Re: Shhh, very quiet.

This WebDNA talk-list message is from 2006.


From: Bill (devaulw@onebox.com)
Subject: Re: Shhh, very quiet.

Ken,

How do you guard against a formhack so someone cannot insert arbitrary data into a record?

Bill

-----Original Message-----
From: Kenneth Grome
Sent: Fri, 21 Apr 2006 10:45:50 +0800
To: "WebDNA Talk"
Subject: Re: Shhh, very quiet.

Hi Donovan,

I used to do this a long time ago too, but then I found an easier way ... or at least it's easier for me.

When it's time for a visitor to add a new record to a database, I use an append context at the top of my append page -- to create a new blank record. Then I do a search for that new blank record further on down the page, and my form [include] tag goes inside the [founditems] context of that search.

In other words, my forms are always used to replace -- never to append -- and now I no longer have to try to make a single form work properly in both append and replace contexts ... which is basically what your code does, and what mine used to do before I came up with this new technique.

The new "blank" record I create in my append context is not completely blank of course. I pre-set two values in these newly created records. One is the uniqueID value (created by the [cart] tag) and the other is the current [date] which goes into the createDate field.

For those of you who anticipate that my technique of appending new blank records might fill the db with lots of blank records, one for each person who clicks the "create a new record" link but never submits the form, I have a simple solution that looks like this:

[delete db=xxx.db
&eqeditDatedatarq=[blank]
&lecreateDatedatarq=[math date]{[date]}-{00/02/0000}[/math]
&createDatetype=date]

This delete tag (without the line breaks of course) goes at the top of the append page and/or at the top of the replace page. It automatically deletes all records in the db that have a blank editDate field *and* a createDate value that's two days ago or earlier.

I use two days instead of one as the cutoff for auto-deletion because it's possible that someone will click the link to register just before midnight (server time) but not submit the form until after midnight. So by waiting for two days instead of one, I always give the visitor 24-48 hours to complete the form before I auto-delete the blank forms.

Not to diminish the value of your new discovery Donovan, because that's the first method I developed years ago when [text] variables first became available, and it's still a very good one. But after dealing with the hassles that method creates for far too long, I finally sat down and developed my new method -- which as it turns out is a whole lot faster and easier. At least it is for me ... :)

Sincerely,
Kenneth Grome
owner@kengrome.com
kengrome@gmail.com
www.kengrome.com

On Thu, 20 Apr 2006 11:23:39 -0500, Donovan Brooke wrote:

> Hello,
>
> It's been purty quiet lately so I thought I'd post something.
>
> Now some/many? of you probably do this already.. so this is for people
> who haven't tried this yet.
>
> When interacting with a database, there is almost always
> an ADD, EDIT and DELETE system to build right? Concentrating
> on just the ADD and EDIT... I used to create two lengthy
> forms. The edit form auto filled in the form, the
> add form didn't.
>
> For quite some time now, I've been using only one form combined
> with an append=T in a replace.
>
> Here is how it works:
>
> 1.) If you are adding, just link to the page.
> 2.) If you are editing, link to the page with the ID of the record
> to be edited using "theID".
>
> ** this assumes that a database will have a unique fieldname (in this
> case "ID") **
>
> 3.) Put this code in the top of the page:
>
> [if ("[raw][theID][/raw]"="[theID]") | ("[raw][theID][/raw]"="")]
> [then]
> [ListFields db=thedb.db][text][name]=[/text][/listfields]
> [/then]
> [else]
> [search db=thedb.db&eqIDdatarq=[theID]]
> [founditems]
> [ListFields db=thedb.db][text][fieldname]=[interpret][[fieldname]][/interpret][/text][/listfields]
> [/founditems]
> [/search]
> [/else]
> [/if]
>
> 4.) This is your add or edit form (I like to have it in an .inc file)
>
> ETC.
>
> 5.) Put your edit code at the top of the page even above the "IF
> Then else".
>
> [showif [url][action][/url]=addedit]
> [showif ||[raw][theID][/raw]|^|[theID]|]
> [!]
> **globalid.db is a database with only one field name called "ID"
> **It is the best way I've found to assign a unique ID safely to
> allow growth.
> [/!]
> [exclusivelock db=globalid.db]
> [append db=globalID.db&autonumber=ID][/append]
> [/exclusivelock]
> [/showif]
>
> [exclusivelock db=thedb.db]
> [replace db=thedb.db&eqIDdatarq=[theID]&append=T][!]
> [/!]ID=[lastautonumber]&[!]
> [/!][formvariables name=__&exact=F][!]
> [/!][getchars start=3][name][/getchars]=[url][value][/url]&[!]
> [/!][/formvariables][!]
> [/!][/replace]
> [/exclusivelock]
>
> [commitdatabase db=thedb.db]
> [/showif]
>
> 6.) I wrote this quickly and spontaneously for this email so there
> could very well be syntax and spelling problems!
>
> This will save you much time in only having to edit one
> form when there are changes to a database... not only that,
> but you don't have to edit the replace and search contexts!
>
> Cheers,
> Donovan
>
> --
> =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
> DONOVAN D. BROOKE EUCA Design Center
>
> <- Web Development (specializing in eCommerce),->
> <- Custom Paint, Labels, and Specialty Signage. ->
> <- Home and Business Embellishment/Fabrication, ->
> <- Glass Blowing, and Art Glass ->
>
> PH/FAX:> 1 (608) 835-2476
> Web:> http://www.egg.bz | http://www.euca.us
> =o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
>
> -------------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to:
> To switch to the DIGEST mode, E-mail to
>
> Web Archive of this list is at: http://webdna.smithmicro.com/
>
> -------------------------------------------------------------
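Bill's question is left open on the page. As an added example that is not from any of the list posts, the following Python models the `[formvariables name=__&exact=F]` loop from Donovan's step 5 and places an allow-listed version beside it; the column names, the protected `isAdmin` column and the submitted form are constructed for the demo.

```python
# Added example (not from the list posts): models the [formvariables name=__&exact=F]
# loop from Donovan's step 5 in Python to show why Bill's "formhack" question matters.
# Field names, record layout and the submitted form are constructed for the demo.
from typing import Dict

# Columns the visitor is allowed to set through the form (assumption: the app's choice).
EDITABLE_FIELDS = {"title", "body"}
# Columns the server owns; they must never come from the client (constructed set).
PROTECTED_FIELDS = {"ID", "createDate", "editDate", "isAdmin"}


def strip_prefix(name: str) -> str:
    """Equivalent of [getchars start=3][name][/getchars]: drop the leading '__'."""
    return name[2:]


def build_update_unguarded(form: Dict[str, str], new_id: int) -> Dict[str, str]:
    """Mirrors the original loop: every '__'-prefixed form variable lands in the
    record, so a client that adds its own __isAdmin or __ID field controls them."""
    record = {"ID": str(new_id)}          # ID=[lastautonumber] comes first ...
    for name, value in form.items():
        if name.startswith("__"):         # ... then whatever the client sent
            record[strip_prefix(name)] = value
    return record


def build_update_guarded(form: Dict[str, str], new_id: int) -> Dict[str, str]:
    """Same loop with an allow-list: only editable columns are copied, and any
    protected or unknown column is dropped instead of written to the record."""
    record = {"ID": str(new_id)}
    for name, value in form.items():
        if not name.startswith("__"):
            continue
        field = strip_prefix(name)
        if field in EDITABLE_FIELDS and field not in PROTECTED_FIELDS:
            record[field] = value
    return record


# Constructed POST body: the two fields the form renders, plus two extra names
# the form never rendered but which a client can still submit.
SAMPLE_FORM = {
    "action": "addedit",
    "theID": "",
    "__title": "hello",
    "__body": "text",
    "__isAdmin": "T",
    "__ID": "1",
}

if __name__ == "__main__":
    print(build_update_unguarded(SAMPLE_FORM, 42))  # isAdmin and ID overwritten
    print(build_update_guarded(SAMPLE_FORM, 42))    # only title and body kept
```

The equivalent guard on the WebDNA side is to copy only the fields the form is meant to expose rather than every `__`-prefixed variable the client sends.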