quandary using GET

I have a page that lists a bunch of objects, stored in a database, to
the user. After each object I'd like to do something like:

   object1   [edit]  [delete]
   object2   [edit]  [delete]

and so on, where "edit" and "delete" are links. Right now, each link
uses GET to pass the object ID to the script that will deal with it.
For example, the urls for the first object links are something like:

   edit:  http://www.host.com/edit.php?obj=object1
   delete:  http://www.host.com/delete.php?obj=object1

and similar for the second...you get the idea. This works alright for
the edit option, since it's okay (even advantageous) for a user to
bookmark it. However, it's problematic for the delete option. If a user
bookmarks it, and then tries to visit the site later, they might
unintentionally delete something. I can't use POST since this doesn't
lend itself to a form. I know I could throw some javascript in there to
handle it, but I'm trying to avoid javascript as much as possible.

Does anyone know a better way to do this? Thanks.

Re: quandary using GET

swpulitzer@yahoo.com wrote:

Can you make delete.php display the object and confirm (with a button)
the deletion?

Re: quandary using GET

swpulitzer@yahoo.com wrote:

You can use POST, so with a form:
<form name="myform" action="action.php" method="POST">

Have two hidden fields:
<input type="hidden" name="act" value="" />
<input type="hidden" name="obj" value="" />

The delete link can then be:
<a href="#" onclick="document.myform.act.value='delete';
document.myform.obj.value='object1'; document.myform.submit(); return
false;">Delete</a>

Similarly, the edit link can be:
<a href="#" onclick="document.myform.act.value='edit';
document.myform.obj.value='object1'; document.myform.submit(); return
false;">Edit</a>

You then only need one PHP page to handle edit and delete which just  
checks $_POST['act'].

I'll actually suggest putting all this javascript in a function (e.g.  
doact(act,obj) which returns false) so the link can just be:
<a href="#" onclick="return doact('delete','object1');">Delete</a>


Re: quandary using GET

Following on from swpulitzer@yahoo.com's message. . .
So what?  If they really _bookmark_ a delete link who cares - what's  
going to explode?  Obviously delete.php checks lots of things before  
doing anything *because it has to trap lots of other abuse anyway*.

ONE of these tests might be to check you've just come from a page where  
deleting is 'on the menu'.

# ---------------------------------------------------------------------
function CheckComeFrom($PossibleWaysToGetHere,$Destination='pp000.php'){
# This is a security function which chucks the user out
# if the referring page is not one of those supplied in the list
# Returns TRUE if all is OK
# Put near the top of a script in a not-if
# (The actual jump to the destination will be done in this script but
#  the exit is to tidy up any stack of script execution.)
#     eg    if(!CheckComeFrom('foo.php'))
# Multiple come-froms can be specified by splitting names with a + sign
#     eg    'foo.php+bar.php+fox.php'
# Destination can be overridden.  Suppose you want the remote address  
# onto a blacklist you could send them to putonblacklist.php
# This uses $_SERVER['HTTP_REFERER'] which the documentation notes
# may not be completely trustworthy.
# ---------------------------------------------------------------------
   $cfrom = CameFrom();
   $m = '';
   if($cfrom == ''){
     $m='Not referred from anywhere';
     $rv = FALSE;
   }else{
     $pw = strtolower('+'.$PossibleWaysToGetHere.'+');
     $hit = strpos($pw,'+'.$cfrom.'+');
     $rv = (!($hit===FALSE));
       // test for reloading page etc which is always allowed
   }
   if(!$rv){
     $m .= "<br>Allowed:$PossibleWaysToGetHere";
     // MSG() is the poster's own error-reporting helper (not shown)
     MSG('CheckComeFrom failed','',$m,$cfrom);  // Standard error message
   }
   return $rv;
}

# ---------------------------------------------------------------------
function CameFrom(){
# Return the calling page without any base bits or argument bits
# Return '' if no referring page found
# ---------------------------------------------------------------------
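     // the Referer header is absent on direct visits and bookmarks
     $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
     // drop any ?foo=bar bits first so a '/' inside them cannot alter basename()
     $comefrom = explode('?',strtolower($ref));
     $comefromfull = basename($comefrom[0]);   // then drop the base bits
     $rv = $comefromfull;
   return $rv;
}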

PETER FOX Not the same since the bookshop idea was shelved
2 Tees Close, Witham, Essex.
Gravity beer in Essex  <http://www.eminent.demon.co.uk>
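
Added example (not code from any poster in this thread): a delete.php that combines the confirm-with-a-button suggestion with a check that the request really came from the confirmation page, using a per-session token in place of the Referer header and no JavaScript. The session-backed object list, the token field name and the messages are assumptions made for illustration.

```php
<?php
// delete.php -- added example, not code from the thread.
// GET  delete.php?obj=ID : shows a confirmation form, changes nothing.
// POST delete.php        : deletes only if the session token matches.
session_start();

// Constructed sample data kept in the session so the file runs on its own
// (php -S localhost:8000); a real page would query its database instead.
if (!isset($_SESSION['objects'])) {
    $_SESSION['objects'] = ['object1' => 'First object', 'object2' => 'Second object'];
}
// One random token per session; it is embedded in every confirmation form.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$isPost = $_SERVER['REQUEST_METHOD'] === 'POST';
$obj = $isPost ? ($_POST['obj'] ?? '') : ($_GET['obj'] ?? '');

if (!is_string($obj) || !isset($_SESSION['objects'][$obj])) {
    http_response_code(404);
    exit('No such object.');
}

if ($isPost) {
    $sent = $_POST['token'] ?? '';
    // The token is only handed out by the confirmation form below, so a
    // bookmarked URL or a request from another site cannot supply it.
    if (!is_string($sent) || !hash_equals($_SESSION['token'], $sent)) {
        http_response_code(403);
        exit('Confirmation token missing or wrong; nothing was deleted.');
    }
    unset($_SESSION['objects'][$obj]);
    exit('Deleted ' . h($obj) . '.');
}
?>
<!-- Reached by GET (including from a bookmark): only asks for confirmation. -->
<p>Delete <?= h($obj) ?> (<?= h($_SESSION['objects'][$obj]) ?>)?</p>
<form action="delete.php" method="POST">
  <input type="hidden" name="obj" value="<?= h($obj) ?>" />
  <input type="hidden" name="token" value="<?= h($_SESSION['token']) ?>" />
  <input type="submit" value="Yes, delete it" />
</form>
```

The [delete] links in the listing stay plain GET links to delete.php?obj=..., so a bookmarked one only ever reaches the confirmation page.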

Re: quandary using GET

swpulitzer@yahoo.com wrote:

If you don't re-use ID values, then as long as delete.php doesn't format  
your hard-drive when asked to delete a non-existent ID value, you're OK,  


Re: quandary using GET

Thanks for all your input, guys. To answer Oli and Peter's questions,
you're right. Normally there wouldn't be a problem. I am reusing ID
values, though, so there is the possibility that something could get
accidentally deleted. The input has given me an idea for an approach.
