Building a Weblog: Part 2
Viewing Specific Entries
When index.php was created, three distinctive sections were added to the page:
In the main blog entry and previous entry sections, you link to another page called viewentry.php. The viewentry.php page has a number of important features:
This page is an important step in building the blog, so without further ado, it's time to get going and do some coding!
Validating the Request URL
The first step for the viewentry.php page is to ensure it's requested with valid data. Whenever you work on a Web project, it is important to verify that any changeable information (such as the ID of an entry or comment) is legitimate. This verification process is known as validation. In this project, validation is applied only to the variables that are added to the address of the site. These variables are visible, and the user can change them by editing the address in the browser.
Validation, Step by Step
The reason you will validate only GET variables, and not other types of information, is to make validation easier to learn. This application introduces some basic concepts and keeps things simple. Later projects in the book explore validation in more detail, and you can return to earlier projects and apply these skills later.
Although GET variables can be set to letters or numbers, virtually every GET variable in this book is set to a number. When you created index.php and the links to viewentry.php, each of them included a GET variable that contained a numeric
To validate a numeric variable, feed it into a block of code that runs some simple tests. Add the following code to the beginning of viewentry.php:
The first line includes config.php. Unlike the previous example, header.php has not been included (yet). If validation fails, you'll redirect users to another page, so there's no need to show the HTML in header.php until these tests have passed.
The next line is the first if condition. The isset() function checks to see if the GET variable exists. If it does, validentry is set to TRUE; if not, validentry is set to
Redirection Fun and Games
Redirection is when you automatically jump to another page on the Web site. There are two main methods of redirecting to a page:
- Use HTTP headers. Use the HTTP headers that are present in every Web page to change the current page. This technique is supported by every browser, but it can occur only before any data is sent to the client. This same restriction applies to sessions when you use session_start() at the beginning of a page.
As a general rule, use HTTP headers for redirection, because of their availability in all browsers and ease of use.
Assuming a variable is being sent, a check is made to ensure the value is numeric; if someone sets the variable to "bananas," for example, this is obviously incorrect. The is_numeric() function tests the GET variable; if the result is false, error is set to
The Nasty World of SQL Injection
One of the risks of using GET variables is SQL injection. Imagine that you have a SQL statement such as the following:
SELECT * FROM entries WHERE id = <id value>
and where <id value> is, you add the value from the
$sql = "SELECT * FROM entries WHERE id = " . $_GET['id'];
This code assumes that the value of id is numeric. If you don't check for this, a malicious user could try to inject SQL code into the query. Imagine what would happen if the user added 1; DROP DATABASE blogtastic; to the URL. The following SQL is now executed:
SELECT * FROM entries WHERE id = 1; DROP DATABASE blogtastic;
This code would result in a lost database (assuming the user had appropriate permissions)! To protect against this risk, always ensure that numeric GET values are actually numeric.
If error is indeed equal to 1 (indicating a non-numeric value), the header() command redirects to the main page. The header() command is passed the Location header and the full location to redirect to (such as Location: http://localhost/blogtastic/). In the code, the "Location:" text is added, and then the location is picked out of the config_basedir variable from config.php.
When using the Location header, you will need to provide a complete URL such as http://www.foo.com/, as opposed to
When error is not set to that value, the validentry variable is set to the value of the GET variable. With this validation in place, the code below the header() function runs only with a valid
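The validation described above and the SQL injection risk from the sidebar, as an added example that is not the book's viewentry.php code: it uses filter_var() with FILTER_VALIDATE_INT instead of is_numeric() (which also accepts values like "1.5", "1e3" and " 7" that are no use as an entry ID), and a PDO prepared statement in place of concatenating $_GET['id'] into the query. It assumes $config_basedir from config.php; the database credentials are placeholders.

```php
<?php
// Added example; not the chapter's own viewentry.php. Assumes config.php
// defines $config_basedir. DB_USER/DB_PASS below are placeholders.

// Return a positive integer entry ID, or null when the request is not valid.
function validate_entry_id(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    // is_numeric() would also pass "1.5", "1e3", " 7" and "-1"; require a
    // plain integer of at least 1 instead.
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Load the entry with a bound parameter, so the value can never change the
// structure of the SELECT statement, whatever it contains.
function load_entry(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM entries WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

require 'config.php';

$validentry = validate_entry_id($_GET);
if ($validentry === null) {
    // Redirect to the front page, as the chapter does. exit ensures nothing
    // below runs after the Location header has been sent.
    header('Location: ' . $config_basedir);
    exit;
}

// Assumed connection; replace the placeholder credentials.
$db = new PDO('mysql:host=localhost;dbname=blogtastic', 'DB_USER', 'DB_PASS');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$entry = load_entry($db, $validentry);
if ($entry === null) {
    // A well-formed ID that matches no row is treated the same way.
    header('Location: ' . $config_basedir);
    exit;
}

require 'header.php';
```

With this in place a request for viewentry.php?id=1;%20DROP%20DATABASE%20blogtastic; is rejected by validate_entry_id() before any query runs, and even a value that slipped through would only ever be compared against id as data.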
Don't Confuse the User with Errors
When an invalid variable is detected, this script redirects to a legitimate page instead of displaying an error message. When considering the usability of your Web application, it generally makes sense to redirect rather than report an error. Error messages are rarely useful to users, and anyone who has the knowledge to adjust the
GET variable on the URL is probably fully aware that they are tampering with the application instead of using the application. Automatically redirecting avoids potentially confusing the user with error messages.