Hi All,
I have been learning to make a CMS and you guys have been helpful.
I can now post and view the posts. I need to edit/delete articles.
I have read somewhere that you can make a link that appends the id of the article and you can retrieve it via $_GET. I cannot understand it and need help. Also, another question: is that method safe? I read in another place that the GET method isn't secure!
Thanks!

Here is the code: view.php

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
  <title>Articles</title>
  <link type="text/css" rel="stylesheet" media="all" href="/site/site.css" />
</head>
<body>
<?php
	require('/includes/inc.database.php');
?>
<table style="text-align: left; width: 100%;" border="1" cellpadding="2" cellspacing="2">
    <tr>
      <td colspan="3" rowspan="1" id="header">
	  
	  </td>
    </tr>
	
    <tr>
        <td style = "width:230px;">
		
		</td>
		
		<td id="contents">
			<?php
				$db = new Connectdb();
				$conn = $db->connect();
				$article = $db->retrievedata($conn, 'articles');
				// escape database fields before echoing them into the page (charset matches the meta tag above)
				$h = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'ISO-8859-1'); };
				//loop in the result
				while ($row = mysql_fetch_object($article)) {
				echo ('<h2 style="text-align:center;">' . $h($row->heading) . '</h2>');
				echo("<br />");
				echo("<p style='color:red;'><b style='color:black;'>Posted by </b> " . $h($row->creator) . " <br /> " . $h($row->update_date) . "</p>");
				echo("<br />");
				// the article body is printed as-is because it may contain HTML; sanitize it when it is saved
				echo ($row->contents);
				echo("<br />");
				echo ("<p style='color:red;'><b style='color:black;'>Posted under: </b><em>" . $h($row->description) . "</em> </p>");
				//add link to edit or delete article
				$pagetitle = "Testing the Change";
				//make a break line and space for next article
				echo '<br />';
				echo '<hr style="color:red;" />';
				echo '<br />';
				}
			?>
	  </td>  	  
	  
	  
      <td style = "width:230px;">
	  
	  </td>
	  
    </tr>
	
    <tr>
      <td colspan="3" rowspan="1" id="footer">
	  <?php include("/includes/inc.footer.php"); ?>
	  </td>
    </tr>
</table>
<br>
</body>
</html>
2 Contributors, 7 Replies, 11 Views, 7 Years Discussion Span, Last Post by Stefano Mtangoo

Relying on the URL and $_GET variables can leave you vulnerable. It can be safe when done correctly. The most important thing is that you need to verify the data before you try to do something with it. Specifically when adding/modifying/deleting things from a database, be sure the person should be able to perform that action.

I would try to keep it to a minimum, but passing an ID or something isn't bad... just make sure it's a (valid) number.

Assuming you use the URL
http://www.mywebsite.com/myfile.php?ID=5

$ID = $_GET['ID']; // this would have 5 as a string, which could actually be anything (like SQL to inject)
$ID = intval($_GET['ID']); // this would have 5 (as an int); you could use this in a query without worry of injection (though the number could be different than you expect)

You could also use encoding, like base64_encode() and base64_decode() to put variables on the URL. Hope that helps.

Yeah, a lot!
But one more question: how do I create such a URL?
Should I append an ID right when I construct a page using the returned query?
I have loved that encoding. It adds a lot to security :)

Yes, just append the ID to the URL as you're building your links. If you're using something like WordPress (and maybe other blog/CMS systems) there are functions for this. WordPress has a function add_query_args() that allows you to easily append/remove things from the URL.
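Putting the advice from this thread together in one runnable script (added here as an illustration; this is not code from the original posts, and the names `edit.php`, `article_link`, `parse_article_id`, `load_article_for_edit` and `delete_article` are my own). It assumes an `articles` table with `id`, `heading` and `creator` columns, and that the logged-in user's name and a CSRF token are kept in the session. An in-memory SQLite database through PDO stands in for the MySQL connection from view.php so the script runs offline; the same prepared-statement calls work against MySQL with a `mysql:` DSN. Two points the replies above touch on are worth making explicit: base64 is an encoding, not encryption, so anyone can decode the id again and it adds nothing to security; and the "GET isn't secure" warning is really about state-changing actions, since a GET URL ends up in browser history and server logs and can be triggered by any page the user happens to open, which is why the delete below insists on a POST with a CSRF token.

```php
<?php
// Added example, not part of the original thread. Assumptions: table `articles`
// (id, heading, creator); the logged-in user name and a CSRF token live in the
// session; the edit page is called edit.php. SQLite in memory replaces MySQL.
declare(strict_types=1);

// view.php side: build the edit link while looping over the result set.
// Call it as article_link((int) $row->id). The int type guarantees a number,
// htmlspecialchars makes the URL safe inside an href attribute.
function article_link(int $id, string $action = 'edit'): string
{
    $url = $action . '.php?id=' . $id;
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $action . '</a>';
}

// edit.php side: read the id back from $_GET (or $_POST) and accept only a
// positive integer. Anything else (missing, "5 OR 1=1", "-1", "abc") gives null.
function parse_article_id(array $params): ?int
{
    if (!isset($params['id'])) {
        return null;
    }
    $id = filter_var($params['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch the article with a prepared statement, and only if $user created it.
// The bound parameter is what stops SQL injection; the creator check is what
// stops another user from editing someone else's article by changing the number.
function load_article_for_edit(PDO $db, int $id, string $user): ?array
{
    $stmt = $db->prepare('SELECT id, heading, creator FROM articles WHERE id = :id AND creator = :user');
    $stmt->execute([':id' => $id, ':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Deleting changes data, so it is not done from a GET link: require POST and a
// CSRF token that matches the one stored in the session (compared in constant time).
function delete_article(PDO $db, array $server, array $post, array $session, string $user): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    if (!isset($post['csrf'], $session['csrf']) || !hash_equals($session['csrf'], (string) $post['csrf'])) {
        return false;
    }
    $id = parse_article_id($post);
    if ($id === null) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM articles WHERE id = :id AND creator = :user');
    $stmt->execute([':id' => $id, ':user' => $user]);
    return $stmt->rowCount() === 1;
}

// --- constructed sample data standing in for the MySQL `articles` table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, heading TEXT, creator TEXT)');
$db->exec("INSERT INTO articles VALUES (5, 'First post', 'alice'), (6, 'Other post', 'bob')");

// the link as it would be printed inside the while loop of view.php
echo article_link(5), "\n";

// what edit.php sees for a normal click, an injection attempt, and a negative id
var_dump(parse_article_id(['id' => '5']));
var_dump(parse_article_id(['id' => '5 OR 1=1']));
var_dump(parse_article_id(['id' => '-1']));

// alice may load her own article but not bob's, even with a valid id
var_dump(load_article_for_edit($db, 5, 'alice'));
var_dump(load_article_for_edit($db, 6, 'alice'));

// a delete sent as GET is refused; the same request as POST with the token succeeds
$session = ['csrf' => bin2hex(random_bytes(16))];
$post    = ['id' => '5', 'csrf' => $session['csrf']];
var_dump(delete_article($db, ['REQUEST_METHOD' => 'GET'], $post, $session, 'alice'));
var_dump(delete_article($db, ['REQUEST_METHOD' => 'POST'], $post, $session, 'alice'));
```

Run it with `php` from the command line. The pieces map onto the thread's question directly: `article_link()` is what goes in place of the "add link to edit or delete article" comment in view.php, `parse_article_id()` is the `intval()` step from the reply above with the extra "must be positive" check, and the `creator = :user` condition in both queries is the "be sure the person should be able to perform that action" check from the first reply, enforced by the database rather than by trusting the number in the URL.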
