• Activating a function in PHP using the ? parameters in URL
    8 replies, posted
Hey everyone. I used to know how to do this, but I haven't done any coding in about 8 years and I'm extremely out of practice. I've tried Googling it, but I don't actually know what you'd call the thing in the URL you do. I'm also thinking that this would be a really stupid way to add to the DB, as then people could presumably just add to the DB by sticking something in the URL? Is there any way to add authentication in an obfuscated fashion? I appreciate any help. Sorry for the nooby question.
You mean the query parameters? You'd check them with isset($_GET['parameter_name']), and if they have any value set with something like !empty($_GET['parameter_name']). Throw a switch or (if living on the edge) a bunch of nested ifs, and inside them call the functions you want. If you mean having something like ?var_print=$GLOBALS, then yeah, it'd be a huge security issue as you'd be leaving everyone to do whatever on the server, as you said. Also I'm not too sure what you mean with adding obfuscated authentication, like in the URL too? It'd be simpler to use sessions. Do you have a less abstract example of what you want to do? This is guessing a lot.
For submitting data, you should use POST requests, from which you can get data via $_POST['parameter_name']. GET requests should generally not change data on the server (obviously things like a view log are exempt from this). If you're planning to use databases, important note: NEVER trust user input. Do not try to sanitize input (because you will fail in one way or another), use prepared statements. I'm rusty myself, but this could be a good starting point: PHP: Prepared statements and stored procedures
You can use either MySQLI or PDO for doing prepared statements. Play around with both, and see which one you prefer
So, I wanted to use AJAX to get results from the database after submission, and the tables I'm using are fairly simplistic. It's just to track a gig, the venue it's in and its duration, etc. I think what you guys have suggested is quite helpful, so I'm going to crack on with it and see what I can do! Thanks.
Isn't PDO preferred these days?
I believe so, I just thought I'd mention both since it's quite a common thing for new developers to see an example online and then think that's the only way to do it, when there are actually other ways as well.
This is how you activate a function via $_GET

```php
<?php
// Names of the query parameters this script requires.
$required = [ "method" ];
$parameters = [];

foreach( $required as $parameter )
    if( isset( $_GET[ $parameter ] ) )
        // Store the value sent in the URL, keyed by parameter name.
        $parameters[ $parameter ] = strip_tags( $_GET[ $parameter ] );
    else
        die("Parameter not found");

if( function_exists( $parameters[ "method" ] ) == false )
    die("method not found");

// Calls whatever function name the request supplied.
call_user_func( $parameters[ "method" ] );
?>
```

But like it's been mentioned on this thread, it's better to use PDO and to, for instance, load your database config from a json file. There's no real way to store your credentials without, for instance, encrypting them, but what's the point of that. Suggest looking up composer, and the laravel/database component. It's much better to use laravel in its components than the full thing, I find.
Calling a function from user input just sounds like a really bad idea... To me that is a giant code smell, and really it's generally a very uncommon practice. What's wrong with creating a publicly accessible API?
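An added example, not written by any poster in this thread, that combines the replies' advice: the URL parameter only selects an entry from a fixed allowlist, writes are accepted over POST only, and the insert uses a PDO prepared statement. The `gigs` table, its columns, the `action` parameter and the action names are assumptions, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example. Table, column and action names are assumptions.
// In-memory SQLite keeps the script self-contained (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gigs (id INTEGER PRIMARY KEY, venue TEXT NOT NULL, duration_minutes INTEGER NOT NULL)');

function listGigs(PDO $pdo): array {
    return $pdo->query('SELECT id, venue, duration_minutes FROM gigs ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
}

function addGig(PDO $pdo, array $input): array {
    $venue = $input['venue'] ?? '';
    $duration = filter_var($input['duration_minutes'] ?? null, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1, 'max_range' => 1440]]);
    if (!is_string($venue) || trim($venue) === '' || strlen($venue) > 200 || $duration === false) {
        return ['error' => 'invalid venue or duration'];
    }
    // Placeholders keep user data out of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO gigs (venue, duration_minutes) VALUES (:venue, :duration)');
    $stmt->execute([':venue' => trim($venue), ':duration' => $duration]);
    return ['id' => (int)$pdo->lastInsertId()];
}

// Allowlist: action name => [required HTTP method, handler].
// The request only selects an entry; it never names a PHP function directly.
function dispatch(PDO $pdo, string $httpMethod, array $get, array $post): array {
    $routes = [
        'list_gigs' => ['GET',  fn() => listGigs($pdo)],
        'add_gig'   => ['POST', fn() => addGig($pdo, $post)],
    ];
    $action = $get['action'] ?? '';
    if (!is_string($action) || !isset($routes[$action])) {
        return ['error' => 'unknown action'];
    }
    [$required, $handler] = $routes[$action];
    if ($httpMethod !== $required) {
        return ['error' => 'wrong HTTP method'];
    }
    return $handler();
}

// Constructed requests standing in for $_SERVER['REQUEST_METHOD'], $_GET and $_POST.
echo json_encode(dispatch($pdo, 'POST', ['action' => 'add_gig'], ['venue' => "O'Neill's", 'duration_minutes' => '90'])), "\n";
echo json_encode(dispatch($pdo, 'GET', ['action' => 'add_gig'], [])), "\n";   // rejected: write over GET
echo json_encode(dispatch($pdo, 'GET', ['action' => 'phpinfo'], [])), "\n";   // rejected: not in allowlist
echo json_encode(dispatch($pdo, 'GET', ['action' => 'list_gigs'], [])), "\n";
```

On a real page the `add_gig` route would also sit behind a session login check, as suggested earlier in the thread.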