Re: [PHP-DB] onClick
On Wed, 02 Mar 2005 09:52:00 +, mel list_php <[EMAIL PROTECTED]> wrote:

> Hi,
>
> No you're wrong, I'm working with register_globals at OFF.
> What I tried to explain is what you retrieve after your form submission is a
> $_POST array. I just do a foreach loop in it to retrieve the values.
> I do additional checks to avoid problems with other variables, but then at
> the end I had $_POST['cloningView'] which was in the array that is extracted
> and its value is put in the $cloningView variable.
>
> Let's say the form hasn't been submitted, $_POST is empty, my check if
> ($cloningView) returns false (cloningView is not set, its value == false).

you shouldn't be checking $cloningView. if $_POST['cloningView'] is not set, then

    $cloningView = $_POST['cloningView']; // should issue a warning.

more importantly, it shouldn't be done. $cloningView's true/false-ness shouldn't be checked until you know it's set. if $_POST is empty, then $cloningView probably shouldn't exist. as per how you use it, you can just assume it's false. otoh, this is fine:

    $cloningView = isset($_POST['cloningView']) ? $_POST['cloningView'] : false;

and you could safely put that outside the ' if (isset($_POST['submit_var'])) { ... } ' block.

> If I understand I should test that to avoid a warning. But I have an error
> report level without warnings, so should I care about that? Is it just a
> "best practice"?

even if your error level (during production) doesn't show warnings, you could write cleaner code. yeah, it is more of a best practice. it also makes it easier to read/understand if you or someone else reads it later. and it probably won't make a difference if you don't do all that... because like you said, if it's not set, it returns false and that's what you want. in all probability, this behaviour won't change, but if it does, your code would need to be modified (behaviour = how vars which are not set are handled when used).

> You say it is to have safer code, but I don't see in which way?

if you're not using .htaccess for your site (on a per-dir basis) and the server admin just happens to have set register_globals ON because some rich client's old site requires it or his/her assistant is new, someone could use 'urpage.php?cloningView=1'. your check (if it's outside the $_POST check block) would pass when it should actually fail. i know it's a "what if" situation. just my $0.02.

another one: if you use import_request_variables in your code with no or an empty prefix (string), with your error level, you wouldn't see the notice and your script would be susceptible to the use above.

> Sorry if it's really obvious, but I really don't get it. For me as long as
> my test returns false when it has to it's ok, I don't see the security
> breach.

considering that register_globals is off in your case, it won't make a difference. imho, it is illogical to use the value of a non-existent variable (or assign it to another).

--
]# Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
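The two ways of reading cloningView that this thread argues about, side by side, as an added example written for this page (it is not code from any of the posters). It simulates a request with plain arrays so it runs from the command line without a web server. The field name cloningView and the value View come from the thread; the function names loose_handler and strict_handler and the three sample requests at the bottom are constructed for the example.

```php
<?php
// Added example for this page, not code from any poster in the thread.
// It simulates the request handling discussed above with plain arrays so it
// runs from the command line without a web server:   php request_vars.php
// The field name "cloningView" and its value "View" come from the thread;
// the function names and the sample requests at the bottom are constructed.

/**
 * The pattern the thread argues against: every request key becomes a PHP
 * variable. register_globals=On does this implicitly for GET, POST and
 * cookie data; a "foreach over $_POST with $$key" or extract() does it
 * explicitly. Either way the client chooses which variables get set, so a
 * default assigned earlier in the script can be overwritten from the URL.
 */
function loose_handler(array $get, array $post): string
{
    $cloningView = false;                        // intended default

    // register_globals imports GET first, then POST on top of it
    // (the "GP" part of variables_order), so merge them the same way.
    foreach (array_merge($get, $post) as $key => $value) {
        $$key = $value;                          // client picks the variable name
    }

    return $cloningView ? 'cloning view' : 'default view';
}

/**
 * The pattern recommended in the thread: read the one field you expect,
 * from the one superglobal you expect it in, and isset() it before use.
 * $get is accepted only so both handlers take the same arguments; it is
 * never read, so the query string cannot influence the result.
 */
function strict_handler(array $get, array $post): string
{
    $cloningView = isset($post['cloningView']) ? $post['cloningView'] : false;

    // A submit button only ever sends its value attribute, so compare exactly.
    return ($cloningView === 'View') ? 'cloning view' : 'default view';
}

// Constructed requests: [GET parameters, POST fields].
$cases = [
    'form submitted'           => [[], ['cloningView' => 'View']],
    'page opened directly'     => [[], []],
    'urpage.php?cloningView=1' => [['cloningView' => '1'], []],
];

foreach ($cases as $label => [$get, $post]) {
    printf("%-26s loose: %-13s strict: %s\n",
        $label, loose_handler($get, $post), strict_handler($get, $post));
}
```

The third line of the output is the register_globals case from the message above: the loose handler reports the cloning view for a plain GET of urpage.php?cloningView=1, because the query string was allowed to overwrite the default set two lines earlier, while the strict handler, which only ever looks at the POST field it asked for, stays on the default view.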
Re: [PHP-DB] onClick
Hi,

No you're wrong, I'm working with register_globals at OFF.

What I tried to explain is what you retrieve after your form submission is a $_POST array. I just do a foreach loop in it to retrieve the values. I do additional checks to avoid problems with other variables, but then at the end I had $_POST['cloningView'] which was in the array that is extracted and its value is put in the $cloningView variable.

Let's say the form hasn't been submitted, $_POST is empty, my check if ($cloningView) returns false (cloningView is not set, its value == false).

If I understand I should test that to avoid a warning. But I have an error report level without warnings, so should I care about that? Is it just a "best practice"?

You say it is to have safer code, but I don't see in which way?

Sorry if it's really obvious, but I really don't get it. For me as long as my test returns false when it has to it's ok, I don't see the security breach.

From: anirudh dutt <[EMAIL PROTECTED]>
To: mel list_php <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], php-db@lists.php.net
Subject: Re: [PHP-DB] onClick
Date: Tue, 1 Mar 2005 21:12:38 +0530
Re: [PHP-DB] onClick
On Tue, 01 Mar 2005 14:11:22 +, mel list_php <[EMAIL PROTECTED]> wrote:

> Why do you think that checking the value ($cloningView=="View") is better?

no, i didn't say it was better but it does make a little difference. i also said, test the POST var. your example makes it appear as though you keep register_globals on. $_POST['cloningView'] == 'View' would be the right way. i put an extra ')' in my previous mail. of course, if(isset($_POST['cloningView'])) should be before that. also, as far as the "has the form been submitted" test goes, check with isset/is_null/etc. before comparing values, if you do that at all. this is to avoid warnings/notices and generally write safer code.

> I just put something for it to be true but never paid attention to the exact
> string. I don't see the difference, if that POST variable exists it comes
> from my posted form so had that value.

that's fine too. except, when you know you're expecting POST vars, use $_POST['cloningView'] in your tests, not just $cloningView. in PHP 4 >= 4.2.10, PHP 5 - register_globals is OFF by default.

import_request_variables: Although the prefix parameter is optional, you will get an E_NOTICE level error if you specify no prefix, or specify an empty string as a prefix. (from the manual).

> I just want my user to display
> something else when clicking on a button, so I don't care about the value
> itself.
> I suppose it's a security thing but I don't see it?

you've got the idea. and no, the value isn't important. it's only a minor check which can be circumvented even if you had it in place. as far as the onClick code is concerned, it doesn't really matter what you put there, the page generation occurs at the server side so onClick isn't in any position to offer you security or to make sure that your form's submit was used to generate the page. well, not unless you come up with some really intricate algo.

--
]# Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream
Re: [PHP-DB] onClick
What I actually do is I retrieve the POST array and then extract the variables at the beginning of my script. That's also why I forgot to add the quotes: because I initialize my variable at the beginning, I'm dealing with $cloningView directly. I just added it manually to make it clear that it was coming from the form.

Why do you think that checking the value ($cloningView=="View") is better? I just put something for it to be true but never paid attention to the exact string. I don't see the difference, if that POST variable exists it comes from my posted form so had that value. I just want my user to display something else when clicking on a button, so I don't care about the value itself. I suppose it's a security thing but I don't see it?

Thanks!

From: anirudh dutt <[EMAIL PROTECTED]>
To: Ron Piggott <[EMAIL PROTECTED]>
CC: PHP DB
Subject: Re: [PHP-DB] onClick
Date: Tue, 1 Mar 2005 17:49:23 +0530
Re: [PHP-DB] onClick
On Mon, 28 Feb 2005 21:41:45 -0500, Ron Piggott <[EMAIL PROTECTED]> wrote:

> Another question: Is there a way that I may set up an IF command with the
> onClick function so that my_web_page.php3 will not be displayed unless a web
> form was used to generate it? Ron

if your page was generated by a non-form-submit (anything else), the click wouldn't matter since your page/form wasn't being used in the first place. so any client side javascript validation you want to use won't even be called.

On Tue, 01 Mar 2005 09:37:09 +, mel list_php <[EMAIL PROTECTED]> wrote:

> I use a submit button with a name:
>
>     <input type="submit" name="cloningView" value="View">
>
> and then I can test on that name:
>
>     if($_POST[cloningView])
>     {
>         ...display new web page ..
>     }

(i think) he means

    if(isset($_POST['cloningView'])) //add single/double quotes to avoid a warning.

or

    if(isset($_POST['cloningView']) && $_POST['cloningView']) == 'View')

depending on paranoia level, not that it'll help but i bet it makes you feel better ;-) but that can be faked quite easily. just make sure you check all GPC variables before using them. at the minimum, check if they exist.

--
]# Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream
RE: [PHP-DB] onClick
I use a submit button with a name:

    <input type="submit" name="cloningView" value="View">

and then I can test on that name:

    if($_POST[cloningView])
    {
        ...display new web page ..
    }

From: "Ron Piggott" <[EMAIL PROTECTED]>
To: "PHP DB"
Subject: [PHP-DB] onClick
Date: Mon, 28 Feb 2005 21:41:45 -0500

Another question: Is there a way that I may set up an IF command with the onClick function so that my_web_page.php3 will not be displayed unless a web form was used to generate it?

Ron
Re: [PHP-DB] onClick
Hi Jonathan Duncan,

> Is it possible to call a PHP function using the "onclick" parameter?

If this should be a JavaScript mouse event you have to use onmouseup instead.

Regards,
Ruprecht

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DB] onClick
Richard,

That is good information. Thank you very much for your help.

Jonathan

"Richard Crawford" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...

> Not directly, no. You can call a JavaScript function with the onClick
> command, but not a PHP function.
>
> But here's what I've done when I needed to do something like that.
>
> Create a separate page for the function, like function.php. Then in the
> anchor tag in your main page (call it index.php), call that page,
> e.g. <a href="function.php">click me for a function</a>, passing
> parameters either in the URL or by cookies.
>
> Your function page might look something like this:
>
>     <?php
>     {insert data into db here}
>     header("Location: index.php");
>     ?>
>
> In other words, in function.php, the code does the function and then
> immediately issues a redirect command to send the user back to the page
> where they started.
>
> You could also include the function in the code for index.php, and
> simply have the anchor tag link back to index.php, passing parameters
> via your favorite parameter passing technique.
>
> Jonathan Duncan wrote:
>
> > Is it possible to call a PHP function using the "onclick" parameter?
Re: [PHP-DB] onClick
Not directly, no. You can call a JavaScript function with the onClick command, but not a PHP function.

But here's what I've done when I needed to do something like that.

Create a separate page for the function, like function.php. Then in the anchor tag in your main page (call it index.php), call that page, e.g.

    <a href="function.php">click me for a function</a>

passing parameters either in the URL or by cookies.

Your function page might look something like this:

    <?php
    {insert data into db here}
    header("Location: index.php");
    ?>

In other words, in function.php, the code does the function and then immediately issues a redirect command to send the user back to the page where they started.

You could also include the function in the code for index.php, and simply have the anchor tag link back to index.php, passing parameters via your favorite parameter passing technique.

Jonathan Duncan wrote:

> Is it possible to call a PHP function using the "onclick" parameter?
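Ron's question further up (how to make sure my_web_page.php3 is only shown when the form was actually used) and Richard's function.php-plus-redirect pattern here come down to the same thing: the server has to be able to tell a submission of its own form from any other request, and onClick, being client-side, cannot provide that. The following is an added example written for this page, not code from Richard's, Ron's or anyone else's post, showing one way to do it with a secret per-session form token that index.php hands out and function.php demands back. The file names follow Richard's sketch; the session key form_token, the 16-byte token size and the function names are this example's own assumptions.

```php
<?php
// Added example for this page, not code from any post in the thread.
// One way to make function.php refuse anything that did not come from the
// form rendered by index.php: a secret per-session token. Names assumed by
// this example: FORM_TOKEN_KEY, the function names, and the 16-byte token.

const FORM_TOKEN_KEY = 'form_token';

/**
 * index.php calls this while rendering the form and puts the result in
 *   <input type="hidden" name="form_token" value="...">
 * The token lives in the session, so only a browser that loaded the form
 * in this session can know it.
 */
function issue_form_token(array &$session): string
{
    if (empty($session[FORM_TOKEN_KEY])) {
        $session[FORM_TOKEN_KEY] = bin2hex(random_bytes(16));   // PHP 7+
    }
    return $session[FORM_TOKEN_KEY];
}

/**
 * function.php calls this first. A request "came from the form" only if it
 * is a POST (a link, a bookmark or a link prefetcher sends GET) and carries
 * the token this session handed out.
 */
function request_came_from_form(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (empty($session[FORM_TOKEN_KEY]) || empty($post[FORM_TOKEN_KEY])) {
        return false;
    }
    // hash_equals() compares in constant time, so timing does not leak the token.
    return hash_equals($session[FORM_TOKEN_KEY], (string) $post[FORM_TOKEN_KEY]);
}

/**
 * The body of Richard's function.php: verify, act, redirect. $action stands
 * in for "{insert data into db here}". Returns the HTTP status it would send.
 */
function handle_function_page(string $method, array $post, array &$session, callable $action): int
{
    if (!request_came_from_form($method, $post, $session)) {
        return 403;                        // do not run the action at all
    }
    unset($session[FORM_TOKEN_KEY]);       // one submission per token
    $action($post);
    header('Location: index.php');         // back to where the user started
    return 302;
}

// --- self-check; runs with "php form_token.php", no web server needed ---
$session  = [];                            // stands in for $_SESSION
$token    = issue_form_token($session);    // what index.php would embed
$inserted = 0;
$insert   = function (array $post) use (&$inserted) { $inserted++; };

// 1. Richard's <a href="function.php">: a GET, no token.
$viaLink   = handle_function_page('GET', [], $session, $insert);
// 2. A forged POST that guesses the button value but cannot know the token.
$viaForged = handle_function_page('POST', ['cloningView' => 'View', FORM_TOKEN_KEY => 'guess'], $session, $insert);
// 3. The real form: the button plus the hidden token input.
$viaForm   = handle_function_page('POST', ['cloningView' => 'View', FORM_TOKEN_KEY => $token], $session, $insert);

printf("link=%d forged=%d form=%d actions run=%d\n", $viaLink, $viaForged, $viaForm, $inserted);
```

Wiring it into Richard's two files: index.php calls session_start(), then issue_form_token($_SESSION), and prints the value (HTML-escaped) into a hidden input inside a method="post" form; function.php calls session_start() and then handle_function_page($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION, ...) before doing anything else. The self-check ends with link=403 forged=403 form=302 and a single action run: the plain link and the forged post both fall through without touching the database, which is also why a state-changing action behind a bare GET link is the wrong shape regardless of token. This is the ordinary anti-CSRF form token; it proves the request came from a page this session rendered, not that a human clicked the button.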