September 8, 2009 Having created a fairly successful iPhone version of our database, I've duplicated and tweaked one of the PHP pages with the intention of allowing particular clients to access information about their booked events. I can't post code here (wrong Mac!), so please bear with me..... To allow multiple 'online' users, I've created a generic account within FM, with PHP access privileges only. My original 'eventslist.php' page requires username and password authentication, but my 'tweaked' page – "clientevents.php" – has the generic PHP account authentication embedded in the page (i.e. $userName = 'username' etc.). I can then send individual clients links like http://mysite.com/clientevents.php?contactID=1234 where the numbers at the end of the URL relate to that field in the FM database. A search at the start of the page uses $_GET['contactID'] to find only this client's record – works a treat, except, when I don't include the ?contactID=1234 bit, all records are returned..... eek! OK, so not all are displayed, since I'm not looping through all the results and only showing the first, but this does mean the first record is displayed, and well, I'd rather it wasn't! I tried adding a dummy client with the lowest contactID value (since the database is sorted by contactID), thinking that would force the 'empty' record to load up in the webpage. That doesn't work, so I've temporarily removed the page until I sort this out..... Help please! I know I should implement a more 'robust' authentication, and that's on the cards, but all I need to do for now is to either (a) show nothing or (b) return the dummy 'empty' first record when somebody smart discovers my long URL and decides to try shortening it...... I'm thinking I need to add an 'if' statement of sorts that checks to see whether or not the URL is passing a 'contactID' variable, but I can't work this out at all..... What am I missing...?
September 9, 2009 As you pointed out, you *really* shouldn't have your "authentication" set up this way, but I'm not here to wag my finger ;-)

First, you could add a check to the top of your PHP page that requires a contactID like so:

    if (empty($_GET['contactID'])) {
        die('Sorry! Contact ID is required.');
    }

Next, you could add an exact field match operator to your query, just like you'd do in FileMaker Pro. So, if you are currently doing this:

    $request->addFindCriterion('contactID', $_GET['contactID']);

then change it to this:

    $request->addFindCriterion('contactID', '=="' . $_GET['contactID'] . '"');

HTH, j
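Putting the two suggestions above together, here is a hardened version of the clientevents.php lookup as an added example; it is not code from the original poster, from Jonathan's reply, or from FileMaker. It assumes the FileMaker PHP API is loaded from FileMaker.php, and the database name 'events', the layout 'clientevents_web', the web account credentials and the 'clientName' field are placeholders. Beyond the thread's two fixes, it also checks that contactID is purely numeric, so that FileMaker find operators or wildcards supplied in the URL cannot widen the search, and it treats FileMaker's "no records match" error as a not-found page instead of falling through to another client's record.

```php
<?php
// Added example, not the original page's code. Assumed: FileMaker PHP API
// available as FileMaker.php; database 'events'; layout 'clientevents_web';
// fields 'contactID' (numeric) and 'clientName'; placeholder web credentials.
require_once 'FileMaker.php';

// 1. Refuse the request outright when no contactID is passed. Without this,
//    an empty criterion matches every record and the first one is shown.
if (empty($_GET['contactID'])) {
    header('HTTP/1.0 400 Bad Request');
    die('Sorry! Contact ID is required.');
}

// 2. contactID is a number in this database, so accept digits only. This keeps
//    FileMaker find operators and wildcards out of the criterion entirely.
$contactID = $_GET['contactID'];
if (!ctype_digit($contactID)) {
    header('HTTP/1.0 400 Bad Request');
    die('Sorry! Contact ID must be a number.');
}

// Generic PHP-only account embedded in the page, exactly as the thread describes
// (placeholder host and credentials).
$fm = new FileMaker('events', 'localhost', 'webuser', 'webpassword');

// 3. Use the "==" whole-field match operator so that a value like 12 cannot
//    match 1234 the way a default begins-with search would.
$request = $fm->newFindCommand('clientevents_web');
$request->addFindCriterion('contactID', '=="' . $contactID . '"');
$result = $request->execute();

if (FileMaker::isError($result)) {
    // FileMaker error 401 means "No records match the request"; anything else
    // is a real server or layout problem, but neither should leak data.
    header('HTTP/1.0 404 Not Found');
    die('No events found for that contact.');
}

$records = $result->getRecords();
$record  = $records[0];

// Escape field values before echoing them into HTML so the page cannot be
// turned into a cross-site scripting vector by data stored in FileMaker.
$name = htmlspecialchars($record->getField('clientName'), ENT_QUOTES, 'UTF-8');
echo '<h1>Events for ' . $name . '</h1>';
```

The numeric check and the exact-match operator address different gaps: the first keeps the criterion itself under control, the second changes how FileMaker interprets a well-formed criterion. Both are stop-gaps; a client-specific login remains the proper fix the thread already points towards.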
September 9, 2009 Author Sincere thanks for your reply Jonathan.... and feel free to wag your finger!! That's precisely what I was looking for – a check to see if the variable was 'empty'. Guess I need to learn a bit more PHP.... This works fine for now – I just wanted to close the loophole whereby the first record was being displayed if no variable was passed, and this is the perfect plug for that. I do plan to rework my entire solution, and will be looking at best practices with regard to integrating authentication for online users – can you recommend any prescribed reading on the subject?? Edited September 9, 2009 by Guest
September 9, 2009 Glad to hear that that helped. If you want more info about best practices on the web, and general security considerations, I have a bunch of good links left over from my web security session at devcon that you can peruse here: Devcon 2009 Cheers!