Following on from sw********@yahoo.com's message...
I have a page that lists a bunch of objects, stored in a database, to
the user. After each object I'd like to do something like:
object1 [edit] [delete]
object2 [edit] [delete]
and so on, where "edit" and "delete" are links. Right now, each link
uses GET to pass the object ID to the script that will deal with it.
For example, the urls for the first object links are something like:
edit: http://www.host.com/edit.php?obj=object1
delete: http://www.host.com/delete.php?obj=object1
and similar for the second...you get the idea. This works alright for
the edit option, since it's okay (even advantageous) for a user to
bookmark it. However, it's problematic for the delete option. If a user
bookmarks it, and then tries to visit the site later, they might
unintentionally delete something. I can't use POST since this doesn't
lend itself to a form. I know I could throw some javascript in there to
handle it, but I'm trying to avoid javascript as much as possible.
Does anyone know a better way to do this? Thanks.
So what? If they really _bookmark_ a delete link who cares - what's
going to explode? Obviously delete.php checks lots of things before
doing anything *because it has to trap lots of other abuse anyway*.
ONE of these tests might be to check you've just come from a page where
deleting is 'on the menu'.
# ---------------------------------------------------------------------
function CheckComeFrom($PossibleWaysToGetHere,$Destination='pp000.php'){
# This is a security function which chucks the user out
# if the referring page is not one of those supplied in the list
# Returns TRUE if all is OK
#
# Put near the top of a script in a not-if {exit;}
# (The actual jump to the destination will be done in this script but the exit
# is to tidy up any stack of script execution.)
#
# eg if(!CheckComeFrom('foo.php')){exit;}
#
# Multiple come-froms can be specified by splitting names with a + sign
# eg 'foo.php+bar.php+fox.php'
#
# Destination can be overridden. Suppose you want the remote address put
# onto a blacklist you could send them to putonblacklist.php
#
# This uses $_SERVER['HTTP_REFERER'] which the documentation notes
# may not be completely trustworthy. (The header is supplied by the
# client, so it can be omitted or set to any value; treat this as a
# nuisance filter rather than proof of where the request came from.)
# ---------------------------------------------------------------------
$cfrom = CameFrom();
$m = '';
$rv = FALSE;
if(!$cfrom){
$m='Not referred from anywhere';
}else{
$pw = strtolower('+'.$PossibleWaysToGetHere.'+');
$hit = strpos($pw,'+'.$cfrom.'+');
$rv = ($hit!==FALSE);
if(!$rv){
// test for reloading page etc which is always allowed
$rv=($cfrom==strtolower(basename($_SERVER['PHP_SELF'])));
}
if(!$rv){$m="From:$cfrom";}
}
if($m){
$m .= "<br>Allowed:$PossibleWaysToGetHere";
MSG('CheckComeFrom failed',$Destination,$m,$cfrom); // Standard error message screen
exit;
}
return $rv;
}
# ---------------------------------------------------------------------
function CameFrom(){
# Return the calling page without any base bits or argument bits
# Return '' if no referring page found
# ---------------------------------------------------------------------
if(empty($_SERVER['HTTP_REFERER'])){
$rv='';
}else{
// Take the path component only, so a '/' inside ?foo=bar/baz or a
// #fragment cannot change what basename() returns
$path = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH);
$rv = ($path===NULL || $path===FALSE) ? '' : strtolower(basename($path));
}
return $rv;
}
# ---------------------------------------------------------------------
# MSG() is the author's standard error-message screen and is not shown in
# the post. This minimal stand-in (an assumption, so the above runs as-is)
# prints the message and, if a destination is given, sends the user there.
# ---------------------------------------------------------------------
if(!function_exists('MSG')){
function MSG($Title,$Destination,$Text,$Extra=''){
echo '<h1>'.htmlspecialchars($Title,ENT_QUOTES,'UTF-8').'</h1>';
echo '<p>'.$Text.'</p>';
if($Destination!==''){ echo '<p><a href="'.htmlspecialchars($Destination,ENT_QUOTES,'UTF-8').'">Continue</a></p>'; }
}
}
--
PETER FOX Not the same since the bookshop idea was shelved
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
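The referrer test above only filters accidents: the Referer header is written by the client, so anything that sets it (a curl command with -H 'Referer: ...', a forged form on another site whose browser sends it naturally) passes, and privacy settings or bookmarks drop it entirely. What actually stops a bookmarked or cross-site delete is the thing the original poster thought was unavailable: a POST form per row, with a per-session anti-CSRF token that delete.php verifies before touching the database. The following is an added example, not code from either poster; the file names (objects.php, edit.php, delete.php), the object-id pattern and the $delete_object callback are illustrative assumptions, and the original poster's storage layer is not shown.

```php
<?php
// Added example: bookmarkable GET for edit, POST + session token for delete.
// Requires PHP 7.4+ (random_bytes, hash_equals, arrow functions).

session_start();

// One random token per session, created on first use and reused thereafter.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function csrf_token_is_valid(?string $submitted, ?string $expected): bool {
    if (!is_string($submitted) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// One listing row for objects.php: a plain link for edit (safe to bookmark),
// a one-button form for delete. No JavaScript is involved; the button submits.
function render_row(string $id, string $label, string $token): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return $h($label)
        . ' <a href="edit.php?obj=' . rawurlencode($id) . '">[edit]</a> '
        . '<form method="post" action="delete.php" style="display:inline">'
        . '<input type="hidden" name="obj" value="' . $h($id) . '">'
        . '<input type="hidden" name="csrf_token" value="' . $h($token) . '">'
        . '<button type="submit">[delete]</button>'
        . '</form>';
}

// Decision logic of delete.php, kept apart from the request globals so it can
// be reasoned about on its own. Returns null when the delete may proceed,
// otherwise the reason for refusing.
function delete_refusal(string $method, array $post, array $session): ?string {
    if ($method !== 'POST') {
        // Bookmarks, link prefetchers and crawlers all arrive as GET.
        return 'delete requires POST';
    }
    if (!csrf_token_is_valid($post['csrf_token'] ?? null, $session['csrf_token'] ?? null)) {
        // A form planted on another site cannot read the victim's session token.
        return 'missing or invalid CSRF token';
    }
    // Assumed id format; adjust to whatever the real object ids look like.
    if (!isset($post['obj']) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $post['obj'])) {
        return 'malformed object id';
    }
    return null;
}

// Front half of delete.php: map the request onto the decision, then either
// refuse or delete and redirect (POST-redirect-GET, so a browser reload of
// the result page never repeats the delete).
function handle_delete_request(callable $delete_object): void {
    $why = delete_refusal($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $_SESSION);
    if ($why !== null) {
        http_response_code($why === 'delete requires POST' ? 405 : 403);
        echo 'Refused: ' . htmlspecialchars($why, ENT_QUOTES, 'UTF-8');
        return;
    }
    $delete_object($_POST['obj']);          // reached only for a genuine POST with a valid token
    header('Location: objects.php', true, 303);
}

// objects.php would do something like:
//   foreach ($objects as $id => $label) { echo render_row($id, $label, csrf_token()), "<br>\n"; }
// delete.php would do:
//   handle_delete_request(function (string $id): void { /* DELETE ... WHERE id = ? */ });
```

With this in place the Referer check can stay as a logging signal if you like, but nothing depends on it: a bookmarked delete.php URL is a GET and gets a 405, and a cross-site form post lacks the token and gets a 403, regardless of what the Referer header says or whether it is present at all.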