
gbarriosf

Zebra pagination in MVC


Regards.

 

I'm trying to use a paginator class in my MVC application. The following line of code is intended to construct the links to the pages:

 

"<a class=\"paginate\" href=\"$_SERVER[php_SELF]?page=$prev_page&ipp=$this->items_per_page\">« Previous</a> ":"<span class=\"inactive\" href=\"#\">« Previous</span> "

 

The problem is that when the actual URL is something like this: http://proyectosena.hol.es/Plantilla/vistaPrincipal.php?pg=../vistas/prueba.php, the link constructed appears like this: http://proyectosena.hol.es/Plantilla/&page=2&ipp=25

 

I've tried several ways of constructing the links using various of the $_SERVER options, but I always get the same result.

 

The application's main frame is a file with three included files, and this is the code:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>empresa ADSI - VIRTUAL</title>
<link rel="stylesheet" type="text/css" href="../css/actividades.css" />
<link rel="stylesheet" type="text/css" href="../css/jtable.css" />
</head>

<body>
<div id="divContenedor">
<?php include "../Plantilla/encabezado.php"; ?>
      <div id="contentwrap">
        <?php include "../Plantilla/".$pg; ?>
      </div>
    <div><?php include "../Plantilla/piePagina.php"; ?></div>
</div>
</body>
</html>

Attached files: Paginator.php, prueba.php, vistaPrincipal.php


Your page controller is using a GET parameter pg=file. The pagination logic is adding its own page and ipp GET parameters. The easiest way of letting each different piece of your code independently manipulate the GET parameters when building links is to use http_build_query().

 

If you search this forum for http_build_query, you will find a number of examples.

 

Basically, the pagination code will use any existing $_GET parameters (pg, search/filter terms...), set only the 'page' and 'ipp' values that it is responsible for, then build the query string to put onto the end of the links using the resulting set of combined data.

 


 

Some security issues in your code:

 

1) You should NOT use extract($_REQUEST); this will allow hackers to set any of your program variables to anything they want. It also makes more work for you, the programmer, because you must now keep track of which program variables are magically appearing in your code due to the extract(), to ensure you don't overwrite anything, now or when you make changes to the code in the future. Use the proper external variables ($_GET, $_POST, $_COOKIE) and forget about magically populating PHP variables.

 

2) Your login check code needs an exit; statement after the header() redirect to prevent the protected code from running. Without the exit;, all a hacker needs to do is ignore the redirect and he can still access your pages.

 

3) You MUST validate that the pg=file value is a valid page that is permitted for the current visitor. Because you are using the value in an include statement, a hacker can otherwise include ANY file on your server, so he could include an administrative file even though he isn't an administrator on your site.

 

4) In some versions of PHP, $_SERVER['PHP_SELF'] also contained the submitted query string, which can contain arbitrary cross-site scripting code. It should not be used, or, if it is used, care must be taken when you echo it out on a page to render any HTML/JavaScript/CSS in it inoperable.
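As an added example (not the poster's code and not Zebra_Pagination's own code), here is a front controller in the shape of vistaPrincipal.php that applies the http_build_query() approach from the pagination paragraph above and addresses the four issues listed in this reply: no extract(), exit after the redirect, a fixed map of includable views, and no PHP_SELF in the links. The view names, file paths, session keys and the total page count are assumptions made for the example.

```php
<?php
// Added example, not the original poster's code and not Zebra_Pagination's.
// View names, paths, session keys and the page count below are assumptions.
declare(strict_types=1);

// Issues 1 and 3: no extract($_REQUEST). The pg= value is a KEY into a fixed
// map, never a path, so only the files listed here can ever be included.
const PUBLIC_VIEWS = [
    'inicio' => '../vistas/inicio.php',   // assumed path
    'prueba' => '../vistas/prueba.php',   // assumed path
];
const ADMIN_VIEWS = [
    'usuarios' => '../vistas/usuarios.php', // assumed admin-only view
];

/** Return the file for a view key, or null when it is unknown or not permitted. */
function resolveView(string $pg, bool $isAdmin): ?string
{
    if (isset(PUBLIC_VIEWS[$pg])) {
        return PUBLIC_VIEWS[$pg];
    }
    if ($isAdmin && isset(ADMIN_VIEWS[$pg])) {
        return ADMIN_VIEWS[$pg];
    }
    return null;
}

// Issue 2: the redirect must be followed by exit; otherwise a client that
// simply ignores the Location header still receives the protected output.
function requireLogin(): void
{
    if (empty($_SESSION['usuario'])) {      // assumed session key
        header('Location: login.php');
        exit;
    }
}

// Pagination links: start from a copy of the current query (pg, filters...),
// override only page and ipp, and let http_build_query() encode it.
// A bare "?..." href points at the current script, so PHP_SELF is not needed.
function pageUrl(array $baseQuery, int $page, int $ipp): string
{
    $baseQuery['page'] = $page;
    $baseQuery['ipp']  = $ipp;
    return '?' . http_build_query($baseQuery);
}

// Issue 4: everything placed in an attribute is escaped (this also turns the
// "&" between parameters into "&amp;", as required inside HTML attributes).
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderPagination(array $query, int $current, int $totalPages, int $ipp): string
{
    $html = $current > 1
        ? '<a class="paginate" href="' . attr(pageUrl($query, $current - 1, $ipp)) . '">&laquo; Previous</a> '
        : '<span class="inactive">&laquo; Previous</span> ';
    for ($p = 1; $p <= $totalPages; $p++) {
        $html .= $p === $current
            ? '<span class="current">' . $p . '</span> '
            : '<a class="paginate" href="' . attr(pageUrl($query, $p, $ipp)) . '">' . $p . '</a> ';
    }
    $html .= $current < $totalPages
        ? '<a class="paginate" href="' . attr(pageUrl($query, $current + 1, $ipp)) . '">Next &raquo;</a>'
        : '<span class="inactive">Next &raquo;</span>';
    return $html;
}

// ---- request handling, what vistaPrincipal.php would do ----
session_start();
requireLogin();

$pg      = isset($_GET['pg']) && is_string($_GET['pg']) ? $_GET['pg'] : 'inicio';
$page    = max(1, (int)($_GET['page'] ?? 1));
$ipp     = min(100, max(1, (int)($_GET['ipp'] ?? 25)));
$isAdmin = !empty($_SESSION['es_admin']);   // assumed session flag

$view = resolveView($pg, $isAdmin);
if ($view === null) {
    http_response_code(404);
    exit('Página no encontrada');
}

$totalPages = 4;                            // constructed; normally from a count query
$paginacion = renderPagination($_GET, $page, $totalPages, $ipp);

include "../Plantilla/encabezado.php";
echo '<div id="contentwrap">';
include $view;
echo $paginacion;
echo '</div>';
include "../Plantilla/piePagina.php";
```

With a request for vistaPrincipal.php?pg=prueba&page=1&ipp=25, the "Next" link is built as ?pg=prueba&amp;page=2&amp;ipp=25: the pg value survives because it was copied from $_GET, and only page and ipp were overwritten. A request for pg=../vistas/prueba.php or pg=usuarios from a non-admin session gets a 404 instead of an include, because resolveView() only ever returns a path from its two maps.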
