Posted by Peter Fox on 12/22/05 12:30
Following on from swpulitzer@yahoo.com's message. . .
>I have a page that lists a bunch of objects, stored in a database, to
>the user. After each object I'd like to do something like:
>
> object1 [edit] [delete]
> object2 [edit] [delete]
>
>and so on, where "edit" and "delete" are links. Right now, each link
>uses GET to pass the object ID to the script that will deal with it.
>For example, the urls for the first object links are something like:
>
> edit: http://www.host.com/edit.php?obj=object1
> delete: http://www.host.com/delete.php?obj=object1
>
>and similar for the second...you get the idea. This works alright for
>the edit option, since it's okay (even advantageous) for a user to
>bookmark it. However, it's problematic for the delete option. If a user
>bookmarks it, and then tries to visit the site later, they might
>unintentionally delete something. I can't use POST since this doesn't
>lend itself to a form. I know I could throw some javascript in there to
>handle it, but I'm trying to avoid javascript as much as possible.
>
>Does anyone know a better way to do this? Thanks.
>
So what? If they really _bookmark_ a delete link who cares - what's
going to explode? Obviously delete.php checks lots of things before
doing anything *because it has to trap lots of other abuse anyway*.
ONE of these tests might be to check you've just come from a page where
deleting is 'on the menu'.
# ---------------------------------------------------------------------
function CheckComeFrom($PossibleWaysToGetHere, $Destination = 'pp000.php') {
# This is a security function which chucks the user out
# if the referring page is not one of those supplied in the list
# Returns TRUE if all is OK
#
# Put near the top of a script in a not-if {exit;}
# (The actual jump to the destination will be done in this script but
# the exit is to tidy up any stack of script execution.)
#
# eg if(!CheckComeFrom('foo.php')){exit;}
#
# Multiple come-froms can be specified by splitting names with a + sign
# eg 'foo.php+bar.php+fox.php'
#
# Destination can be overridden. Suppose you want the remote address
# put onto a blacklist you could send them to putonblacklist.php
#
# This uses $_SERVER['HTTP_REFERER'] which the documentation notes
# may not be completely trustworthy.
# ---------------------------------------------------------------------
    $cfrom = CameFrom();
    $m = '';
    $rv = FALSE;
    if (!$cfrom) {
        $m = 'Not referred from anywhere';
    } else {
        # Wrap both sides in '+' so 'foo.php' cannot match inside 'xfoo.php'
        $pw = strtolower('+' . $PossibleWaysToGetHere . '+');
        $hit = strpos($pw, '+' . $cfrom . '+');
        $rv = ($hit !== FALSE);
        if (!$rv) {
            // test for reloading page etc which is always allowed
            // (SCRIPT_NAME rather than PHP_SELF: PHP_SELF can carry extra
            // path info, which would make basename() return the wrong name)
            $rv = ($cfrom == strtolower(basename($_SERVER['SCRIPT_NAME'])));
        }
        if (!$rv) { $m = "From:$cfrom"; }
    }
    if ($m) {
        $m .= "<br>Allowed:$PossibleWaysToGetHere";
        // MSG() is the poster's standard error message screen routine;
        // it is not included in this post.
        MSG('CheckComeFrom failed', '', $m, $cfrom);
        exit;
    }
    return $rv;
}
# ---------------------------------------------------------------------
function CameFrom() {
# Return the calling page without any base bits or argument bits
# Return '' if no referring page found
# ---------------------------------------------------------------------
    if (empty($_SERVER['HTTP_REFERER'])) {
        return '';
    }
    # Take the path part of the URL first, then the file name. Calling
    # basename() on the whole URL and splitting on '?' afterwards went
    # wrong whenever the query string itself contained a '/'
    # (eg ...list.php?return=/dir/x would come back as 'x').
    $path = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return '';
    }
    return strtolower(basename($path));
}
--
PETER FOX Not the same since the bookshop idea was shelved
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
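Added illustration (not part of Peter's post): the same referer test written as pure functions over a `$server` array, so it can be run against constructed requests and shows how a bookmarked link, a reload and a referer with a '/' in its query string are each handled. The file names `list.php`, `index.php`, `delete.php` and the function names are made up for this example.

```php
<?php
// Added example, not from the original post: the referer test as pure
// functions over a $server array so it can be run against constructed
// requests. File names (list.php, delete.php) are made up for the demo.

function refererScript(array $server): string {
    // Path part first, then file name, so a '/' in the query string
    // cannot fool basename().
    if (empty($server['HTTP_REFERER'])) {
        return '';
    }
    $path = parse_url($server['HTTP_REFERER'], PHP_URL_PATH);
    return is_string($path) ? strtolower(basename($path)) : '';
}

function cameFromAllowed(array $server, string $allowed): bool {
    $from = refererScript($server);
    if ($from === '') {
        return false;   // bookmark, typed URL, or a header stripped on the way
    }
    $list = explode('+', strtolower($allowed));
    $self = strtolower(basename($server['SCRIPT_NAME']));
    return in_array($from, $list, true) || $from === $self;
}

// Constructed requests, all arriving at delete.php?obj=object1
$cases = [
    'bookmarked link, no Referer'     => [],
    'clicked from the listing page'   => ['HTTP_REFERER' => 'http://www.host.com/list.php'],
    'reload of delete.php itself'     => ['HTTP_REFERER' => 'http://www.host.com/delete.php?obj=object1'],
    'arrived from an unrelated page'  => ['HTTP_REFERER' => 'http://www.host.com/about.php'],
    'query string containing a slash' => ['HTTP_REFERER' => 'http://www.host.com/LIST.php?back=/dir/x'],
];

foreach ($cases as $label => $extra) {
    $server = ['SCRIPT_NAME' => '/delete.php'] + $extra;
    $ok = cameFromAllowed($server, 'list.php+index.php');
    printf("%-33s -> %s\n", $label, $ok ? 'delete allowed' : 'refused');
}

// The Referer header is supplied by the client and may be missing or
// arbitrary, so this only guards against accidental revisits; delete.php
// must still check on its own that this user may delete object1.
```

The bookmark and unrelated-page cases come out as refused, the other three as allowed.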