Building the View Details Page in a PEAR CMS - Displaying the Article

(Page 4 of 4 )

Because the purpose of this script is to display the full body of the article, which includes the title date of submission and other actual text, the script requires a story ID to actually extract the article from the database. Two query string numbers are sent to it. The two numbers are IDs of the author and the article, respectively. This means that the script has to judge which of the two it has received and then construct an appropriate SQL query.

But first we have to filter the data that we receive across the Internet. We need to filter the data because malicious users can easily tamper with the query string number that is sent to the application by, for example, changing the number into a string. To get more specific, if you’ve clicked on the first story that is listed on the main page of the application, it will send a query string that looks like this over the browser:

http://localhost/pear/view.php?sid=1

A malicious user can change that number into a letter, like so:

http://localhost/pear/view.php?sid=y

which will produce unpredictable results that can expose security vulnerabilities. So we have to take basic steps to prevent this from happening. The code below uses the is_numeric() function to see if the query string passed a number or a letter. It will evaluate to false if the parameter that is passed is not a number. First the code checks to see if an author id has been sent:

if(isset($_GET['aid'])){

If so, it checks to see if the id is a number using the is_numeric() function:

if(is_numeric($_GET['aid'])){

If the id is a number then we filter it further by using the mysql_real_escape_string() function which “cleans” the variable and readies it for use in a query:

$aid=mysql_real_escape_string($_GET['aid']);

$sql = "SELECT * FROM stories WHERE aid='".$aid."'";

}else{

If the ID is not a number, then an error message is displayed:

echo "Error invalid format";

}

}

The second part of the code does exactly the same thing that the code above does. The only difference is that the ID that it works with is not an author ID but a story id, or sid:

if(isset($_GET['sid'])){

if(is_numeric($_GET['sid'])){

$sid=mysql_real_escape_string($_GET['sid']);

$sql = "SELECT * FROM stories WHERE sid='".$sid."'";

}else{

echo "Invalid Format";

}

}

Since the SQL queries are defined in the code blocks above, the code continues to run, using the $db->query function to execute the query:

$res = $db->query($sql);

We test the results by checking to see if the $res variable contains any records, if it does we run a while loop to retrieve them. It should actually only contain one record since the whole point of the script is to show only one article in full:

if($res){

while ($row = $res->fetchRow(DB_FETCHMODE_OBJECT)) {

?>

The code then continues to build the static table that will host the article that the user wants to read. The table will be filled with dynamic data that is retrieved from the database. The table will show the title, date of publication and the story itself:

<tr class="title">

<td colspan="2" class="title"><?php print $row->title ?></a></td>

</tr>

<tr>

<td width="18%">&nbsp;</td>

<td width="82%" class="auth"> published on: <?php print $row->s_date ?></td>

</tr>

<tr>

<td colspan="2" class="maintxt"><p><?php print $row->story ?></p></td>

</tr>

If the $res variable does not contain any records, the code displays a message stating exactly that:

}else{

?>

 

<tr>

<td colspan="2" class="maintxt"><p>No article found</p></td>

</tr>

<?php } ?>

The HTML table is then closed and the HTML for the page is also closed.

</table>

<!-- InstanceEndEditable --></td>

</tr>

 

<tr class="copy">

<td colspan="2">&copy;2008</td>

</tr>

</table>

</body>

<!-- InstanceEnd --></html>

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: Building the View Details Page in a PEAR CMS

>>> Be the FIRST to comment on this article!