Re: Avoid 'GET' method

Posted by Gordon Burditt on 07/18/05 22:54

>Have you tried using hidden fields in a single form?

I don't see how to do that, as the value of the hidden field has to
identify which record is to be affected.

>You can use
>JavaScript's onclick method to set your hidden fields based on the link you
>click, and then to submit the form using formname.submit(); - your form can
>then use the POST method. You can use the onsubmit=return confirm('are you
>sure you want to delete'); to make sure a link checker never gets to delete
>anything... it's also a good idea to have a JavaScript confirmation for your
>users as they may not want to delete.

JavaScript is Turned Off(tm) until someone comes up with a browser
that can have JavaScript selectively enabled by as sophisticated a
filter as Firefox has for cookies (enable for JavaScript from
specific hosts ONLY). And even then I'd have a hard time getting
it accepted by the admins in question. It manages to lock up
browsers too often, and having to remember to turn it off after
"temporarily" enabling it is a problem. Admins sometimes have to
investigate SPAM complaints, and this may lead them to follow links
in SPAM with malicious JavaScript (the most obnoxious that aren't
coupled with viruses are the ones that open two windows when you
close one).

Forms like this are for use by people who are supposed to know what
they are doing. Altering raw DNS records is not for the casual
user. Also, re-entering a single accidentally-deleted DNS record
does not require a lot of typing to re-enter. And there is a history
log of changes.

Other uses of pages like this are for personal applications like a
To Do list, which only one person will be using, me. One click to
mark something done. No confirmation. But the record isn't deleted,
so undoing the change is possible (but not as convenient). I have
yet to need to do that yet.

>Remember, of course, that this does
>not stop anyone from deleting records with malicious intent - they can
>submit a form from any other web site that is identical to yours - so you
>will need an additional verification (login with cookies/session, etc).

There's already .htaccess requiring passwords *AND* a very limited
set of IP addresses that it can be used from on the whole virtualhost.
The malicious intent problem is basically solved by firing anyone
found to be doing anything malicious, and keeping good backups.

Gordon L. Burditt
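
An added example, not part of the original post: one way to get per-record POST actions with JavaScript turned off is to render one small form per row, each carrying the record id in a hidden field, and to check a session token so that an identical form hosted on another site is rejected. The record data, the field names `id` and `csrf`, and the helper `delete_dns_record()` are hypothetical; it assumes PHP 7 or later with sessions enabled.

```php
<?php
// Added illustration; field names and delete_dns_record() are hypothetical.
session_start();

// One token per session; a form served from another site cannot read it.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Constructed sample data standing in for the real record store.
$records = [
    17 => 'www.example.com. A 192.0.2.10',
    18 => 'mail.example.com. MX 10 mx.example.com.',
];

function delete_dns_record(int $id): void
{
    // Placeholder: the real application would remove the record and log the change.
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['csrf'] ?? '';
    $id    = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    // Constant-time comparison against the token stored server-side.
    if (!is_string($token) || !hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Bad or missing token');
    }
    if ($id === null || $id === false || !isset($records[$id])) {
        http_response_code(400);
        exit('Unknown record');
    }
    delete_dns_record($id);
    // Redirect so that a reload does not resubmit the POST.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

// GET only renders the list, so a link checker following links changes nothing.
foreach ($records as $id => $text) {
    echo '<form method="post">',
         '<input type="hidden" name="id" value="', (int) $id, '">',
         '<input type="hidden" name="csrf" value="',
         htmlspecialchars($_SESSION['csrf'], ENT_QUOTES), '">',
         htmlspecialchars($text, ENT_QUOTES),
         ' <input type="submit" value="Delete">',
         '</form>', "\n";
}
```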

 
