|
Smarty
weblink Smarty Rookie
Joined: 03 Apr 2010 Posts: 12
|
Posted: Wed Jul 07, 2010 5:51 am Post subject: Secure way to pass value from HTML to php |
|
|
Hello,
I have a solution for passing a query string in a secure way when it is called from HTML or JavaScript.
My requirement is: if the user selects values from HTML (a div tag), I need to pass the value in encrypted form to a new window page.
I should use my own PHP function for encryption; this is a must.
So, I passed the HTML value to a JavaScript function and did some calculations with the HTML value.
Then I assigned the calculated value from JS to an HTML hidden variable, then submitted the page again from JS.
Now I can retrieve the value using $_REQUEST and encrypt it.
Then I open the new page, passing this encrypted value through the URL.
I have given my template code below, and this is working fine.
current_page.tpl
================
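Code: | {php}
// Run only when the form was submitted with a non-empty value
// (isset() avoids an undefined-index notice on the first page load).
if (isset($_REQUEST['myval']) && $_REQUEST['myval'] != '') {
    $myval = $_REQUEST['myval'];
    $key = "1234";
    $myval_enc = $myobject->myphpencrypt($myval, $key); // call my php encrypt function.
    // urlencode() keeps characters such as + / = intact in the query string;
    // window.open() takes (url, window name, features), so the size goes in the features string.
    echo '<script> window.open("newwindowpage.php?myidval='.urlencode($myval_enc).'", "_blank", "width=860,height=700"); </script>'; //open new window
}
{/php}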
{literal}
<script language="JavaScript" >
function MM_showHideLayers() {
var i,p,v,obj,args=MM_showHideLayers.arguments;
for (i=0; i<(args.length-2); i+=3) if ((obj=MM_findObj(args[i]))!=null) { v=args[i+2];
if (obj.style) { obj=obj.style; v=(v=='show')?'visible':(v=='hide')?'hidden':v; }
obj.visibility=v; }
}
function myrequest()
{
//...........doing some calculation here
.....................
.....................
.....................
.....................
// After the calculation the result stored in "selectedValue" variable.
var selval = selectedValue.toString();
document.myform.myval.value = selval; // assign to myval hidden field after calculation
document.myform.submit(); // value to pass php - Reload the page
MM_showHideLayers('mydivwindow','','hide');
}
</script>
{/literal}
<html>
<form name='myform' method='POST' action='currentpage.php' >
.....................
.....................
<input type="button" name="btn_print" id="btn_print" value="Print" onclick="MM_showHideLayers('b1','','show')">
<div id="mydivwindow">
.....................
.....................
<input type="button" name="btn_ok" id="btn_ok" value="" onclick="myrequest()">
<input type="hidden" name="myval" id="myval" value="">
.....................
.....................
</div>
.....................
.....................
</html>
|
Regarding the above code, please confirm my queries below:
1. Is there any other way to do this without reloading the page again (I submit the form in the myrequest JS function)?
2. In my above code, I'm reloading the page to submit the value to PHP; will it slow down the application?
3. I am using PHP code in the template file; is it possible to use a Smarty plug-in instead of writing PHP code in the template file?
Thanks |
|
|
jothirajan Smarty Pro
Joined: 06 Feb 2009 Posts: 114 Location: India
|
Posted: Wed Jul 07, 2010 6:43 am Post subject: Encryption |
|
|
1. Is there any other way to do this without reloading the page again (I submit the form in the myrequest JS function)?
>>> Yes, we can. You should do your encryption using AJAX, and you have to assign the values to your hidden inputs.
2. In my above code, I'm reloading the page to submit the value to PHP; will it slow down the application?
>>> For some reason, say my KEY is 10 digits and it is looping for a while, we may get this problem. 100/ 5% may be
3. I am using PHP code in the template file; is it possible to use a Smarty plug-in instead of writing PHP code in the template file?
>>> Yes, we can.
But better, you can use the .htaccess or frame concept. I too have written this much code for encryption, but due to security I won't show anything in the URL nowadays. And one thing: do not write enormous code, avoid JavaScript. |
|
|
bimal Smarty Elite
Joined: 19 Apr 2007 Posts: 423
|
Posted: Wed Jul 07, 2010 6:49 am Post subject: Use the other ways |
|
|
First, a few suggestions:
* Do not use {php}...{/php} tags. Instead, do this within your real PHP code.
* Newer versions of Smarty work without the need to write {literal} tags.
* window.open will open newwindowpage.php?myidval=??? immediately. The passed myidval is NOT DYNAMIC JAVASCRIPT. It is generated at the time of rendering the template.
Quote: | Is there any other way to do this without reloading the page again (I submit the form in the myrequest JS function)? |
Use AJAX to post your form and print the output into a particular area of your HTML. Refer to: http://www.w3schools.com/ajax/ajax_example.asp
Quote: | In my above code, I'm reloading the page to submit the value to PHP; will it slow down the application? |
Not really. If the code is doing what you expect, it is all right. The other ways of dealing with this issue are: using AJAX, as I just mentioned above, using a single page to show the results here, or using a different page to show the results when a user submits. First, make sure that it is working according to your needs. Then test it for speed.
Quote: | I am using PHP code in the template file; is it possible to use a Smarty plug-in instead of writing PHP code in the template file? |
You should never use PHP tags within an ideal template. A possible replacement could be:
Code: | <?php
// isset() avoids an undefined-index notice when the form has not been submitted.
if (isset($_REQUEST['myval']) && $_REQUEST['myval'] != '')
{
    $myval = $_REQUEST['myval'];
    $key = "1234";
    $myval_enc = $myobject->myphpencrypt($myval, $key);
}
else
{
    $myval_enc = '';
}
$smarty->assign('myval_enc', $myval_enc);
?> |
Be sure to keep $myval_enc empty when you do not need it.
Template:
Code: | {if $myval_enc!=''}
{* escape:'url' keeps the value intact inside the query string *}
<script>window.open("newwindowpage.php?myidval={$myval_enc|escape:'url'}", "_blank", "width=860,height=700"); </script>
{/if} |
or, in a fascinating way:
Code: | <script>
//{if $myval_enc!=''}
window.open("newwindowpage.php?myidval={$myval_enc|escape:'url'}", "_blank", "width=860,height=700");
//{/if}
</script> |
The comments do not have meanings here, but the code looks good.
The piece of JavaScript can be placed at the very bottom of the page, to make sure that it allows the parent page to open first. |
|
|
douglassdavis Smarty Junkie
Joined: 21 Jan 2008 Posts: 541
|
Posted: Wed Jul 07, 2010 11:41 am Post subject: |
|
|
To agree w/ previous post
Don't use {php} tags.
Don't use window.open, just display the page that you are sending the user to.
Also, I don't think you even need a plugin here, just assign $myval_enc to a smarty var in your PHP code, then display it on the page.
And, if you really think your data is worth protecting, use https. Your method is more than likely pretty easy to decrypt if anyone really wants to decrypt it. |
|
|
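The point raised above, that a home-made cipher with a short key is likely easy to decrypt, shown as an added example that is not part of the thread or of Smarty: the URL value is sealed with authenticated encryption, so the receiving page can detect any change to it. It uses PHP's openssl extension in place of the poster's `myphpencrypt`; the function names `seal_param`, `open_param`, `b64url_encode` and `b64url_decode` are hypothetical, and the sample value is constructed.

```php
<?php
// Added example: seal a value for a query string with AES-256-GCM (PHP >= 7.1,
// openssl extension). All function names here are hypothetical.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    $txt = strtr($txt, '-_', '+/');
    // Restore the stripped padding; strict mode returns false on bad input.
    return base64_decode($txt . str_repeat('=', (4 - strlen($txt) % 4) % 4), true);
}

// Token layout: nonce (12 bytes) || tag (16 bytes) || ciphertext, base64url-encoded.
function seal_param(string $value, string $key): string {
    $nonce = random_bytes(12); // fresh nonce for every token
    $tag = '';
    $ct = openssl_encrypt($value, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return b64url_encode($nonce . $tag . $ct);
}

// Returns the original value, or null if the token is malformed or was altered.
function open_param(string $token, string $key): ?string {
    $raw = b64url_decode($token);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;
}

// Constructed demo. A real key is 32 random bytes kept in server-side
// configuration, shared by the page that seals and the page that opens.
$key = random_bytes(32);
$token = seal_param('invoice-42', $key); // constructed sample value
echo "newwindowpage.php?myidval=$token\n";
var_dump(open_param($token, $key)); // round trip
$tampered = $token;
$tampered[0] = ($token[0] === 'A') ? 'B' : 'A'; // change one character
var_dump(open_param($tampered, $key)); // authentication fails, so null
```

The token is already URL-safe, so it can be assigned to the template and placed in the query string without further encoding.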
weblink Smarty Rookie
Joined: 03 Apr 2010 Posts: 12
|
Posted: Mon Jul 12, 2010 6:17 pm Post subject: Problem with AJAX |
|
|
Hello all,
Thanks for your suggestions. Bimal, you suggested using AJAX without reloading my page (to submit the values to the server).
I have a problem with this implementation. I think my case is different. Here I am giving the explanation.
Code: |
{literal}
<script language="JavaScript" >
function MM_showHideLayers() {
var i,p,v,obj,args=MM_showHideLayers.arguments;
for (i=0; i<(args.length-2); i+=3) if ((obj=MM_findObj(args[i]))!=null) { v=args[i+2];
if (obj.style) { obj=obj.style; v=(v=='show')?'visible':(v=='hide')?'hidden':v; }
obj.visibility=v; }
}
function myrequest()
{
//...........doing some calculation here
.....................
.....................
.....................
.....................
// After the calculation the result stored in "selectedValue" variable.
var selval = selectedValue.toString();
document.myform.myval.value = selval; // assign to myval hidden field after calculation
get(selval); // Call AJAX function
MM_showHideLayers('mydivwindow','','hide');
}
var http_request = false;
function makePOSTRequest(url, parameters) {
http_request = false;
if (window.XMLHttpRequest) { // Mozilla, Safari,...
http_request = new XMLHttpRequest();
if (http_request.overrideMimeType) {
// set type accordingly to anticipated content type
//http_request.overrideMimeType('text/xml');
http_request.overrideMimeType('text/html');
}
} else if (window.ActiveXObject) { // IE
try {
http_request = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {}
}
}
if (!http_request) {
alert('Cannot create XMLHTTP instance');
return false;
}
http_request.onreadystatechange = alertContents;
// The parameters travel in the query string, so this is a plain GET with no body.
// Content-length and Connection are set by the browser and must not be set here.
http_request.open('GET', url+parameters, true);
http_request.send(null);
}
function alertContents() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
//alert(http_request.responseText);
result = http_request.responseText;
document.getElementById('mydiv').innerHTML = result;
} else {
alert('There was a problem with the request.');
}
}
}
function get(selval) {
var poststr = "?myval=" + encodeURIComponent(selval); // encode so special characters survive the query string
makePOSTRequest('mypost.php', poststr);
}
</script>
{/literal}
<html>
<form name='myform' method='POST' action='currentpage.php' >
.....................
.....................
<input type="button" name="btn_print" id="btn_print" value="Print" onclick="MM_showHideLayers('b1','','show')">
<div id="mydivwindow">
.....................
.....................
<input type="button" name="btn_ok" id="btn_ok" value="" onclick="myrequest()">
<input type="hidden" name="myval" id="myval" value="">
.....................
.....................
</div>
<div id="mydiv"></div>
.....................
.....................
</html>
|
mypost.php
Code: |
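<?php // escape the echoed value: the caller inserts this response with innerHTML
echo htmlspecialchars($_REQUEST['myval'], ENT_QUOTES, 'UTF-8'); ?>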
|
The output of the PHP file "mypost.php" prints in my current PHP file; I need to store the output of mypost.php in some variable in my current PHP file. How do I do this?
What changes do I have to make to get the value from the server without refreshing the page?
Sorry for this long post...
Thanks |
|