gerhard
(gerhard@ecolar.co.za)
July 3, 2013, 9:03pm
1
Hi
I have been using the POST button described in this wiki.
At the top of my controller, I have the following
public function filters()
{
    return array(
        'accessControl',
        'postOnly + email', // access 'actionEmail' action via POST request only
    );
}
‘actionEmail’ is executed without error, which means that the button must be creating a POST request, which is correct. But the following code - in the action - sets the value of $test to 1 instead of 2.
if(isset($_GET['id']))
{
    $test=1;
}
if(isset($_POST['id']))
{
    $test=2;
}
Any ideas why?
konapaz
(Konapaz)
July 3, 2013, 10:33pm
2
Hi,
Check in Firebug, in the "Network" section, what happens.
What is the value of url: $(this).attr('href')? Please write alert($(this).attr('href')) in your JavaScript.
Post the results.
gerhard
(gerhard@ecolar.co.za)
July 3, 2013, 11:14pm
3
Hi KonApaz
This is what the alert is showing: /iccap/frontend/www/aut6_mct/email/?id=2
I will check firebug tomorrow.
Thanks
konapaz
(Konapaz)
July 3, 2013, 11:29pm
4
That’s why!
Although your method is POST, the URL contains the id, so isset($_GET['id']) returns true.
If you want to take the id only from $_POST, you have to change the view file to send it as an input with the name 'id' or something similar.
For more help, please post your form-view code.
gerhard
(gerhard@ecolar.co.za)
July 4, 2013, 10:11am
5
KonApaz
Here is a link to my CGridView buttons in another post where I discuss a different problem. Do you need more code from the form-view?
konapaz
(Konapaz)
July 4, 2013, 10:34am
6
Hi again
You won't have any problem using $_GET['id'] instead of $_POST['id'] in this case!
'postOnly + email' prevents access by the GET method, and you can still use $_GET['id'].
So, do you have any problem with that?
gerhard
(gerhard@ecolar.co.za)
July 4, 2013, 10:47am
7
No, I don’t have many problems using $_GET[] in a POST request.
But it sounds crazy. Why does it work like that? Is it safe?
konapaz
(Konapaz)
July 4, 2013, 9:17pm
8
> No, I don’t have many problems using $_GET[] in a POST request.
> But it sounds crazy. Why does it work like that? Is it safe?
If you check with native PHP code, it works the same way.
For example,
if I submit a form with username and password from the URL below,
localhost/test/index.php?a=1, then the result of the GET and POST variables is:
$_GET['a'] = '1'
$_POST['username'] = 'user1'
$_POST['password'] = 'pass1'
check also
php
If you use validators, yes, it is secured!
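The behaviour discussed in this thread, modelled in plain PHP as an added example (it is not code from either poster or from Yii): $_GET is filled from the URL's query string on every request, while $_POST is filled only from the body of a POST. The helpers simulateSuperglobals() and readRecordId() are hypothetical, the three requests are constructed, and the body is assumed to be form-encoded.

```php
<?php
// Added illustration, not code from the thread. simulateSuperglobals() and
// readRecordId() are hypothetical helpers; the three requests are constructed.

// Model how PHP fills $_GET and $_POST for a single request.
function simulateSuperglobals(string $method, string $uri, string $body): array
{
    $get = [];
    $post = [];
    // $_GET is parsed from the URL's query string, whatever the HTTP method is.
    parse_str((string) parse_url($uri, PHP_URL_QUERY), $get);
    // $_POST is parsed from the body of a POST (assumed form-encoded here).
    if ($method === 'POST') {
        parse_str($body, $post);
    }
    return ['method' => $method, 'get' => $get, 'post' => $post];
}

// Read 'id' from one named source and accept it only as a positive integer.
function readRecordId(array $request, string $source): ?int
{
    if ($request['method'] !== 'POST') {
        return null; // the rule the 'postOnly + email' filter enforces
    }
    $raw = $request[$source]['id'] ?? null;
    if (!is_string($raw)) {
        return null; // missing, or sent as an array (id[]=2)
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$path = '/iccap/frontend/www/aut6_mct/email/'; // path shown by the alert() in the thread

// 1. The grid button as described: a POST whose id travels in the URL.
$button = simulateSuperglobals('POST', $path . '?id=2', '');
var_dump(isset($button['get']['id']), isset($button['post']['id']));
var_dump(readRecordId($button, 'get'));

// 2. The id moved into the request body, as suggested for the view.
$moved = simulateSuperglobals('POST', $path, 'id=2');
var_dump(readRecordId($moved, 'post'), readRecordId($moved, 'get'));

// 3. The method check alone does not validate the value: a non-numeric id.
$bad = simulateSuperglobals('POST', $path . '?id=abc', '');
var_dump(readRecordId($bad, 'get'));
```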
gerhard
(gerhard@ecolar.co.za)
July 5, 2013, 6:24am
9
Hi again
Thank you for the info.
I have read at various sites that both GET and POST are only really safe when they are used with https.
Regards
konapaz
(Konapaz)
July 5, 2013, 11:09pm
10
Nothing is absolutely safe on the web, GET and POST included.
But what do you want to do, and what kind of validation or purification of variables do you want to apply?
gerhard
(gerhard@ecolar.co.za)
July 6, 2013, 10:45pm
11
It's a business application. So I need to make as sure as possible that data entered by users is safe and that hackers cannot corrupt the database.
Besides normal password salting and record validation, I also have a record-level-access-control system that is linked to the user’s roles (access-permissions).
I can also restrict controller-actions to specific user roles.
I will use https and I have the server managed by expensive people.
konapaz
(Konapaz)
July 7, 2013, 1:19am
12
> It's a business application. So I need to make as sure as possible that data entered by users is safe and that hackers cannot corrupt the database.
> Besides normal password salting and record validation, I also have a record-level-access-control system that is linked to the user’s roles (access-permissions).
> I can also restrict controller-actions to specific user roles.
> I will use https and I have the server managed by expensive people.
Even when using https, remember to validate the user inputs, especially those that will be stored in the database.
Check also these wiki(s):
http://www.yiiframework.com/wiki/56/
http://www.yiiframework.com/wiki/168/create-your-own-validation-rule/