Member Avatar for Stefano Mtangoo

Hi All,
I have been learning making CMS and you guys have been helpful.
I can now post, and view the posts. I need to edit/delete articles.
I have read somewhere that you can make a link that appends an id of the article and you can retrieve it via $_GET. I cannot understand it and need help. Also another question, is that method safe? I read another place that GET method isn't secure!
Thanks!

Here is the code: view.php

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
  <title>Articles</title>
  <link type="text/css" rel="stylesheet" media="all" href="/site/site.css" />
</head>
<body>
<?php
	require('/includes/inc.database.php');
?>
<table style="text-align: left; width: 100%;" border="1" cellpadding="2" cellspacing="2">
    <tr>
      <td colspan="3" rowspan="1" id="header">
	  
	  </td>
    </tr>
	
    <tr>
        <td style = "width:230px;">
		
		</td>
		
		<td id="contents">
			<?php
				$db = new Connectdb();
				$conn = $db->connect();
				$article = $db->retrievedata($conn, 'articles');
				//loop in the result
				while ($row = mysql_fetch_object($article)) {
				echo ("<center><h2>$row->heading</center></h2>");
				echo("<br />");
				echo("<p style='color:red;'><b style='color:black;'>Posted by </b> $row->creator  <br /> $row->update_date </p>");
				echo("<br />");
				echo ($row->contents);
				echo("<br />");
				echo ("<p style='color:red;'><b style='color:black;'>Posted under: </b><em>$row->description</em> </p>");
				//add link to edit or delete article
				$pagetitle = "Testing the Change";
				//make a break line and space for next article
				echo '<br />';
				echo '<hr style ="color:red;" />';
				echo '<br />';
				}
				
			?>
	  </td>  	  
	  
	  
      <td style = "width:230px;">
	  
	  </td>
	  
    </tr>
	
    <tr>
      <td colspan="3" rowspan="1" id="footer">
	  <?php include("/includes/inc.footer.php"); ?>
	  </td>
    </tr>
</table>
<br>
</body>
</html>
  • 2 Contributors
  • 7 Replies
  • 106 Views
  • 5 Days Discussion Span
  • Latest Post Latest Post by Stefano Mtangoo
Member Avatar for kylegetson

relying on the URL and $_GET variables can leave you vulnerable. It can be safe, when done correctly. The most important thing, is you need to verify the data, before you try to do something with it. Specifically when adding/modifying/deleting things from a database, be sure the person should be able to perform that action.

I would try to keep it to a minimum, but passing an ID or something isnt bad... just make sure its a (valid) number.

Member Avatar for kylegetson

Assuming you use the URL
http://www.mywebsite.com/myfile.php?ID=5

$ID = $_GET['ID']; // this would have 5 as a string, that could actually be anything (like SQL to inject)
$ID = intval($_GET['ID']); // this would have 5 (as a int) you could use this in a query without worry of injection (though the number could be different than you expect)

You could also use encoding, like base64_encode() and base64_decode() to put variables on the URL. Hope that helps.

Member Avatar for Stefano Mtangoo

Yeah, alot!
But one more question, how do I create such url?
Should I append an ID right when I construct a page using returned query?
I have loved that encoding. It add alot to security :)

Member Avatar for kylegetson

yes, just append the ID to the url as your building your links. If your using something like wordpress (and maybe other blog/cms systems) there are functions for this. Wordpress has a function add_query_args() that allows you to easily append/remove things from the URL.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.