Status
Not open for further replies.

grandad

Member
So maybe if I take the onclick event out and just use a standard 'a href' tag within the <td> tags, but this will only make the text clickable. Will an image map work to make the whole link clickable?

Use both. That way, if JS is enabled, the site works as you want. If JS is disabled, they can still click on the text. The site works either way.
 

ziycon

New Member
By the way, your pages are quite open to SQL injection because there is no input checking on the ID, so you can make it spit out error messages or manipulate the query by going to a URL such as /v/cl_desc.php?id=0+OR+ID>0

I have some validation now to check if the club exists, but I'm unsure how to go about checking to make sure the id is a number. I was thinking of using something like is_int() or is_numeric(). Any ideas which is better or worse?
 

daviddoran

New Member
Well, what I'd do is the following:
Code:
// Missing id becomes false; a present id is trimmed of surrounding whitespace
$id = ( (isset($_GET['id'])) ? (trim($_GET['id'])) : (false) );
if( $id===false || $id=='' )
{
  //No id, very bad
  exit('No id supplied');
}
// Note: is_numeric() also accepts things like "1.5" and "1e3", not only plain digits
if( !is_numeric($id) )
{
  //Not numeric, bad
  exit('Id is not numeric');
}

This way you can catch No Input, Empty Input and non-numeric input.
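As an added example (not code posted by anyone in this thread), here is the same idea taken one step further: the id is accepted only if it consists of digits, and the lookup uses a bound parameter so the value never becomes part of the SQL text. The table and column names (clubs, id, name) and the in-memory SQLite database are assumptions standing in for the real schema; the sample requests are constructed, and include the injection URL quoted above once it has been URL-decoded.

```php
<?php
// Added example (not code from the thread): strict id validation plus a
// parameterised query, so "0 OR ID>0" is rejected before any SQL runs.
declare(strict_types=1);

/**
 * Return the id as a positive integer, or null if it is missing or malformed.
 * ctype_digit() only accepts the characters 0-9, so "1e3", "1.5", " 1" and
 * "0 OR ID>0" all fail, whereas is_numeric() accepts several of those.
 */
function parseClubId(array $query): ?int
{
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null;                       // no id at all, or ?id[]=1 (an array)
    }
    $raw = $query['id'];
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;                       // empty, non-digit, or absurdly long
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;           // 0 is never a record, as noted in the thread
}

/** Look up one club with a bound parameter; the id never enters the SQL text. */
function fetchClub(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM clubs WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table standing in for the real clubs table (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clubs (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO clubs (id, name) VALUES (1, 'Barcode'), (2, 'Example Club')");

// Constructed sample query strings, as $_GET would present them.
$samples = [
    ['id' => '1'],
    ['id' => '0 OR ID>0'],   // ?id=0+OR+ID>0 after URL decoding
    ['id' => '1e3'],
    ['id' => ''],
    [],
];

foreach ($samples as $query) {
    $id = parseClubId($query);
    if ($id === null) {
        // In the live page this is where the error page would be shown.
        echo 'rejected: ', var_export($query['id'] ?? null, true), "\n";
        continue;
    }
    $club = fetchClub($db, $id);
    echo $club === null ? "no such club: $id\n" : "club $id: {$club['name']}\n";
}
```

In the real page, `parseClubId($_GET)` replaces the direct use of `$_GET['id']`; the prepared statement is what actually closes the injection, and the digit check is what keeps the error page (rather than a database error) in front of the user.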
 

gary.b

New Member
Err... you might not want to use ?id=0... in your URLs; Google has a problem with those and won't cache your pages.
 

ziycon

New Member
Err... you might not want to use ?id=0... in your URLs; Google has a problem with those and won't cache your pages.

I have it set up so that before any page loads now, it will check and see if the 'id' is a valid number, and if it is then it will check to see if it's in the DB. If it's a number and exists in the DB then the page will load with the relevant data, otherwise it will load an error page.

Also I don't use '0' for any records.
 

ziycon

New Member
I think his point is that you should switch to using clean URLs such as dublinnites.com/clubs/barcode

I want to. I figured out how to use mod_rewrite, but my problem is that when a user rates a venue it expects an ?id=1 to be passed to the next page, and then, depending on the id number, once the entry is added to the DB the user is redirected back to the venue they just rated. If I'm using mod_rewrite I can't pass the id variable to the next page and I get a DB error!
 

daviddoran

New Member
Can't you use a rewrite for that page as well, or POST the variable?
If you have access to modify the redirection then you can definitely do it.
 

ziycon

New Member
The rating value is currently being passed to the next page through a <form> and then requested using $_REQUEST['rating']. Is there any way I can pass a variable on the 1st screen to the 2nd screen without using the ?id=0?
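One way to do what daviddoran suggests, as an added example that is not code from this thread: carry the venue id in a hidden field of the same POST form that carries the rating, validate both server-side (a hidden field is still user input), insert with bound parameters, and redirect back to the rewritten /clubs/<id> URL. The rate.php action, the clubs and ratings tables and the in-memory SQLite database are assumptions; the POST bodies are constructed.

```php
<?php
// Added example (not code from the thread): the venue id travels as a hidden
// POST field instead of ?id=N, is validated like any other input, and the
// handler redirects to the clean URL after a parameterised insert.
declare(strict_types=1);

/** Render the rating form; the id is carried in a hidden field, HTML-escaped. */
function ratingForm(int $clubId): string
{
    $id = htmlspecialchars((string) $clubId, ENT_QUOTES, 'UTF-8');
    $options = implode('', array_map(fn($n) => "<option value=\"$n\">$n</option>", range(1, 5)));
    return "<form method=\"post\" action=\"/rate.php\">\n"      // action is an assumption
         . "  <input type=\"hidden\" name=\"id\" value=\"$id\">\n"
         . "  <select name=\"rating\">$options</select>\n"
         . "  <button type=\"submit\">Rate</button>\n</form>\n";
}

/**
 * Handle the POSTed rating. Returns the redirect target on success, or null
 * when the input is invalid or the venue does not exist (show the error page).
 */
function handleRating(PDO $db, array $post): ?string
{
    // FILTER_VALIDATE_INT rejects anything that is not a whole number in range,
    // including "1 OR 1=1", "1e3", missing values and array values (?id[]=1).
    $range  = fn(int $max) => ['options' => ['min_range' => 1, 'max_range' => $max]];
    $id     = filter_var($post['id']     ?? null, FILTER_VALIDATE_INT, $range(PHP_INT_MAX));
    $rating = filter_var($post['rating'] ?? null, FILTER_VALIDATE_INT, $range(5));
    if ($id === false || $rating === false) {
        return null;
    }

    // Only accept ratings for venues that actually exist; bound parameters throughout.
    $exists = $db->prepare('SELECT 1 FROM clubs WHERE id = :id');
    $exists->execute([':id' => $id]);
    if ($exists->fetchColumn() === false) {
        return null;
    }
    $ins = $db->prepare('INSERT INTO ratings (club_id, rating) VALUES (:id, :rating)');
    $ins->execute([':id' => $id, ':rating' => $rating]);

    return '/clubs/' . $id;   // the rewritten URL; no ?id= needed on the way back
}

// Constructed in-memory schema standing in for the real database (assumed names).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clubs (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE ratings (club_id INTEGER, rating INTEGER)');
$db->exec("INSERT INTO clubs (id, name) VALUES (1, 'Barcode')");

echo ratingForm(1);

// Constructed POST bodies standing in for $_POST on rate.php.
$posts = [
    ['id' => '1',        'rating' => '4'],   // valid
    ['id' => '1 OR 1=1', 'rating' => '4'],   // tampered hidden field
    ['id' => '1',        'rating' => '9'],   // rating out of range
    ['id' => '2',        'rating' => '3'],   // venue does not exist
];
foreach ($posts as $post) {
    $target = handleRating($db, $post);
    if ($target === null) {
        echo "rejected\n";
        continue;
    }
    // In the live handler: header('Location: ' . $target); exit;
    echo "redirect to $target\n";
}
```

The rating handler still sees the id as a plain variable, so the existing `$_REQUEST['rating']` code changes only in where the id comes from (`$_POST['id']` instead of the query string); the redirect target is built from the validated integer, never from the raw request.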
 

ziycon

New Member
When I'm using mod_rewrite, say I enter the fake URL, does the real URL still work in the background, or what is really happening?
 

daviddoran

New Member
Yes, unless your rewrite rule tries to redirect the real page as well.

So, for instance if you use a rewrite like:
Code:
RewriteRule ^clubs/([a-zA-Z0-9_]+)$ venue_view.php?id=$1

You should still be able to access venue_view.php?id=1 or /clubs/1
 

ziycon

New Member
Yes, unless your rewrite rule tries to redirect the real page as well.

So, for instance if you use a rewrite like:
Code:
RewriteRule ^clubs/([a-zA-Z0-9_]+)$ venue_view.php?id=$1

You should still be able to access venue_view.php?id=1 or /clubs/1

Sorry, trying to get my head round this: if I type in clubs/1.php, can I still access id from clubs/venue_view.php?id=1 on that page?
 

daviddoran

New Member
Ah, here's the thing.

Because we have a Rewrite set up, the rewrite will attempt to redirect to venue_view.php?id=venue_view because it matches.

However, by adding a Rewrite Condition that will not match real files, you can use both the real path venue_view.php and rewritten paths like clubs/1.

Code:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^clubs/([a-zA-Z0-9_]+)$ venue_view.php?id=$1
 