Building a Weblog: Part 2 / Page 3 | WebReference

Building a Weblog: Part 2 / Page 3

[previous] [next]

Building a Weblog: Part 2

Viewing Specific Entries

When index.php was created, three distinctive sections were added to the page:

  • Main blog entry
  • Number of comments
  • Previous blog entries

In the main blog entry and previous entry sections, you link to another page called viewentry.php. The viewentry.php page has a number of important features:

  • The page displays the contents of the blog entry.
  • The page uses virtually the same code from index.php.
  • The need to create the anchors that were added to the comment names (and links) in index.php.
  • The page provides a form to post comments about the blog entry.
  • The form is displayed, and when the user fills it in, the comment is added to the database.

This page is an important step in building the blog, so without further ado, it's time to get going and do some coding!

Validating the Request URL

The first step for the viewentry.php page is to ensure it's requested with valid date. Whenever you work on a Web project, it is important to verify that any changeable information (such as the ID of an entry or comment) is legitimate. This verification process is known as validation. In this project, validation is applied to only the variables that are added to the address of the site. These variables are visible, and the user can change them by editing the address in the browser.


Validation, Step by Step

The reason you will validate only GET variables, and not other types of information, is to make validation easier to learn. This application introduces some basic concepts and keeps things simple. Later projects in the book explore validation in more detail, and you can return to earlier projects and apply these skills later.

Although GET variables can be set to letters or numbers, virtually every GET variable in this book is set to a number. When you created index.php and the links to viewentry.php, each of them included a GET variable that contained a numeric id.

To validate a numeric variable, feed it into a block of code that runs some simple tests. Add the following code to the beginning of viewentry.php:

The first line includes config.php. Unlike the previous example, header.php has not been included (yet). If validation fails, you'll redirect users to another page, so there's no need to show the HTML in header.php until these tests have passed.

The next line is the first if condition. The isset() function checks to see if the GET variable exists. If it does, isset() returns TRUE; if not, validentry is set to 0.


Redirection Fun and Games

Redirection is when you automatically jump to another page on the Web site. There are two main methods of redirecting to a page:

As a general rule, use HTTP headers for redirection, because of its availability in all browsers and ease of use.

Assuming a variable is being sent, a check is made to ensure the value is numeric; if someone sets the variable to "bananas," for example, this is obviously incorrect. The is_numeric() function tests the GET variable; if the result is false, error is set to 1.


The Nasty World of SQL Injection

One of the risks of using GET variables is SQL injection. Imagine that you have a SQL statement such as the following:

SELECT * FROM entries WHERE id = <id value>

and where <id value> is, you add the value from the GET variable:

$sql = "SELECT * FROM entries WHERE id = " . $_GET['id'];";

This code assumes that the value of id is numeric. If you don't check for this, a malicious user could try to inject SQL code into the query. Imagine what would happen if the user added 1; DROP DATABASE blogtastic;. The following SQL is now executed:

SELECT * FROM entries WHERE id = 1; DROP DATABASE blogtastic;

This code would result in a lost database (assuming the user had appropriate permissions)! To protect against this risk, always ensure that numeric GET values are actually numeric.

Next, if error is indeed equal to 1 (indicating a non-numeric value), the header() command redirects to the main page. The header() command is passed the Location header and the full location to redirect to (such as Location: http://localhost/blogtastic/). In the code, the "Location:" text is added, and then the location is picked out of the config_basedir variable from config.php.


When using the Location header, you will need to provide a complete URL such as—as opposed to or

If error is not set to 1, the validentry variable is set to the value of the GET variable. With this validation in place, the code below the header() function runs only with a valid GET variable.


Don't Confuse the User with Errors

When an invalid variable is detected, this script redirects to a legitimate page instead of displaying an error message. When considering the usability of your Web application, it generally makes sense to redirect rather than report an error. Error messages are rarely useful to users, and anyone who has the knowledge to adjust the GET variable on the URL is probably fully aware that they are tampering with the application instead of using the application. Automatically redirecting avoids potentially confusing the user with error messages.

[previous] [next]