Re: [PHP-DB] onClick
Hi,

No you're wrong I'm working with register_global at OFF. What I tried to explain is what you retrieve after your form submission is a $_POST array. I just do a foreach loop in it to retrieve the values. I do additional check to avoid problems with other variables, but then at the end I had $_POST['cloningView'] which was in the array that is extracted and its value is put in the $cloningView variable.

Let's say the form hasn't been submitted, $_POST is empty, my check if ($cloningView) returns false (cloningView is not set, its value == false).

If I understand I should test that to avoid a warning. But I have an error report level without warnings, so should I care about that? Is it just a best practice? You say it is to have safer code, but I don't see in which way?

Sorry if it's really obvious, but I really don't get it. For me as long as my test returns false when it has to it's ok, I don't see the security breach.

> From: anirudh dutt [EMAIL PROTECTED]
> Reply-To: anirudh dutt [EMAIL PROTECTED]
> To: mel list_php [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED], php-db@lists.php.net
> Subject: Re: [PHP-DB] onClick
> Date: Tue, 1 Mar 2005 21:12:38 +0530
>
> On Tue, 01 Mar 2005 14:11:22 +, mel list_php [EMAIL PROTECTED] wrote:
> > Why do you think that checking the value ($cloningView==View) is better?
>
> no, i didn't say it was better but it does make a lil difference. i also said, test the POST var. ur example makes it appear as though u keep register_globals on. $_POST['cloningView'] == 'View' would be the right way. i put an extra ')' in my previous mail. of course, if(isset($_POST['cloningView'])) should be before that.
>
> also, as far as has the form been submitted test goes, check with isset/is_null/etc. before comparing values, if u do that at all. this is to avoid warnings/notices and generally write safer code.
>
> > I just put something for it to be true but never paid attention to the exact string.
> > I don't see the difference, if that POST variable exists it comes from my posted form so had that value.
>
> that's fine too. except, when u know u're expecting POST vars, use $_POST['cloningView'] in ur tests, not just $cloningView.
>
> in PHP 4 >= 4.2.10, PHP 5 - register_globals is OFF by default.
>
> import_request_vars: Although the prefix parameter is optional, you will get an E_NOTICE level error if you specify no prefix, or specify an empty string as a prefix. (from the manual).
>
> > I just want my user to display something else when clicking on a button, so I don't care about the value itself. I suppose it's a security thing but I don't see it?
>
> u've got the idea. and no, the value isn't important. it's only a minor check which can be circumvented even if u had it in place.
>
> as far as the onClick code is concerned, it doesn't really matter what u put there, the page generation occurs at the server side so onClick isn't in any position to offer u security or to make sure that ur form's submit was used to generate the page. well, not unless u come up with some really intricate algo.
>
> --
> ]# Anirudh Dutt
> ...pilot of the storm who leaves no trace
> like thoughts inside a dream
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] onClick
On Wed, 02 Mar 2005 09:52:00 +, mel list_php [EMAIL PROTECTED] wrote:
> Hi,
> No you're wrong I'm working with register_global at OFF. What I tried to explain is what you retrieve after your form submission is a $_POST array. I just do a foreach loop in it to retrieve the values. I do additional check to avoid problems with other variables, but then at the end I had $_POST['cloningView'] which was in the array that is extracted and its value is put in the $cloningView variable.
> Let's say the form hasn't been submitted, $_POST is empty, my check if ($cloningView) returns false (cloningView is not set, its value == false).

u shouldn't be checking $cloningView. if $_POST['cloningView'] is not set, then

$cloningView = $_POST['cloningView'] ; //should issue a warning.

more importantly, it shouldn't be done. $cloningView's true/false-ness shouldn't be checked until u know it's set. if $_POST is empty, then $cloningView probably shouldn't exist. as per how u use it, u can just assume it's false.

otoh, this is fine:

$cloningView = isset($_POST['cloningView']) ? $_POST['cloningView'] : false ;

and u could safely put that outside the ' if (isset($_POST['submit_var'])) { ... } ' block.

> If I understand I should test that to avoid a warning. But I have an error report level without warnings, so should I care about that? Is it just a best practice?

even if ur error level (during production) doesn't show warnings, u could write cleaner code. yeah it is more of a best practice. it also makes it easier to read/understand if u or someone else reads it later. and it probably won't make a difference if u don't do all that...coz like u said, if it's not set, it returns false and that's what u want. in all probability, this behaviour won't change, but if it does, ur code would need to be modified (behaviour = how vars which are not set are handled when used).

> You say it is to have safer code, but I don't see in which way?

if u're not using .htaccess for ur site (on a per dir basis) and the server admin just happens to have set register_globals ON coz some rich client's old site requires it or his/her assistant is new, someone could use 'urpage.php?cloningView=1'. ur check (if it's outside the $_POST check block) would pass when it should actually fail. i know it's a what if situation. just my $0.02.

another one: if u use import_request_vars in ur code with no or an empty prefix (string), with ur error level, u wouldn't see the notice and ur script would be susceptible to the use above.

> Sorry if it's really obvious, but I really don't get it. For me as long as my test returns false when it has to it's ok, I don't see the security breach.

considering that register_globals is off in ur case, it won't make a difference. imho, <spock>it is illogical</spock> to use the value of a non-existent variable (or assign it to another).

--
]# Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream
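To make the difference between the two styles concrete, here is an added example (mine, not code posted by anyone in this thread). It assumes the form from mel's mail, a submit button named cloningView with value View, and simulates the "copy every request key into a variable" behaviour that register_globals, extract() or import_request_variables() with an empty prefix produce, next to an isset()-guarded handler that only reads the key it expects from $_POST. The function names and the sample requests are constructed for the demo.

```php
<?php
// Added example, not code from anyone in this thread. It assumes the form
// from mel's mail (a submit button named 'cloningView' with value 'View');
// the function names and the sample requests below are constructed.

// Fragile: copy every request key into a variable, which is what
// register_globals, extract($_POST) or import_request_variables() with an
// empty prefix effectively do. Any key the client chooses becomes a variable.
function decideFragile(array $request)
{
    foreach ($request as $key => $value) {
        $$key = $value;   // variable variable: creates $cloningView, $isAdmin, ...
    }
    // empty() avoids the notice a bare "if ($cloningView)" raises when the key
    // was never sent; the real problem is that the value can come from any
    // channel, not only from the form's submit button.
    return empty($cloningView) ? 'default' : 'clone-view';
}

// Hardened: read only the expected key, only from $_POST, guard it with
// isset() so it is safe to evaluate whether or not the form was submitted,
// and compare the value strictly (no type juggling).
function decideHardened(array $post)
{
    $cloningView = isset($post['cloningView']) ? $post['cloningView'] : false;
    if ($cloningView === 'View') {
        return 'clone-view';
    }
    return 'default';
}

// Constructed sample requests (no real traffic).
$cases = array(
    'form submit' => array('get' => array(), 'post' => array('cloningView' => 'View')),
    'query only'  => array('get' => array('cloningView' => '1'), 'post' => array()),
    'no request'  => array('get' => array(), 'post' => array()),
);

foreach ($cases as $label => $req) {
    // register_globals merges GET and POST into plain variables, so the
    // fragile handler sees both; the hardened one only looks at POST.
    $merged = array_merge($req['get'], $req['post']);
    printf("%-12s fragile=%-11s hardened=%s\n",
        $label, decideFragile($merged), decideHardened($req['post']));
}
```

Run it with `php example.php`. The "query only" case is the one Anirudh describes: a `?cloningView=1` in the URL satisfies the fragile check but not the hardened one, and the "no request" case shows that the isset()-guarded assignment is safe to run outside any submit block. As the thread also points out, neither version proves the page was reached through your form; a client can send `cloningView=View` in a POST body directly, so this is input hygiene, not authentication.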
RE: [PHP-DB] onClick
I use a submit button with a name:

<input type='submit' name='cloningView' value='View'>

and then I can test on that name:

if($_POST[cloningView]) {
...display new web page ..
}

> From: Ron Piggott [EMAIL PROTECTED]
> To: PHP DB php-db@lists.php.net
> Subject: [PHP-DB] onClick
> Date: Mon, 28 Feb 2005 21:41:45 -0500
>
> Another question: Is there a way that I may set up an IF command with the onClick function so that my_web_page.php3 will not be displayed unless a web form was used to generate it?
>
> Ron
Re: [PHP-DB] onClick
On Mon, 28 Feb 2005 21:41:45 -0500, Ron Piggott [EMAIL PROTECTED] wrote:
> Another question: Is there a way that I may set up an IF command with the onClick function so that my_web_page.php3 will not be displayed unless a web form was used to generate it?
>
> Ron

if ur page was generated by a non-form-submit (anything else), the click wouldn't matter since ur page/form wasn't being used in the first place. so any client side javascript validation u wanna use won't even be called.

On Tue, 01 Mar 2005 09:37:09 +, mel list_php [EMAIL PROTECTED] wrote:
> I use a submit button with a name:
> <input type='submit' name='cloningView' value='View'>
> and then I can test on that name:
> if($_POST[cloningView]) {
> ...display new web page ..
> }

(i think) he means

if(isset($_POST['cloningView'])) //add single/double quotes to avoid a warning.

or

if(isset($_POST['cloningView']) && $_POST['cloningView']) == 'View')

depending on paranoia level, not that it'll help but i bet it makes u feel better ;-)
but that can be faked quite easily.

just make sure u check all GPC variables before using them. at the minimum, check if they exist.

--
]# Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream
Re: [PHP-DB] onClick
What I actually do is I retrieve the POST array and then extract the variables at the beginning of my script. That's also why I forgot to add the quotes because I initialize my variable at the beginning, and I'm dealing with $cloningView directly. I just added it manually to make it clear that it was coming from the form.

Why do you think that checking the value ($cloningView==View) is better? I just put something for it to be true but never paid attention to the exact string. I don't see the difference, if that POST variable exists it comes from my posted form so had that value. I just want my user to display something else when clicking on a button, so I don't care about the value itself. I suppose it's a security thing but I don't see it?

Thanks!

> From: anirudh dutt [EMAIL PROTECTED]
> Reply-To: anirudh dutt [EMAIL PROTECTED]
> To: Ron Piggott [EMAIL PROTECTED]
> CC: PHP DB php-db@lists.php.net
> Subject: Re: [PHP-DB] onClick
> Date: Tue, 1 Mar 2005 17:49:23 +0530
>
> On Mon, 28 Feb 2005 21:41:45 -0500, Ron Piggott [EMAIL PROTECTED] wrote:
> > Another question: Is there a way that I may set up an IF command with the onClick function so that my_web_page.php3 will not be displayed unless a web form was used to generate it?
> >
> > Ron
>
> if ur page was generated by a non-form-submit (anything else), the click wouldn't matter since ur page/form wasn't being used in the first place. so any client side javascript validation u wanna use won't even be called.
>
> On Tue, 01 Mar 2005 09:37:09 +, mel list_php [EMAIL PROTECTED] wrote:
> > I use a submit button with a name:
> > <input type='submit' name='cloningView' value='View'>
> > and then I can test on that name:
> > if($_POST[cloningView]) {
> > ...display new web page ..
> > }
>
> (i think) he means
>
> if(isset($_POST['cloningView'])) //add single/double quotes to avoid a warning.
>
> or
>
> if(isset($_POST['cloningView']) && $_POST['cloningView']) == 'View')
>
> depending on paranoia level, not that it'll help but i bet it makes u feel better ;-)
> but that can be faked quite easily.
>
> just make sure u check all GPC variables before using them. at the minimum, check if they exist.
>
> --
> ]# Anirudh Dutt
> ...pilot of the storm who leaves no trace
> like thoughts inside a dream
Re: [PHP-DB] onClick
On Tue, 01 Mar 2005 14:11:22 +, mel list_php [EMAIL PROTECTED] wrote:
> Why do you think that checking the value ($cloningView==View) is better?

no, i didn't say it was better but it does make a lil difference. i also said, test the POST var. ur example makes it appear as though u keep register_globals on. $_POST['cloningView'] == 'View' would be the right way. i put an extra ')' in my previous mail. of course, if(isset($_POST['cloningView'])) should be before that.

also, as far as has the form been submitted test goes, check with isset/is_null/etc. before comparing values, if u do that at all. this is to avoid warnings/notices and generally write safer code.

> I just put something for it to be true but never paid attention to the exact string.
> I don't see the difference, if that POST variable exists it comes from my posted form so had that value.

that's fine too. except, when u know u're expecting POST vars, use $_POST['cloningView'] in ur tests, not just $cloningView.

in PHP 4 >= 4.2.10, PHP 5 - register_globals is OFF by default.

import_request_vars: Although the prefix parameter is optional, you will get an E_NOTICE level error if you specify no prefix, or specify an empty string as a prefix. (from the manual).

> I just want my user to display something else when clicking on a button, so I don't care about the value itself. I suppose it's a security thing but I don't see it?

u've got the idea. and no, the value isn't important. it's only a minor check which can be circumvented even if u had it in place.

as far as the onClick code is concerned, it doesn't really matter what u put there, the page generation occurs at the server side so onClick isn't in any position to offer u security or to make sure that ur form's submit was used to generate the page. well, not unless u come up with some really intricate algo.

--
]# Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream
[PHP-DB] onClick
Another question: Is there a way that I may set up an IF command with the onClick function so that my_web_page.php3 will not be displayed unless a web form was used to generate it?

Ron
Re: [PHP-DB] onClick
Hi Jonathan Duncan,

> Is it possible to call a PHP function using the onclick parameter?

If this should be a javascript-mouseevent you have to use onmouseup instead.

Regards,
Ruprecht

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]