Building a Weblog: Part 2 / Page 3
Viewing Specific Entries
When index.php was created, three distinctive sections were added to the page:
In the main blog entry and previous entry sections, you link to another page called viewentry.php. The viewentry.php page has a number of important features:
This page is an important step in building the blog, so without further ado, it's time to get going and do some coding!
Validating the Request URL
The first step for the viewentry.php page is to ensure it's requested with valid data. Whenever you work on a Web project, it is important to verify that any changeable information (such as the ID of an entry or comment) is legitimate. This verification process is known as validation. In this project, validation is applied only to the variables that are added to the address of the site. These variables are visible, and the user can change them by editing the address in the browser.
Validation, Step by Step
The reason you will validate only GET variables, and not other types of information, is to make validation easier to learn. This application introduces some basic concepts and keeps things simple. Later projects in the book explore validation in more detail, and you can return to earlier projects and apply these skills later.
Although GET variables can be set to letters or numbers, virtually every GET variable in this book is set to a number. When you created index.php and the links to viewentry.php, each of them included a GET variable that contained a numeric id.
To validate a numeric variable, feed it into a block of code that runs some simple tests. Add the following code to the beginning of viewentry.php:
The first line includes config.php. Unlike the previous example, header.php has not been included (yet). If validation fails, you'll redirect users to another page, so there's no need to show the HTML in header.php until these tests have passed.
The next line is the first if condition. The isset() function checks to see if the GET variable exists. If it does, isset() returns TRUE; if not, validentry is set to 0.
Redirection Fun and Games
Redirection is when you automatically jump to another page on the Web site. There are two main methods of redirecting to a page:
- Use JavaScript. The problems with this technique are that not all browsers fully support JavaScript, and users and network managers can also turn off JavaScript.
- Use HTTP headers. Use the HTTP headers that are sent with every Web page to move the browser to a different page. This technique is supported by every browser, but it can occur only before any data is sent to the client. This same restriction applies to sessions when you use session_start() at the beginning of a page.
As a general rule, use HTTP headers for redirection, because of its availability in all browsers and ease of use.
Assuming a variable is being sent, a check is made to ensure the value is numeric; if someone sets the variable to "bananas," for example, this is obviously incorrect. The is_numeric() function tests the GET variable; if the result is false, error is set to 1.
The Nasty World of SQL Injection
One of the risks of using GET variables is SQL injection. Imagine that you have a SQL statement such as the following:
SELECT * FROM entries WHERE id = <id value>
and where <id value> is, you add the value from the GET variable:
$sql = "SELECT * FROM entries WHERE id = " . $_GET['id'];
This code assumes that the value of id is numeric. If you don't check for this, a malicious user could try to inject SQL code into the query. Imagine what would happen if the user added 1; DROP DATABASE blogtastic; as the value. The following SQL is now executed:
SELECT * FROM entries WHERE id = 1; DROP DATABASE blogtastic;
This code would result in a lost database (assuming the user had appropriate permissions, and that the database extension runs more than one statement per call; the classic mysql_query() function does not, but an attacker who controls the text of the query has plenty of other options, such as 1 OR 1=1 to return every entry). To protect against this risk, always ensure that numeric GET values are actually numeric. Better still, cast the value to an integer or bind it as a parameter in a prepared statement, so that the database never interprets user input as SQL.
Next, if error is indeed equal to 1 (indicating a non-numeric value), the header() command redirects to the main page. The header() command is passed the Location header and the full location to redirect to (such as Location: https://localhost/blogtastic/). In the code, the "Location:" text is added, and then the location is picked out of the config_basedir variable from config.php. Note that header() only adds the header to the response; it does not stop the script. Follow it with exit so that nothing further is generated for an invalid request.
When using the Location header, you will need to provide a complete URL such as https://www.foo.com/, as opposed to www.foo.com or foo.com.
If error is not set to 1, the validentry variable is set to the value of the GET variable. With this validation in place, the code that displays an entry runs only with a valid GET variable.
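The following viewentry.php prologue is an added example, not the book's listing (which is omitted from this page). It performs the validation walked through in the steps above and also closes out the SQL injection sidebar by binding the id into the query instead of concatenating it. It assumes config.php sets $config_basedir, as the text says, and additionally assumes a PDO connection in $db. It swaps is_numeric() for filter_var() with FILTER_VALIDATE_INT, because is_numeric() also accepts values such as 1.5 and 1e3 that are not valid entry IDs.

```php
<?php
// Added example, not the book's code. Assumes config.php defines $config_basedir
// (as the text says) and, as an added assumption, a PDO connection in $db.
declare(strict_types=1);

require 'config.php';

/**
 * Inspect the id GET variable.
 *   - returns 0 when no id was sent at all (the page then shows no entry),
 *   - returns null when an id was sent but is not a positive integer,
 *   - returns the id as an int otherwise.
 *
 * is_numeric() alone would accept "1.5" and "1e3"; FILTER_VALIDATE_INT accepts
 * only an optionally signed decimal integer, and min_range rejects 0 and negatives.
 * An array value such as ?id[]=1 also fails filter_var() and is rejected.
 */
function entry_id_from(array $get): ?int
{
    if (!isset($get['id'])) {
        return 0;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;   // "bananas", "1; DROP DATABASE blogtastic;" -> null
}

$validentry = entry_id_from($_GET);

if ($validentry === null) {
    // Send the redirect before any output, then stop: header() alone does not end the script.
    header('Location: ' . $config_basedir);
    exit;
}

$entry = null;
if ($validentry > 0) {
    // The sidebar's query with the id bound as an integer parameter rather than
    // spliced into the SQL text, so the database never parses user input as SQL.
    $stmt = $db->prepare('SELECT * FROM entries WHERE id = :id');
    $stmt->bindValue(':id', $validentry, PDO::PARAM_INT);
    $stmt->execute();
    $entry = $stmt->fetch(PDO::FETCH_ASSOC);
}

// Only now, with validation done and the redirect case handled, is it safe to send HTML.
require 'header.php';
```

The validation is kept in a function so the same check can be reused for other numeric GET variables (comment IDs, for example); the prepared statement means that even if a check were later removed or weakened, the id could only ever reach the database as a bound integer.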
Don't Confuse the User with Errors
When an invalid variable is detected, this script redirects to a legitimate page instead of displaying an error message. When considering the usability of your Web application, it generally makes sense to redirect rather than report an error. Error messages are rarely useful to users, and anyone who has the knowledge to adjust the GET variable on the URL is probably fully aware that they are tampering with the application instead of using it. Automatically redirecting avoids potentially confusing the user with error messages.