alex_ire, Posted September 24, 2012

I am looking for help in the best, most efficient way to do the following.

I have a web page with a standard HTML table that is populated from data in MySQL using PHP based on the user logged in to the website. The table will show different records per user and will have a small amount of data, say 1-5 rows.

What I now want to do is direct the user to a new web page when the user clicks on a row and to pass the ID (from the database) of the row selected to the new page. So a standard master/detail set-up.

This I can do with a standard anchor and using $_GET. However, for security concerns with $_GET I would rather not use this method as it is possible for anyone to modify the URL with different IDs and they may then see data I don’t want them to see. I could put some more rigorous authentication in the detail page, but if I were to use the $_POST method there is no need to do that.

But how can I use the $_POST method from a table that is dynamically populated with MySQL data? If I assign the unique ID from the data record to the name property of a button in the table, as this is different every time I can’t access this with $_POST in the detail page.

I am sure this is a common requirement and I am missing something simple. Any advice on how to build links in a table dynamically populated from MySQL without using the $_GET method would be appreciated.

Thanks all.

PFMaBiSmAd, Posted September 24, 2012 (edited)

"they may then see data I don’t want them to see."

Each page request must check what the current visitor can see or do on that page. Then there's no security issue with passing the id on the end of the URL or via POST data (which can be manipulated almost as easily as GET data).

For example, if I visit your profile on this forum by putting your userid/username on the end of the URL, I see only those things which I am allowed to see. If I visit my own profile on the forum, since I am the owner of the profile, I can see and change all the information, which any other non-mod/admin member cannot. It's up to your code on each page to determine what each visitor can do on that page.

Edit: and using a GET parameter to specify what content a page shows is the preferred method. POST 'should' be used when submitting data to a page that, once the submitted data is processed, either redisplays or redirects to a different page.

Edited September 24, 2012 by PFMaBiSmAd: added info
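
The per-request check PFMaBiSmAd describes, as an added example that is not part of the original thread: the detail page takes the id from the request but only returns the row if it belongs to the logged-in user. The table and column names, the session key, the in-memory SQLite database standing in for MySQL, and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the thread): records(id, owner_id, title).
// In-memory SQLite stands in for MySQL so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT NOT NULL)');
$db->exec("INSERT INTO records (id, owner_id, title) VALUES
    (1, 10, 'Invoice A'), (2, 10, 'Invoice B'), (3, 20, 'Invoice C')"); // constructed sample rows

/**
 * Return the record only if it belongs to the logged-in user.
 * $rawId is whatever arrived in $_GET['id'] or $_POST['id']; both are client-controlled.
 */
function fetch_record_for_user(PDO $db, int $userId, $rawId): ?array
{
    // Reject anything that is not a positive integer before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return null;
    }
    // The ownership condition is part of the query, so a guessed id returns nothing.
    $stmt = $db->prepare('SELECT id, title FROM records WHERE id = :id AND owner_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// On the real detail page $userId would come from the session set at login,
// e.g. $_SESSION['user_id'] (assumed name), never from the request.
$userId = 10;
$requests = ['1', '3', 'abc', null]; // own row, another user's row, malformed, missing
foreach ($requests as $rawId) {
    $record = fetch_record_for_user($db, $userId, $rawId);
    if ($record === null) {
        // Same response for "does not exist" and "not yours": no hint about valid ids.
        echo var_export($rawId, true), " => 404 Not Found\n";
    } else {
        echo var_export($rawId, true), " => ", $record['title'], "\n";
    }
}
```

The same function serves a GET link or a POST form unchanged, because the decision rests on the session user and the row's owner, not on how the id was transported.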

krakjoe, Posted September 24, 2012

Proper forms: Using type=hidden on every input, draw the form for each item that's clickable and assign a unique id, draw a normal link around the item but href=#, then attach an event to the normal link element so that link.onclick fires form.submit.

Framework only: Of course it may not be desirable for that much markup to be included in the page, in which case store the relational data (that would be in a form) by some other means, session, apc etc, and just use a framework and ids to attach an event to a normal link to # that creates an XHR post.

Christian F., Posted September 24, 2012

I must confess that I'm highly confused as to what krakjoe really is replying to, and what he means to achieve with what he wrote. In any case, he is wrong about AJAX being "framework" only.

Not that any of what he wrote has any relevance to your question, alex, so I'd focus on what PFMaSi wrote. That's the correct answer.