Quote:
(1) How would I use a POST method for accomplishing what I'm attempting to do?
It depends on the way you access the page using the "delete" query. Core modules use an intermediary confirmation page for this, i.e., when you update a module in the admin section, you get a confirmation screen with a confirm button: it's in fact an HTML form using the POST method. Click the "confirm" button, and the action page gets called using POST: bingo.
Quote:
(2) What, regarding security, should I be looking at if I decide to use db::queryF instead? As this code is not using any outside variables, is it safe?
Normally, yes. And anyway, this "security" feature is not really safer: people will still be able to generate a POST request with variables they set themselves if they really want to. However, doing this during a GET request is easier: you just have to add the values into your browser address bar. For a POST, they'll need to work a little more.
And for what you should do: there are pages about this on the web. Mostly it's about:
- Always initialize the variables you use. Never assume PHP will have initialized them as 'empty':
$query = ''; // IMPORTANT! Without this line, $query starts out undefined.
for ($i = 0; $i != 10; $i++)
    $query .= $elts[$i];
- Always check variables' validity, especially when their content is to be inserted in queries or is to appear within your site:
$val = $_GET['id'];
$sql = "SELECT * FROM table WHERE id=$val"; // UNCOOL!!! $val goes into the SQL unchecked.
Use:
$sql = "SELECT * FROM table WHERE id='" . $xoopsDB->quoteString($val) . "'";
or:
$sql = "SELECT * FROM table WHERE id=" . intval($val);
Quote:
(3) I assume using a POST method and db::query is the preferred way of executing a delete query, correct ?
Well, if you can, yes.
But it may be inefficient if your query is to be executed during browsing of the site's public part. It's up to you.
Skalpa.
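The two points of the reply above (a confirmation form that submits with POST, and validating the id before it reaches the DELETE query), worked through as one added example. This is not code from the original post or from XOOPS: it uses a plain mysqli prepared statement rather than $xoopsDB so it runs outside XOOPS, and the connection details, the table "items" and its integer primary key "id" are all hypothetical.

```php
<?php
// Added example, not code from the original post or from XOOPS.
// A GET request only renders a confirmation form that submits with POST;
// the POST handler checks a one-time token and validates the id before the
// DELETE runs. Assumed (hypothetical): a mysqli connection in $db and a
// table "items" with an integer primary key "id".
declare(strict_types=1);

session_start();
$db = new mysqli('localhost', 'app_user', 'app_pass', 'app_db'); // hypothetical credentials
$db->set_charset('utf8mb4');

// Always initialise what you use; never rely on PHP treating an unset
// variable as empty.
$message = '';

// Whatever the method, the id is validated the same way: intval() yields an
// integer, so no SQL can ride along inside it.
$source = $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET;
$id = intval($source['id'] ?? 0);
if ($id <= 0) {
    http_response_code(400);
    exit('Invalid id.');
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // GET: show the confirmation form only. Nothing is deleted here, so a
    // crafted link (?id=42) cannot do damage by itself.
    $token = bin2hex(random_bytes(16));
    $_SESSION['delete_token'] = $token;
    $safeId = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
    $safeToken = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    echo "<form method=\"post\" action=\"\">\n"
       . "  <p>Really delete item {$safeId}?</p>\n"
       . "  <input type=\"hidden\" name=\"id\" value=\"{$safeId}\">\n"
       . "  <input type=\"hidden\" name=\"token\" value=\"{$safeToken}\">\n"
       . "  <button type=\"submit\">Confirm</button>\n"
       . "</form>\n";
    exit;
}

// POST: require the one-time token issued with the form, so a form hosted on
// some other site cannot submit the delete on behalf of a logged-in user.
$sent = (string) ($_POST['token'] ?? '');
$expected = (string) ($_SESSION['delete_token'] ?? '');
unset($_SESSION['delete_token']);
if ($expected === '' || !hash_equals($expected, $sent)) {
    http_response_code(403);
    exit('Confirmation token missing or invalid.');
}

// UNCOOL: $db->query("DELETE FROM items WHERE id=" . $_POST['id']);
// A prepared statement sends the value separately from the SQL text, and
// $id is already an integer anyway.
$stmt = $db->prepare('DELETE FROM items WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$message = $stmt->affected_rows === 1 ? "Item {$id} deleted." : 'Nothing deleted.';
$stmt->close();

echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
```

The token is what actually turns "use POST" into a security property: without it, a POST is only marginally harder to forge than a GET, as the reply itself notes. Inside XOOPS the same intval()/quoteString() validation applies before handing the string to $xoopsDB->query().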