Gecko/20070812 Remi/2.0.0.6-1.fc6.remi Firefox/2.0.0.6
Accept  
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive  300
Connection  keep-alive
Referer http://localhost/hf/c1.php
Cookie  PHPSESSID=spave8i7jc7m0cmmvcdaj3msh7

 
  (P.S. I'll get to the issue of rearchitecting this via require instead
  of using header() redirects,cough, cough, Richard Lynch, cough, cough
  :) in a future message. One step at a time...)

 yes - abusing redirects as described is wasteful. and certainly it's the
 first time I've ever heard the statement 'Never show pages in response to 
 POST'
 sounds like hubris too me.

I've seen the statement in a number of messages in the archives here
and in google searches. Probably a case of Read Once, Repeat Often. I
took it with a grain of salt. They are java guys over there, after
all. :)

OK, now onto ridding the world of these redirects()
-- 
RE, Chicago

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] how to handle inserting special characters into a mysql field

2007-12-16 Thread Robert Erbaron 
 On Saturday 15 December 2007 18:59:12 Richard Lynch wrote:
  On Fri, December 14, 2007 11:03 am, Adam Williams wrote:
   $query = sprintf(SELECT * FROM users WHERE user='%s' AND
   password='%s',
   mysql_real_escape_string($user),
   mysql_real_escape_string($password));
  
   and I understand it uses the %s because of sprintf(), to indicate the
   data is a string.  However, thats not syntax I'm used to seeing.  If I
   rewrite the code to the following below, will it return the same
   results
   or error when queried?
  
   $user = mysql_real_escape_string($user);
   $password = mysql_real_escape_string($password)
   $query = SELECT * FROM users WHERE user='$user' AND
   password='$password';
 
  Yes, you will get the same result.
 
  You could have run both sets of code to try it faster than I typed
  this answer.

If the OP was _thinking_ the same thing I was, the question was
actually, What's the difference and why use one vs the other? Yeah,
I could run both and see the same result (actually, I did), but don't
understand the _wisdom_ of one choice over the other.
-- 
RE, Chicago

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Session call not creating file in session_save_path - perms? (newbie)

2007-12-12 Thread Robert Erbaron 
OK, I've read every message on the list for the last year that contains
'sessions'. I've read through (bleary eyed, admittedly)
http://us2.php.net/session. And I swear, honest, that I had this working on
another box (which is no longer available to me.) I've checked phpinfo -
session support is on, session.use_cookie is On. PHP 5.1.6 or thereabouts.

?php session_start();
session_save_path('/home/rob//Sites/zphpsessions');
echo 'sessionid:'.session_id().':br';
echo 'save path:'.session_save_path().':br';

$ip = ' '.$_SERVER['REMOTE_ADDR'];
echo '$ip is:'.$ip.':br';
$_SESSION['ipx']=$ip;
echo 'ipx (session) is:'.$_SESSION['ipx'].':br';
if (!isset($_SESSION['ipx'])) echo 'whoa nelly';
echo 'This is the main page';
?

Output looks like this:
sessionid:8klvud4o186lme7n6v84lhfjl2:
save path:/home/rob/Sites/zphpsessions:
$ip is: 127.0.0.1:
ipx (session) is: 127.0.0.1:
This is the main page

No data is being dumped into /home/rob/Sites/zphpsessions. The best I can
guess is permissions. If I change save_path to /tmp, no difference - still
nothing being written there. I bet I'm doing something ignorant about apache
users or something, huh?

-- 
RE, Chicago

Re: [PHP] Session call not creating file in session_save_path - perms? (newbie)

2007-12-12 Thread Robert Erbaron 
Aw crap. :)

(session_save_path BEFORE session_start.)

Works fine now... now to clean the egg off face.

Thx,

On Dec 12, 2007 11:31 PM, Casey [EMAIL PROTECTED] wrote:

 Read manual please.

 http://us.php.net/session_save_path


-- 
RE, Chicago