segments vs $_POST variables
#1

[eluser]noland[/eluser]
Hi there!:

I've searched for this particular subject, but I could not find anything which clarifies the best way to do the things.

In my first 3 applications with CI I used segments, the easy way to send somebody URLs like:

http://www.mydomain.com/W/segment1/segment2/segmentN

But I've ended up tired of that... I have to check all the time whether the segments are OK... eventually, somebody could change segment2 in my URL to:

http://www.mydomain.com/W/segment1/xzczxczdedsr324234234/segmentN

That segment2 is incorrect, so everything crashes if I don't check it.

I think that they expose some "inner workings" of the database as well. :(

So I ended up communicating the page parameters using $_POST variables (which are somehow 'hidden') all the time.

I suppose that my question is really 2 questions:

What's the best system: $_POST, segments, or something else that I don't know about? And
Is there a better way to check all the segments (whether their format is right and whether their contents match against the database)?
#2

[eluser]danoph[/eluser]
It depends on the application. On my most recent application, I used both segments and POST variables equally, both of which interact with a database, sometimes on the same page.

It just depends on what you are trying to accomplish.
#3

[eluser]nmweb[/eluser]
Always check your input, even if you don't expect it can be changed. Security through obscurity doesn't work. You should be able to publish the 'inner workings' of your database without compromising the security of your site.

POST variables should be used for forms or basically anything that changes data anywhere in your database or elsewhere. Segments, which are more like GET variables anyway, should be used only for actions that don't change data, i.e. SELECT statements and the like. This is a general rule; it doesn't change the fact that you should always check input. Take a look at cURL in the php.net manual and it'll show you that POST variables, as well as GET and segments, can be changed without much effort.

Always check against what you expect, throw an error if it doesn't match.
#4

[eluser]noland[/eluser]
thanks for your answers.

So... as I see it, I have to check everything. I was doing that... but I thought that surely I would find an easy way to do that, instead of:

* Check that all the segments are ok
* Check that the segments have the datatype they are supposed to have
* Check that the segment values match with the database
* Check that there's not a security problem with them

Am I missing any check that is standard for this?

Could you guide me, please, to a good reference about this particular subject? (validation rules, advice, etc.)

Thanks so much!!!
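Putting nmweb's advice (GET-like segments for reads, POST for writes, check everything against what you expect) and the four-point checklist above into one CodeIgniter controller, as an added example that is not code from anyone in the thread. It assumes CodeIgniter 1.x conventions (a `Controller` base class, `$this->uri->segment()`, `$this->input->post()`, `$this->db->query()` with `?` bindings, `show_404()`) and an `items` table with `id` and `name` columns; the table, columns and method names are illustrative.

```php
<?php
// Added example, not from the thread. Written against CodeIgniter 1.x conventions.
// Table "items" with columns "id" and "name" is an assumption for illustration.
class Items extends Controller {

    function Items()
    {
        parent::Controller();
        $this->load->database();
        $this->load->helper('url');
    }

    // Read-only action; state comes from the URL, e.g. /items/view/42
    function view()
    {
        $id  = $this->_require_id($this->uri->segment(3));
        $row = $this->_fetch_item($id);
        echo 'Item ' . (int) $row->id . ': '
           . htmlspecialchars($row->name, ENT_QUOTES, 'UTF-8');
    }

    // State-changing action: accepted only via POST, never through a bare link.
    function rename()
    {
        if ($this->input->server('REQUEST_METHOD') !== 'POST')
        {
            show_error('This action requires POST.');
        }

        $id   = $this->_require_id($this->input->post('id'));
        $name = $this->input->post('name');
        if ($name === FALSE || strlen($name) < 1 || strlen($name) > 80)
        {
            show_error('name must be 1-80 characters.');
        }

        // Confirm the row exists before writing (in a real app, also that the
        // current user is allowed to touch it).
        $this->_fetch_item($id);

        // Bound parameters: the values never become part of the SQL text.
        $this->db->query('UPDATE items SET name = ? WHERE id = ?', array($name, $id));
        redirect('items/view/' . $id);
    }

    // Checklist items 1 and 2: the segment is present, has the expected format
    // (decimal digits, no leading zero, at most 9 digits so it fits a 32-bit int),
    // and is handed back as a real integer rather than the raw string.
    // Underscore-prefixed methods are not routable as URLs in CodeIgniter.
    function _require_id($raw)
    {
        if ( ! is_string($raw) || ! preg_match('/\A[1-9][0-9]{0,8}\z/', $raw))
        {
            show_404();
        }
        return (int) $raw;
    }

    // Checklist item 3: the value must correspond to exactly one existing row.
    // Anything else fails closed with a 404 instead of a PHP error page.
    function _fetch_item($id)
    {
        $query = $this->db->query('SELECT id, name FROM items WHERE id = ?', array($id));
        if ($query->num_rows() !== 1)
        {
            show_404();
        }
        return $query->row();
    }
}
```

Things worth noticing: the format check runs before any database access, the value that reaches the query is a cast integer bound as a parameter, the write action is reachable only through POST, and the helpers cannot be invoked as URLs. None of this hides the id; it makes a wrong or tampered id fail closed instead of crashing.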
#5

[eluser]danoph[/eluser]
Is your project open source, or could you post some of the code here in the forums? That would help narrow down the questions.

No matter what kind of website you are building, you are posing a security threat using either segments or POST variables. I've heard many times that, when building a site, you should always assume the data is tainted. CodeIgniter reduces the time spent trying to filter invalid data, automatically filtering POST data and removing invalid characters from the URI. At least you're at a head start using CI!!
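On the automatic URI filtering danoph mentions: what CodeIgniter enforces on segments is a character whitelist, the `permitted_uri_chars` setting, which is a different thing from checking that a segment means something to your application. The stand-alone PHP below is an added example, not CI's own code: it re-implements that kind of whitelist using the default 1.x pattern from config.php and runs a few constructed segments (including the tampered one from the first post) through it side by side with an application-level id check. The id rule and the sample inputs are made up for illustration.

```php
<?php
// Added example, not from the thread or from CodeIgniter. Shows that a character
// whitelist on URI segments (what permitted_uri_chars provides) is not the same
// thing as validating what the segment is supposed to mean.

// Default value of $config['permitted_uri_chars'] in CI 1.x config.php (assumed here).
define('PERMITTED_URI_CHARS', 'a-z 0-9~%.:_\-');

// Re-implementation of a permitted-characters filter: TRUE if every character of
// $segment is in the whitelist, case-insensitive. Not CI's own implementation.
function passes_uri_filter($segment)
{
    return (bool) preg_match('|^[' . PERMITTED_URI_CHARS . ']+$|i', $segment);
}

// What a valid item id means to this hypothetical application: decimal digits,
// no leading zero, at most 9 digits, and nothing at all before or after them.
function is_valid_id($segment)
{
    return (bool) preg_match('/\A[1-9][0-9]{0,8}\z/', $segment);
}

// Run one segment through both layers and report which one stopped it, if any.
function classify($segment)
{
    if ( ! passes_uri_filter($segment))
    {
        return 'rejected by URI character filter';
    }
    if ( ! is_valid_id($segment))
    {
        return 'passes URI filter, but is not a valid id';
    }
    return 'valid id ' . (int) $segment;
}

// Constructed inputs, not captured from a real site.
$samples = array(
    '42',                       // well-formed
    'xzczxczdedsr324234234',    // the tampered segment from the first post
    '0042',                     // would silently become 42 after an (int) cast
    '1%27',                     // '%' is a permitted character
    '42;DROP TABLE items',      // ';' is not permitted
    "42\n",                     // '$' in the filter matches before a trailing newline
);

foreach ($samples as $s)
{
    printf("%-25s => %s\n", str_replace("\n", '\n', $s), classify($s));
}
```

Run it with `php` on the command line. Only the segment containing `;` is stopped by the character filter; the other malformed ones sail through it and are caught only by the application's own rule, which is the check the thread is really asking about.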
#6

[eluser]Neovive[/eluser]
I agree with danoph that it depends on the application. I prefer segments for applications that involve search queries and selects, since it makes the resulting pages easier for users to bookmark. However, there is typically no benefit to using segments when inserting data, since there is little need to bookmark such a page -- beyond the form itself.