Re: Value in a grid [message #171335 is a reply to message #171321]
Thu, 30 December 2010 13:15
Thomas 'PointedEars'
Messages: 701 Registered: October 2010
Senior Member
Sarah wrote:
> Hi! I've a grid with a button that allows passing values to another
> page.... My problem is that I don't like to pass these values on the
> page because users could change/modify them... can you help me to find
> a solution?
Yes.
(Never ask yes-or-no questions unless you expect the answer to be "Yes" or
"No." But see below.)
> foreach ($wscalls as $key=>$wscall)
> {
> $iddocumento = $wscall['iddocumento'] ;
>
> $actions = "<a href = \' \' onclick= \' return
> sendemail(\"" . (string)$iddocumento . "\"); \' > <img src= \'" .
> $this->view->baseUrl() . "/css/images/sendemail.png \' /> </a> ";
What about users without client-side script support?
> if ((isset($iddocumento) && !empty($iddocumento))
> && ((int)$value>0 )){
> $actions .= "<a href = \'pay?value=" .
> $value . "&iddocumento=". $iddocumento . "\' $onclick > <img src=
> \'" . $this->view->baseUrl() . "/css/images/". $img_pay ." \' /> </a>
> ";
> }
>
> ..
This should be rewritten at least as

foreach ($wscalls as $key => $wscall)
{
  $iddocumento = $wscall['iddocumento'];
  $baseURL = $this->view->baseUrl();

  $actions = '<a href=""'
           . ' onclick="return sendemail(\'' . $iddocumento . '\')">'
           . '<img src="' . $baseURL . '/css/images/sendemail.png" />'
           . '</a> ';

  if (isset($iddocumento) && !empty($iddocumento) && ($value > 0))
  {
    $actions .= '<a href="pay?value=' . rawurlencode($value)
              . '&iddocumento=' . $iddocumento . "\" $onclick>"
              . '<img src="' . $baseURL . '/css/images/'
              . rawurlencode($img_pay) . "\" /></a>\n";
  }

  // …
}

Here's why:
1. Use proper indentation, keep your code style consistent and easily
readable. Best is to adopt one of the prevalent code styles (such as
the PEAR Code Style), and adapt it to your needs (unless you want to
write a PEAR module).
2. Remove unnecessary whitespace.
3. Avoid escaping by using different string delimiters, making the code
more easily readable.
4. Make markup code easily movable from static to dynamic generation;
i.e. prefer apostrophes to delimit strings of generated markup, so that
you can continue using the customary quotes for attribute delimiters.
5. Do not put spaces around the `=' in markup; this visually dissolves the
connection between attribute name and value and can easily lead to
parse errors.
6. Explicit typecast to string is unnecessary in (*string*) concatenation.
7. Do not put spaces after the start tag or before the end tag of an
(inline) element, see
<http://www.w3.org/TR/html401/struct/text.html#h-9.1>.
8. For generating markup, encode all values that are not already encoded
(here: rawurlencode()).
9. For interoperability, there should not be more than 80 characters in
a line of code; use concatenation as necessary.
10. Explicit typecast to int is unnecessary with the `>' operator.
11. Remove unnecessary parentheses to improve readability.
12. If a method always returns the same value, do not call it more than
once. Store the return value in a variable once and use the variable
value instead.
You might also want to consider using less concatenation and a more
template-based approach (inline references, HereDoc) instead.
> How can I pass values to the send page without showing the user the values??
Store sensitive data in a session, or use a POST form to hide the values
from the more casual (and less programming-savvy) observer.
HTH
PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)
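As an added illustration of the session-based suggestion above (this is not code from PointedEars' reply or from Sarah's application), here is one way to render the "pay" control so that the amount never travels through the URL: the amount is stored server-side under a random token, the browser only ever sees the token, and the pay handler resolves it back. The function names, the `value` field on each `$wscall` entry, the `pay.png` image name, and the `$session` array passed by reference (standing in for `$_SESSION` so the code runs from the command line) are all assumptions for the example.

```php
<?php
// Added example, not from the original thread. Assumes $wscalls is a list of
// arrays with 'iddocumento' and a numeric 'value', and that a session array
// (normally $_SESSION) is available; here it is passed explicitly.
declare(strict_types=1);

// Render one "pay" control for a grid row. Instead of putting the amount in
// the URL (pay?value=...), the amount is kept server-side in the session,
// keyed by a random opaque token, and only that token is sent to the browser.
function renderPayControl(array $wscall, string $baseUrl, array &$session): string
{
    $iddocumento = (string)($wscall['iddocumento'] ?? '');
    $value = (float)($wscall['value'] ?? 0);
    if ($iddocumento === '' || $value <= 0) {
        return '';
    }

    // Opaque, unguessable handle for this row's server-side record.
    $token = bin2hex(random_bytes(16));
    $session['pay'][$token] = [
        'iddocumento' => $iddocumento,
        'value'       => $value,
        'created'     => time(),
    ];

    // Every dynamic value is encoded for the attribute context it lands in.
    $img = htmlspecialchars($baseUrl, ENT_QUOTES, 'UTF-8') . '/css/images/pay.png';
    return '<form method="post" action="pay">'
         . '<input type="hidden" name="token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
         . '<button type="submit"><img src="' . $img . '" alt="Pay"></button>'
         . "</form>\n";
}

// The pay handler never trusts an amount from the client; it resolves the
// token to the record stored by renderPayControl() and consumes it.
function resolvePayment(array $post, array &$session, int $maxAgeSeconds = 900): ?array
{
    $token = $post['token'] ?? '';
    if (!is_string($token) || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;                         // malformed token
    }
    $record = $session['pay'][$token] ?? null;
    if ($record === null) {
        return null;                         // unknown or already used
    }
    unset($session['pay'][$token]);          // one use only
    if (time() - $record['created'] > $maxAgeSeconds) {
        return null;                         // stale token
    }
    return $record;
}

// --- constructed sample data, standing in for the web-service result ---
$session = [];
$wscalls = [
    ['iddocumento' => 'DOC-1', 'value' => 12.50],
    ['iddocumento' => 'DOC-2', 'value' => 0],      // no pay control rendered
];
foreach ($wscalls as $wscall) {
    echo renderPayControl($wscall, '/app', $session);
}

// Simulate the POST. A tampered "value" field in the request is simply
// ignored, because the handler only reads the token.
$token = array_key_first($session['pay']);
$result = resolvePayment(['token' => $token, 'value' => '0.01'], $session);
var_dump($result['value']);                              // float(12.5)
var_dump(resolvePayment(['token' => $token], $session)); // NULL: already consumed
```

The hidden field only hides the amount from a casual observer, as the reply says; what actually stops tampering is that the server looks the amount up by token rather than reading it from the request. Tokens are removed once used and expire after a short time so the session does not fill up with stale entries from rows that were rendered but never paid.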