Shortly before he so sadly passed away at the weekend, Clyde Jones and I were looking at the changes needed for his Links Manager. Clyde was a huge supporter of this community, and I'm sure that he would have been happy for me to use examples from our discussion for general benefit.
The following examples are taken from the links.php file:
Link Deletion
Line 609 uses a form for the delete confirm, but does so with a form action containing all the data needed for the database deletion:
PHP Code:
$contents = array('form' => zen_draw_form('links', FILENAME_LINKS, zen_get_all_get_params(array('lID', 'action')) . 'lID=' . $lInfo->links_id . '&action=deleteconfirm'));
This isn't good enough: that form action could be lifted out of the form and used as a simple URL plus parameters, bypassing the security token that the form carries. Although there is some fallback code that tries to prevent this, good practice dictates making at least one of the parameters passed (or, in this case, the only one) a POST variable:
PHP Code:
$contents = array('form' => zen_draw_form('links', FILENAME_LINKS, zen_get_all_get_params(array('lID', 'action')) . '&action=deleteconfirm') . zen_draw_hidden_field('lID', $lInfo->links_id));
Line 177 reads the now posted ID, so change from:
PHP Code:
$links_id = zen_db_prepare_input($_GET['lID']);
to:
PHP Code:
$links_id = zen_db_prepare_input($_POST['lID']);
Line 183 reconstructs the URL:
PHP Code:
zen_redirect(zen_href_link(FILENAME_LINKS, zen_get_all_get_params(array('lID', 'action'))));
and so needs to be changed to take the ID from POST when constructing the URL:
PHP Code:
zen_redirect(zen_href_link(FILENAME_LINKS, zen_get_all_get_params(array('action')) . '&lID=' . $_POST['lID']));
Status Changes
Changing the approved/pending flag can also be done with a GET alone, so the same conversion is needed.
Lines 564-569 build the links that lead directly to database changes:
PHP Code:
if ($links->fields['links_status'] == '2') {
echo zen_image(DIR_WS_IMAGES . 'icon_status_green.gif', 'Approved', 10, 10) . ' <a href="' . zen_href_link(FILENAME_LINKS, 'page=' . $_GET['page'] . '&lID=' . $links->fields['links_id'] . '&action=setflag&flag=1') . '">' . zen_image(DIR_WS_IMAGES . 'icon_status_yellow_light.gif', 'Set Pending', 10, 10) . '</a>';
} else {
echo '<a href="' . zen_href_link(FILENAME_LINKS, 'page=' . $_GET['page'] . '&lID=' . $links->fields['links_id'] . '&action=setflag&flag=2') . '">' . zen_image(DIR_WS_IMAGES . 'icon_status_green_light.gif', 'Set Approved', 10, 10) . '</a> ' . zen_image(DIR_WS_IMAGES . 'icon_status_yellow.gif', 'Pending', 10, 10);
}
?>
needs to be converted to forms as follows:
PHP Code:
if ($links->fields['links_status'] == '2') {
echo zen_image(DIR_WS_IMAGES . 'icon_status_green.gif', 'Approved', 10, 10) . ' ';
echo zen_draw_form('links_status', FILENAME_LINKS, 'page=' . $_GET['page'] . '&action=setflag');
echo zen_draw_hidden_field('lID', $links->fields['links_id']);
echo zen_draw_hidden_field('flag',1);
echo '<input type="image" src="' . DIR_WS_IMAGES . 'icon_status_yellow_light.gif" title="Set Pending" />';
echo '</form>';
} else {
echo zen_draw_form('links_status', FILENAME_LINKS, 'page=' . $_GET['page'] . '&action=setflag');
echo zen_draw_hidden_field('lID', $links->fields['links_id']);
echo zen_draw_hidden_field('flag',2);
echo '<input type="image" src="' . DIR_WS_IMAGES . 'icon_status_green_light.gif" title="Set Approved" />';
echo '</form>';
echo ' ' . zen_image(DIR_WS_IMAGES . 'icon_status_yellow.gif', 'Pending', 10, 10);
}
?>
Of particular note is the way that we have converted the linked image into an image type input field to both display the status and act as a submit button for the form.
The monolingual image titles (naughty, naughty) have not been fixed.
Lines 28-29 receive the now-posted request:
PHP Code:
if ( ($_GET['flag'] == '1') || ($_GET['flag'] == '2') ) {
zen_set_links_status($_GET['lID'], $_GET['flag']);
and so change to:
PHP Code:
if ( ($_POST['flag'] == '1') || ($_POST['flag'] == '2') ) {
zen_set_links_status($_POST['lID'], $_POST['flag']);
Line 34 reconstructs the URL:
PHP Code:
zen_redirect(zen_href_link(FILENAME_LINKS, 'page=' . $_GET['page'] . '&lID=' . $_GET['lID']));
and so needs to change to:
PHP Code:
zen_redirect(zen_href_link(FILENAME_LINKS, 'page=' . $_GET['page'] . '&lID=' . $_POST['lID']));
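To show why both the deletion and the status-change conversions above matter, here is an added, framework-independent PHP sketch of the same pattern. It is not code from links.php or from Zen Cart: the function names (make_token, render_status_form, handle_status_change), the field name securityToken and the request arrays passed in are assumptions made for illustration, standing in for what zen_draw_form and the admin token check do inside Zen Cart. The handler accepts a status change only when it arrives as a POST carrying the session token, so a URL lifted out of the form and opened as a plain link is rejected.

```php
<?php
// Added example, not from links.php or Zen Cart. All names here are
// assumptions for illustration, not Zen Cart API calls.
declare(strict_types=1);

// Generate the per-session token once; a real application keeps it in $_SESSION.
function make_token(): string
{
    return bin2hex(random_bytes(16));
}

// Render a status-change form. Every parameter that drives a database write
// (lID, flag) travels as a hidden POST field beside the token, so the form
// action by itself carries nothing that can be reused as a bare link.
function render_status_form(int $linksId, int $flag, string $token): string
{
    $label = ($flag === 2) ? 'Set Approved' : 'Set Pending';
    return '<form name="links_status" action="links.php?action=setflag" method="post">'
        . '<input type="hidden" name="securityToken" value="' . htmlspecialchars($token, ENT_QUOTES) . '" />'
        . '<input type="hidden" name="lID" value="' . $linksId . '" />'
        . '<input type="hidden" name="flag" value="' . $flag . '" />'
        . '<input type="image" src="icon.gif" title="' . $label . '" />'
        . '</form>';
}

// Server side. $method, $get, $post and $sessionToken stand in for
// $_SERVER['REQUEST_METHOD'], $_GET, $_POST and the session so the function
// can be exercised without a web server. Returns [id, flag] to apply, or null.
function handle_status_change(string $method, array $get, array $post, string $sessionToken): ?array
{
    if (($get['action'] ?? '') !== 'setflag') {
        return null;
    }
    if ($method !== 'POST') {
        return null;   // a lifted URL arrives as GET: rejected
    }
    if (!hash_equals($sessionToken, (string)($post['securityToken'] ?? ''))) {
        return null;   // missing or forged token: rejected
    }
    $flag = (string)($post['flag'] ?? '');
    if ($flag !== '1' && $flag !== '2') {
        return null;   // only the two known states are accepted
    }
    return [(int)($post['lID'] ?? 0), (int)$flag];
}

// Constructed sample requests mirroring the two cases discussed above.
$token = make_token();

// 1. Old style: the action URL lifted out of the form and opened as a plain link.
$lifted = handle_status_change('GET', ['action' => 'setflag', 'lID' => '7', 'flag' => '2'], [], $token);

// 2. Converted form: the same parameters, posted together with the token.
$posted = handle_status_change('POST', ['action' => 'setflag'],
    ['lID' => '7', 'flag' => '2', 'securityToken' => $token], $token);

echo $lifted === null ? "lifted URL rejected\n" : "lifted URL ACCEPTED (bug)\n";
echo $posted === [7, 2] ? "posted form accepted\n" : "posted form rejected (bug)\n";
echo render_status_form(7, 2, $token), "\n";
```

The same handler shape covers the delete confirmation: move lID into a hidden field, read it from $_POST, and refuse the action unless the request is a POST whose token matches the session. Reading the ID from $_GET on a state-changing action is exactly what lets the fallback be bypassed.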
Bookmarks