Re: [PHP-DB] onClick

2005-03-02 Thread mel list_php
Hi,
No, you're wrong, I'm working with register_globals at OFF.
What I tried to explain is what you retrieve after your form submission is a 
$_POST array.
I just do a foreach loop in it to retrieve the values.
I do additional checks to avoid problems with other variables, but then at 
the end I had $_POST['cloningView'] which was in the array that is extracted 
and its value is put in the $cloningView variable.

Let's say the form hasn't been submitted, $_POST is empty, my check if 
($cloningView) returns false (cloningView is not set, its value == false).
If I understand I should test that to avoid a warning. But I have an error 
report level without warnings, so should I care about that?  Is it just a 
best practice? You say it is to have safer code, but I don't see in which 
way?

Sorry if it's really obvious, but I really don't get it. For me as long as 
my test returns false when it has to it's ok, I don't see the security 
breach.

From: anirudh dutt [EMAIL PROTECTED]
Reply-To: anirudh dutt [EMAIL PROTECTED]
To: mel list_php [EMAIL PROTECTED]
CC: [EMAIL PROTECTED], php-db@lists.php.net
Subject: Re: [PHP-DB] onClick
Date: Tue, 1 Mar 2005 21:12:38 +0530
On Tue, 01 Mar 2005 14:11:22 +, mel list_php [EMAIL PROTECTED] 
wrote:
> Why do you think that checking the value ($cloningView==View) is
> better?

no, i didn't say it was better but it does make a lil difference. i
also said, test the POST var. ur example makes it appear as though u
keep register_gloabals on.
$_POST['cloningView'] == 'View' would be the right way. i put an extra
')' in my previous mail. of course, if(isset($_POST['cloningView']))
should be before that.
also, as far as has the form been submitted test goes, check with
isset/is_null/etc. before comparing values, if u do that at all. this
is to avoid warnings/notices and generally write safer code.
> I just put something for it to be true but never paid attention to the
> exact
> string. I don't see the difference, if that POST variable exists it
> comes
> from my posted form so had that value.

that's fine too. except, when u know u're expecting POST vars, use
$_POST['cloningView'] in ur tests, not just $cloningView. in PHP 4 >=
4.2.10, PHP 5 - register_globals is OFF by default.
import_request_variables:  Although the prefix parameter is optional, you
will get an E_NOTICE level error if you specify no prefix, or specify
an empty string as a prefix. (from the manual).
> I just want my user to display
> something else when clicking on a button, so I don't care about the
> value
> itself.
> I suppose it's a security thing but I don't see it?

u've got the idea. and no, the value isn't important. it's only a
minor check which can be circumvented even if u had it in place.
as far as the onClick code is concerned, it doesn't really matter what
u put there, the page generation occurs at the server side so onClick
isn't in any position to offer u security or to make sure that ur
form's submit was used to generate the page. well, not unless u come
up with some really intricate algo.
--
]#
Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] onClick

2005-03-02 Thread anirudh dutt
On Wed, 02 Mar 2005 09:52:00 +, mel list_php [EMAIL PROTECTED] wrote:
> Hi,
>
> No, you're wrong, I'm working with register_globals at OFF.
> What I tried to explain is what you retrieve after your form submission is a
> $_POST array.
> I just do a foreach loop in it to retrieve the values.
> I do additional checks to avoid problems with other variables, but then at
> the end I had $_POST['cloningView'] which was in the array that is extracted
> and its value is put in the $cloningView variable.
>
> Let's say the form hasn't been submitted, $_POST is empty, my check if
> ($cloningView) returns false (cloningView is not set, its value == false).

u shouldn't be checking $cloningView. if $_POST['cloningView'] is not set, then
$cloningView = $_POST['cloningView'] ; //should issue a warning. more
importantly, it shouldn't be done.

$cloningView's true/false-ness shouldn't be checked until u know it's
set. if $_POST is empty, then $cloningView probably shouldn't exist.
as per how u use it, u can just assume it's false.

otoh, this is fine:
$cloningView = isset($_POST['cloningView']) ? $_POST['cloningView'] : false ;

and u could safely put that outside the ' if
(isset($_POST['submit_var'])) { ... } ' block.

> If I understand I should test that to avoid a warning. But I have an error
> report level without warnings, so should I care about that?  Is it just a
> best practice?

even if ur error level (during production) doesn't show warnings, u
could write cleaner code. yeah it is more of a best practice. it also
makes it easier to read/understand if u or someone else reads it
later. and it probably won't make a difference if u don't do all
that...coz like u said, if it's not set, it returns false and that's
what u want.

in all probability, this behaviour won't change, but if it does, ur
code would need to be modified (behaviour = how vars which are not set
are handled when used).

> You say it is to have safer code, but I don't see in which
> way?

if u're not using .htaccess for ur site (on a per dir basis) and the
server admin just happens to have set register_globals ON coz some
rich client's old site requires it or his/her assistant is new,
someone could use 'urpage.php?cloningView=1'. ur check (if it's
outside the $_POST check block) would pass when it should actually
fail. i know it's a what if situation. just my $0.02.

another one: if u use import_request_variables in ur code with no or an
empty prefix (string), with ur error level, u wouldn't see the notice
and ur script would be susceptible to the use above.

> Sorry if it's really obvious, but I really don't get it. For me as long as
> my test returns false when it has to it's ok, I don't see the security
> breach.

considering that register_globals is off in ur case, it won't make a difference.

imho, <style=spock>it is illogical</style> to use the value of a
non-existent variable (or assign it to another).

-- 
]#
Anirudh Dutt


...pilot of the storm who leaves no trace
like thoughts inside a dream

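As an added example (not code from the thread), the fragile pattern the reply warns about next to the isset-based check it recommends. It assumes modern PHP (7+); fragileFlag and safeFlag are hypothetical names, and $_POST/$_GET are passed in as plain arrays so the script runs from the CLI.

```php
<?php
// Added example, not code from the thread. Function names fragileFlag and
// safeFlag are hypothetical; $_POST/$_GET are passed in as plain arrays so
// the script runs from the CLI without a web server.

// Fragile: copies every submitted field into a local variable, the way
// extract($_POST) or register_globals=On would, then trusts the result.
// With register_globals on, GET and POST both populate globals, so
// ?cloningView=1 in the URL sets $cloningView just like the button does.
function fragileFlag(array $post, array $get): bool
{
    $vars = array_merge($get, $post);
    extract($vars, EXTR_OVERWRITE);
    return !empty($cloningView); // $cloningView may not exist at all here
}

// Safer: read the one field you expect from the one array you expect,
// and test that it exists before comparing its value.
function safeFlag(array $post): bool
{
    return isset($post['cloningView']) && $post['cloningView'] === 'View';
}

// Constructed inputs: a real submit, no submit, and a query-string forgery.
$cases = array(
    'form submitted'    => array(array('cloningView' => 'View'), array()),
    'nothing submitted' => array(array(), array()),
    'GET forgery'       => array(array(), array('cloningView' => '1')),
);
foreach ($cases as $label => $pair) {
    list($post, $get) = $pair;
    printf("%-18s fragile=%s safe=%s\n", $label,
        var_export(fragileFlag($post, $get), true),
        var_export(safeFlag($post), true));
}
```

Only the real submit satisfies safeFlag; the forged query string passes fragileFlag because that version never checks where cloningView came from.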



RE: [PHP-DB] onClick

2005-03-01 Thread mel list_php
I use a submit button with a name:
<input type='submit' name='cloningView' value='View'>
and then I can test on that name:
if($_POST[cloningView])
{
...display new web page ..
}
From: Ron Piggott [EMAIL PROTECTED]
To: PHP DB php-db@lists.php.net
Subject: [PHP-DB] onClick
Date: Mon, 28 Feb 2005 21:41:45 -0500
Another question: Is there a way that I may set up an IF command with the
onClick function so that my_web_page.php3 will not be displayed unless a 
web
form was used to generate it?  Ron



Re: [PHP-DB] onClick

2005-03-01 Thread anirudh dutt
On Mon, 28 Feb 2005 21:41:45 -0500, Ron Piggott
[EMAIL PROTECTED] wrote:
> Another question: Is there a way that I may set up an IF command with the
> onClick function so that my_web_page.php3 will not be displayed unless a web
> form was used to generate it?  Ron
>

if ur page was generated by a non-form-submit (anything else), the
click wouldn't matter since ur page/form wasn't being used in the
first place. so any client side javascript validation u wanna use
won't even be called.

On Tue, 01 Mar 2005 09:37:09 +, mel list_php [EMAIL PROTECTED] wrote:
> I use a submit button with a name:
> <input type='submit' name='cloningView' value='View'>
>
> and then I can test on that name:
> if($_POST[cloningView])
> {
> ...display new web page ..
> }
>

(i think) he means
if(isset($_POST['cloningView'])) //add single/double quotes to avoid a warning.
or 
if(isset($_POST['cloningView']) && $_POST['cloningView']) == 'View')
depending on paranoia level, not that it'll help but i bet it makes u
feel better ;-)

but that can be faked quite easily. just make sure u check all GPC
variables before using them. at the minimum, check if they exist.

-- 
]#
Anirudh Dutt


...pilot of the storm who leaves no trace
like thoughts inside a dream




Re: [PHP-DB] onClick

2005-03-01 Thread mel list_php
What I actually do is I retrieve the POST array and then extract the 
variables at the beginning of my script.
That's also why I forgot to add the quotes because I initialize my variable 
at the beginning, and I'm dealing with $cloningView directly.
I just added it manually to make it clear that it was coming from the form.

Why do you think that checking the value ($cloningView==View) is better?
I just put something for it to be true but never paid attention to the exact 
string. I don't see the difference, if that POST variable exists it comes 
from my posted form so had that value. I just want my user to display 
something else when clicking on a button, so I don't care about the value 
itself.
I suppose it's a security thing but I don't see it?

Thanks!

From: anirudh dutt [EMAIL PROTECTED]
Reply-To: anirudh dutt [EMAIL PROTECTED]
To: Ron Piggott [EMAIL PROTECTED]
CC: PHP DB php-db@lists.php.net
Subject: Re: [PHP-DB] onClick
Date: Tue, 1 Mar 2005 17:49:23 +0530
On Mon, 28 Feb 2005 21:41:45 -0500, Ron Piggott
[EMAIL PROTECTED] wrote:
> Another question: Is there a way that I may set up an IF command with
> the
> onClick function so that my_web_page.php3 will not be displayed unless a
> web
> form was used to generate it?  Ron


if ur page was generated by a non-form-submit (anything else), the
click wouldn't matter since ur page/form wasn't being used in the
first place. so any client side javascript validation u wanna use
won't even be called.
On Tue, 01 Mar 2005 09:37:09 +, mel list_php [EMAIL PROTECTED] 
wrote:
> I use a submit button with a name:
> <input type='submit' name='cloningView' value='View'>
>
> and then I can test on that name:
> if($_POST[cloningView])
> {
> ...display new web page ..
> }


(i think) he means
if(isset($_POST['cloningView'])) //add single/double quotes to avoid a 
warning.
or
if(isset($_POST['cloningView']) && $_POST['cloningView']) == 'View')
depending on paranoia level, not that it'll help but i bet it makes u
feel better ;-)

but that can be faked quite easily. just make sure u check all GPC
variables before using them. at the minimum, check if they exist.
--
]#
Anirudh Dutt
...pilot of the storm who leaves no trace
like thoughts inside a dream


Re: [PHP-DB] onClick

2005-03-01 Thread anirudh dutt
On Tue, 01 Mar 2005 14:11:22 +, mel list_php [EMAIL PROTECTED] wrote:
> Why do you think that checking the value ($cloningView==View) is better?

no, i didn't say it was better but it does make a lil difference. i
also said, test the POST var. ur example makes it appear as though u
keep register_globals on.

$_POST['cloningView'] == 'View' would be the right way. i put an extra
')' in my previous mail. of course, if(isset($_POST['cloningView']))
should be before that.

also, as far as has the form been submitted test goes, check with
isset/is_null/etc. before comparing values, if u do that at all. this
is to avoid warnings/notices and generally write safer code.

> I just put something for it to be true but never paid attention to the exact
> string. I don't see the difference, if that POST variable exists it comes
> from my posted form so had that value.

that's fine too. except, when u know u're expecting POST vars, use
$_POST['cloningView'] in ur tests, not just $cloningView. in PHP 4 >=
4.2.10, PHP 5 - register_globals is OFF by default.
import_request_variables:  Although the prefix parameter is optional, you
will get an E_NOTICE level error if you specify no prefix, or specify
an empty string as a prefix. (from the manual).

> I just want my user to display
> something else when clicking on a button, so I don't care about the value
> itself.
> I suppose it's a security thing but I don't see it?

u've got the idea. and no, the value isn't important. it's only a
minor check which can be circumvented even if u had it in place.

as far as the onClick code is concerned, it doesn't really matter what
u put there, the page generation occurs at the server side so onClick
isn't in any position to offer u security or to make sure that ur
form's submit was used to generate the page. well, not unless u come
up with some really intricate algo.

-- 
]#
Anirudh Dutt


...pilot of the storm who leaves no trace
like thoughts inside a dream




[PHP-DB] onClick

2005-02-28 Thread Ron Piggott
Another question: Is there a way that I may set up an IF command with the
onClick function so that my_web_page.php3 will not be displayed unless a web
form was used to generate it?  Ron




Re: [PHP-DB] onClick

2001-12-04 Thread Ruprecht Helms

Hi Jonathan Duncan,

> Is it possible to call a PHP function using the onclick parameter?

If this should be a javascript-mouseevent you have to use onmouseup instead.

Regards,
Ruprecht


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]