php include, function, ... [message #177733]
Wed, 18 April 2012 20:03
hipa
Hi there
I have a little page with a form, which inserts an article in a postgres
db with php.
The php code is in the html page. Can someone tell me what the best way
is to exclude the php code from this page. And then just calling it through
a function or something?
<body>
<?php
// Runs only when the form was submitted via the "Insert Article" button.
if (isset($_POST['insertarticle']) && $_POST['insertarticle']) {
    $dbh = pg_connect("host=..... dbname=..... user=..... password=.....");
    if (!$dbh) {
        die("Error in connection: " . pg_last_error());
    }
    if (isset($_POST['article'])) {
        $article = pg_escape_string($_POST['article']);
        $sql = "INSERT INTO tblarticle values ((select max(idarticle) + 1 from tblarticle), '{$article}')";
        $result = pg_query($dbh, $sql);
        // Check the query result before freeing it.
        if (!$result) {
            die("Error in SQL query: " . pg_last_error());
        }
        pg_free_result($result);
    }
    pg_close($dbh);
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input type="submit" name="insertarticle" value="Insert Article">
<label>Article:</label> <input id="article" name="article" type="text">
</form>
</body>
Re: php include, function, ... [message #177734 is a reply to message #177733]
Wed, 18 April 2012 20:08
Redcat
On Wed, 18 Apr 2012 20:03:40 +0000, hipa wrote:
> Hi there
>
> I have a little page with a form, which inserts an article in a postgres
> db with php.
> The php code is in the html page. Can someone tell me what the best way
> is to exclude the php code from this page. And then just calling it through
> a function or something?
I'm not sure what you mean by "exclude the php code from the page". The
code needs to be in the HTML file if it's going to execute. If you're
worried about users being able to view your code, you needn't - the code
won't get displayed to them, even if they do a "view source", if your web
server is configured properly. The code will get executed on the server
side when it's loaded, and will display to the user whatever output it's
supposed to spit out.
What are you hoping to accomplish?
Redcat
Re: php include, function, ... [message #177737 is a reply to message #177733]
Thu, 19 April 2012 00:55
Thomas 'PointedEars'
hipa wrote:
> I have a little page with a form, which inserts an article in a postgres
> db with php.
> The php code is in the html page. Can someone tell me what the best way
> is to exclude the php code from this page. And then just calling it through
> a function or something?
Rather obviously you cannot exclude "the php code" from "this page" unless
"this page" should become static. However, you can move parts of the code
into an include (file). You do not have to call a function, but it helps.
Probably the best way to do this is not only to call a function, but
construct an object as defined by a class, so that it can encapsulate data
(like state) and functionality, and call methods of that object that
implement this functionality, which may include the generation of HTML (in
an MVC-based approach that would be the view's methods).
Bottom line: RTFM.
> […]
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>"
If you use $_SERVER['PHP_SELF'] this way your application is vulnerable to
code injection as that element of the $_SERVER superglobal array includes
the *complete* URI (with the query part). Use $_SERVER['SCRIPT_NAME'], or
htmlspecialchars() to escape $_SERVER['PHP_SELF'], instead (in general,
escape all output in HTML unless you are very sure that escaping is
unnecessary). And use the POST method for requests that change data, so
that those cannot be triggered accidentally while navigating back and
forward (or as part of a low-profile attack).
PointedEars
--
Sometimes, what you learn is wrong. If those wrong ideas are close to the
root of the knowledge tree you build on a particular subject, pruning the
bad branches can sometimes cause the whole tree to collapse.
-- Mike Duffy in cljs, <news:Xns9FB6521286DB8invalidcom(at)94(dot)75(dot)214(dot)39>
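As an added example (not code from this thread), the form action emitted the way the original post does it, beside the two fixes PointedEars names: escaping with htmlspecialchars(), and using $_SERVER['SCRIPT_NAME']. The sample request path is constructed; function names are assumptions.

```php
<?php
// Added example for this thread, not code from the original post.
// Contrasts emitting $_SERVER['PHP_SELF'] raw with escaping it, or with
// using $_SERVER['SCRIPT_NAME'], in the form's action attribute.

// Weak: PHP_SELF is reflected unescaped. For a request to
// /insert.php/extra, PHP_SELF is "/insert.php/extra", so the trailing
// path segment (PATH_INFO) is request-controlled and lands inside the
// attribute as-is.
function form_action_unsafe(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened: escape for the HTML attribute context. ENT_QUOTES makes
// htmlspecialchars() encode both quote characters, so a quote in the
// path cannot terminate the attribute.
function form_action_safe(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Alternative: SCRIPT_NAME holds only the script's own path, never the
// PATH_INFO suffix. It is still escaped on output, as all output should be.
function form_action_script_name(string $scriptName): string
{
    $escaped = htmlspecialchars($scriptName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Constructed sample: what PHP_SELF looks like when the request path
// carries a double quote after the script name.
$samplePhpSelf    = '/insert.php/"extra';
$sampleScriptName = '/insert.php';

echo form_action_unsafe($samplePhpSelf), PHP_EOL;         // attribute ends at the quote
echo form_action_safe($samplePhpSelf), PHP_EOL;           // quote is encoded as &quot;
echo form_action_script_name($sampleScriptName), PHP_EOL; // no request-controlled suffix
```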
Re: php include, function, ... [message #177740 is a reply to message #177733]
Thu, 19 April 2012 10:55
IRC
On Apr 18, 9:03 pm, hipa <hipa.inva...@telenet.be> wrote:
> Hi there
>
> I have a little page with a form, which inserts an article in a postgres
> db with php.
> The php code is in the html page. Can someone tell me what the best way
> is to exclude the php code from this page. And then just calling it through
> a function or something?
>
> <body>
> <?php
> if(isset($_POST['insertarticle']) && $_POST['insertarticle']){
> $dbh = pg_connect("host=..... dbname=..... user=.....
> password=.....");
> if (!$dbh) {
> die("Error in connection: " . pg_last_error());
> }
>
> if(isset($_POST['article'])){
> $article = pg_escape_string($_POST['article']);
> $sql = "INSERT INTO tblarticle values ((select max(idarticle) + 1 from
> tblarticle), '{$article}')";
> $result = pg_query($dbh, $sql);}
>
> {die(pg_last_error());}
>
> if (!$result) {
> die("Error in SQL query: " . pg_last_error());
> }
> pg_free_result($result);
> pg_close($dbh);}
>
> ?>
>
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
> <input type="submit" name="insertarticle" value="Insert Article">
> <label>Article:</label> <input id="article" name="article" type="text">
> </form>
> </body>
"exclude the php code from this page" didn't make any sense, but, if
you would like to separate the php code from the html page, better write
all the php stuff in one file and include it into the required area,
or you can create a function and call it wherever you like.
Re: php include, function, ... [message #177741 is a reply to message #177733]
Thu, 19 April 2012 10:51
IRC
On Apr 18, 9:03 pm, hipa <hipa.inva...@telenet.be> wrote:
> Hi there
>
> I have a little page with a form, which inserts an article in a postgres
> db with php.
> The php code is in the html page. Can someone tell me what the best way
> is to exclude the php code from this page. And then just calling it through
> a function or something?
>
> <body>
> <?php
> if(isset($_POST['insertarticle']) && $_POST['insertarticle']){
> $dbh = pg_connect("host=..... dbname=..... user=.....
> password=.....");
> if (!$dbh) {
> die("Error in connection: " . pg_last_error());
> }
>
> if(isset($_POST['article'])){
> $article = pg_escape_string($_POST['article']);
> $sql = "INSERT INTO tblarticle values ((select max(idarticle) + 1 from
> tblarticle), '{$article}')";
> $result = pg_query($dbh, $sql);}
>
> {die(pg_last_error());}
>
> if (!$result) {
> die("Error in SQL query: " . pg_last_error());
> }
> pg_free_result($result);
> pg_close($dbh);}
>
> ?>
>
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
> <input type="submit" name="insertarticle" value="Insert Article">
> <label>Article:</label> <input id="article" name="article" type="text">
> </form>
> </body>
Hipa, "exclude the php code from this page" didn't make sense here.
However, you can separate the php stuff by building a function within the
individual page and then calling that function wherever you like.
Re: php include, function, ... [message #177788 is a reply to message #177734]
Sat, 21 April 2012 06:40
hipa
On Wed, 18 Apr 2012 20:08:51 +0000, Redcat wrote:
> On Wed, 18 Apr 2012 20:03:40 +0000, hipa wrote:
>
>> Hi there
>>
>> I have a little page with a form, which inserts an article in a postgres
>> db with php.
>> The php code is in the html page. Can someone tell me what the best way
>> is to exclude the php code from this page. And then just calling it
>> through a function or something?
>
> I'm not sure what you mean by "exclude the php code from the page". The
> code needs to be in the HTML file if it's going to execute. If you're
> worried about users being able to view your code, you needn't - the code
> won't get displayed to them, even if they do a "view source", if your
> web server is configured properly. The code will get executed on the
> server side when it's loaded, and will display to the user whatever
> output it's supposed to spit out.
>
> What are you hoping to accomplish?
>
OK, I explained it badly, and yes, I'm not a php developer. Maybe just
starting...
I put the code to connect to the db in a separate php file.
So I can include it wherever I want.
include 'opendb.php';
Also going to look at classes...
I did not know that the code is not visible for users, thanks!
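What the separate file could look like, as an added example that is not hipa's actual opendb.php and not from this thread: the connection and insert logic move into functions in the include, the page only calls them, and the insert uses a parameterised query instead of pg_escape_string(). The table columns come from the original post; the credentials are placeholders and the function names are assumptions.

```php
<?php
// opendb.php -- added example of the include-file approach from this thread,
// not hipa's actual file. Assumes the tblarticle table (idarticle, article
// text) from the original post. Connection string values are placeholders.
const DB_CONN = 'host=DBHOST dbname=DBNAME user=DBUSER password=DBPASS';

function open_db()
{
    $dbh = pg_connect(DB_CONN);
    if ($dbh === false) {
        throw new RuntimeException('Error in connection: ' . pg_last_error());
    }
    return $dbh;
}

// Parameterised insert: the article text is sent as $1, never spliced into
// the SQL string, so pg_escape_string() and manual quoting are not needed.
// The max(idarticle)+1 scheme from the thread is kept (COALESCE handles an
// empty table); two concurrent inserts can still collide on it, which a
// serial column would avoid.
function insert_article($dbh, string $article): void
{
    $sql = 'INSERT INTO tblarticle VALUES '
         . '((SELECT COALESCE(MAX(idarticle), 0) + 1 FROM tblarticle), $1)';
    $result = pg_query_params($dbh, $sql, [$article]);
    if ($result === false) {
        throw new RuntimeException('Error in SQL query: ' . pg_last_error($dbh));
    }
    pg_free_result($result);
}

// Only a POST with the submit button set changes data; a plain page load
// (GET, or browser back/forward) does nothing. Returns a status message.
function handle_insert_request(array $post, string $method): ?string
{
    if ($method !== 'POST' || empty($post['insertarticle'])) {
        return null;
    }
    $article = trim((string) ($post['article'] ?? ''));
    if ($article === '') {
        return 'Article text is required.';
    }
    $dbh = open_db();
    try {
        insert_article($dbh, $article);
    } finally {
        pg_close($dbh);
    }
    return 'Article inserted.';
}
// In the HTML page the PHP shrinks to two lines before the <form>:
//   require 'opendb.php';
//   $message = handle_insert_request($_POST, $_SERVER['REQUEST_METHOD']);
```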
Re: php include, function, ... [message #177789 is a reply to message #177737]
Sat, 21 April 2012 06:46
hipa
On Thu, 19 Apr 2012 02:55:47 +0200, Thomas 'PointedEars' Lahn wrote:
> hipa wrote:
>
>> I have a little page with a form, which inserts an article in a postgres
>> db with php.
>> The php code is in the html page. Can someone tell me what the best way
>> is to exclude the php code from this page. And then just calling it
>> through a function or something?
>
> Rather obviously you cannot exclude "the php code" from "this page"
> unless "this page" should become static. However, you can move parts of
> the code into an include (file). You do not have to call a function,
> but it helps.
That is what I mean.
> Probably the best way to do this is not only to call a function, but
> construct an object as defined by a class, so that it can encapsulate
> data (like state) and functionality, and call methods of that object
> that implement this functionality, which may include the generation of
> HTML (in an MVC-based approach that would be the view's methods).
This is even more what I'm saying :-)
> Bottom line: RTFM.
Yes, I should more....