iwato Posted September 25, 2017
I recently stumbled on still another piece of code to which I am not accustomed:
<a href="?edit=<?php echo $row['obs']; ?>" onclick="return confirm('sure to edit !'); " >edit</a>
How does one read the phrase ?edit= in plain English?
Roddy
dsonesuk Posted September 25, 2017
It will reload the page with querystring '?edit=whatever', then php will read this using $_GET['edit'].
Gabrielphp Posted September 25, 2017
It doesn't have a plain reading. You use that question mark because it is a query string.
From https://www.freeformatter.com/url-parser-query-string-splitter.html:
What's the 'query string' in a URL?
The query contains extra information that is usually in the key-pair format. Each pair is usually separated by an ampersand & character. It follows the ? character.
Examples:
http://www.foo.bar/image.jpg?height=150&width=100
https://www.secured.com:443/resource.html?id=6e8bc430-9c3a-11d9-9669-0800200c9a66#some-heade
justsomeguy Posted September 25, 2017
Just to clarify, if the link is a query string only and does not contain the rest of the URL, it uses the current URL of the page with the new query string.
dsonesuk Posted September 25, 2017
Yes! because the chances of it plucking any url or actually landing on a page called ?edit=whatever is pretty substantial.
iwato Posted September 26, 2017
Based on the aforesaid, it appears to be a dangerous short-cut. Would it be better to write the query, say with a PHP magical constant?
Edited September 26, 2017 by iwato
justsomeguy Posted September 26, 2017
It's fine to use that style to refer to the current page. PHP's magic constants wouldn't help though, there's not one that refers to the current URL. You can build the URL from the $_SERVER array, but it's not necessary if you're just linking to the current page.
iwato Posted September 26, 2017
JSG: What do you think was meant by the words,
Quote: "the chances of it plucking any url or actually landing on a page called ?edit=whatever is pretty substantial"
There appears to be a degree of uncertainty in this method. How do you respond to Dsonesuk on this matter?
dsonesuk Posted September 26, 2017
There is only one URL it could use, the current page's. So the querystring can only be added to the end of THAT url when the page reloads after clicking the link, it didn't need clarifying.
justsomeguy Posted September 26, 2017
There's no uncertainty. When you click on a link like that and the browser is building the URL to request, if the link only contains a querystring then the browser will use the current page, add the querystring to it (or replace an existing one), and use that as the URL for the request. There's honestly not a lot to say on this topic, it's pretty basic. It's just a link to the current page with a new querystring. It wouldn't matter whether or not someone managed to actually create a file with that name on the server because the browser wouldn't request that file anyway, it's going to request the current page again.
iwato Posted September 26, 2017
Dsonesuk and JSG:
QUESTION ONE: The first time that the page is requested there is no HTTP Request. If I have understood correctly, when the link in question is clicked, the page is reloaded and a $_GET variable is generated. Because the page opens to itself, is there a need for sanitization?
QUESTION TWO: Is it necessary to reload the page in order to generate an HTTP request? Or, is it enough that the statement that receives the request be included from another file?
Roddy
Edited September 26, 2017 by iwato
dsonesuk Posted September 26, 2017
The page is reloaded because you are clicking a link which will call itself because no other url is requested, but! the current page url will have the querystring attached to it as well. When the page reloads, if this page has php code that will check and read the name and value transferred with the querystring using $_GET[], this value can be passed onto a php variable.
Yes! you should sanitize, as it is a querystring viewable and editable from address bar.
You could prevent page reloading by using JavaScript, then by using AJAX, process the data from external php page and return result.
justsomeguy Posted September 26, 2017
Quote: "The first time that the page is requested there is no HTTP Request."
What does that mean? How are you opening it? Are you just double-clicking on a file on your computer or something? If so, the PHP code won't run at all. Or, if it's actually on a web server, then there's always a request. The server responds to requests, that's its job.
iwato Posted September 27, 2017
Dsonesuk: So, if I have understood correctly, always sanitize when using $_GET requests.
JSG: I get your point. When I think of HTTP requests, I rarely think in terms of the $_SERVER variable, as the request and response are performed automatically and are rarely visible except for the realized webpage. I should probably have written "The first time that the page is requested there is no QUERY_STRING", for this would cover both $_GET and $_POST requests as was my original intention.
Roddy
dsonesuk Posted September 27, 2017
You should sanitize for any request $_GET, $_POST (data from forms) or $_REQUEST, any of these can be used to insert code. Check out exploits section of https://www.w3schools.com/PhP/php_form_validation.asp
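An added example, not written by any poster in this thread, of what sanitizing the ?edit= value can look like in practice: validate the value when it arrives in $_GET, and encode it when it is written back into a link. The function names parse_edit_id and edit_link, the assumption that obs is a positive integer id, and the sample rows and query strings are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for the result set behind $row['obs'].
$rows = [['obs' => 7], ['obs' => 12]];

/**
 * Validate the ?edit= value: accept only a positive integer id.
 * Returns the id as int, or null when the parameter is missing or malformed.
 */
function parse_edit_id(array $query): ?int
{
    if (!isset($query['edit']) || !is_string($query['edit'])) {
        return null; // absent, or sent as an array (?edit[]=7)
    }
    $id = filter_var($query['edit'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Build the query-string-only link from the thread, encoding the value for the
 * URL first (rawurlencode) and then for the HTML attribute (htmlspecialchars).
 */
function edit_link($obs): string
{
    $href = '?edit=' . rawurlencode((string) $obs);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">edit</a>';
}

// Constructed query strings, as a visitor could type them into the address bar.
$samples = ['edit=7', 'edit=7%20OR%201=1', 'edit[]=7', 'edit=%3Cscript%3E', ''];

foreach ($samples as $qs) {
    parse_str($qs, $query); // same decoding PHP applies when it fills $_GET
    $id = parse_edit_id($query);
    printf("%-20s => %s\n", $qs === '' ? '(none)' : $qs, $id === null ? 'rejected' : "edit row $id");
}

// Links rendered for the constructed rows.
foreach ($rows as $row) {
    echo edit_link($row['obs']), "\n";
}
```

In a real page the array passed to parse_edit_id would be $_GET itself, and a null result would skip the edit branch entirely.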
dsonesuk Posted September 27, 2017
Only 'get' request uses querystring, the passing of 'post' data is hidden and not shown in the address bar.
iwato Posted September 27, 2017
In this same context.
BACKGROUND: I have two pages: one called index.php and another called crud.php. The latter page is included into the index.php page when the index.php is requested. Inside the index.php file is a form that produces several post variables that are transferred via a $_POST superglobal when the form data is submitted. The resulting $_POST superglobal is examined for content via an isset( ) function that is part of the condition of an if-statement found in crud.php. The data contained in the $_POST is then processed and sent to a MySQL database within the body of the if-statement. At no point in this procedure is the $_SERVER superglobal invoked. The form element's method attribute is simply set to post. The action attribute is omitted.
QUESTION: From the point of view of the browser, is the transfer of data from the form to the if-statement and eventually to the database all conducted on the same page?
Edited September 27, 2017 by iwato
dsonesuk Posted September 27, 2017
No 'action' attribute means it will default to action="", which means it will submit to itself. As the page is loaded, it is read from top to bottom and any includes are read top to bottom, at the end of the include it will continue reading through the main page again. While going through crud.php include, it will process any specific $_POST request targeted that is present at that time, if none exist, it will proceed with else condition or move on to rest of main page.
iwato Posted September 27, 2017
In short, there is no page reload. Is this correct?
justsomeguy Posted September 27, 2017
Quote: "Only 'get' request uses querystring, the passing of 'post' data is hidden and not shown in the address bar."
That's not technically true, it's fine to do this:
<form method="post" action="process.php?submit=true">
Quote: "In short, there is no page reload. Is this correct?"
If you're submitting the form then the page is reloading. Maybe not technically a reload, but the browser is sending a new request to the server. You can open your browser's developer tools and go to the Network tab to see the requests and responses.
iwato Posted September 27, 2017
Quote: "You can open your browser's developer tools and go to the Network tab to see the requests and responses."
So, if upon clicking on the submit button with the console turned on, the same page appears under Network, then the page has reloaded. Is this correct?
justsomeguy Posted September 27, 2017
When I use the term "reload" or "refresh" I usually refer to the actual refresh button, and in that sense no, it doesn't reload. It sends a new request, not the same one as before. Not all requests result in the entire page being redrawn though, you can use ajax to send requests and then only change part of the page. If you're not using ajax and you submit a form, then yes the browser will send a request and redraw the entire page.
iwato Posted September 27, 2017
Yes, I am preparing AJAX now. First, I had to discover a good CRUD model. There are several on the net, and always they are filled with new code that takes a while to wade through. The discovery is interesting and has nearly always proven beneficial, but the process is long and arduous.
Back to my question: I assume that most browser network consoles operate similarly. If the page appears in the console as previously described, what is being evidenced -- any and all HTTP requests?
justsomeguy Posted September 27, 2017
The network tab shows all requests sent by the browser. For images, CSS files, Javascript files, whatever, every request. If you click on the request you can also see the request and response headers, and the response from the server.