Re: best paging strategies for large datasets?

From: Justin Graf
Subject: Re: best paging strategies for large datasets?
Date:
Msg-id: 4BEBFE63.4050107@magwerks.com
In reply to: Re: best paging strategies for large datasets?  (silly sad <sad@bankir.ru>)
List: pgsql-sql
On 5/13/2010 4:41 AM, silly sad wrote:
>
>>> First u count(*) the rows and select a requested page
>>> returning to a client the count result bundled "with a page of rows"
>>>
>>> (1) client renders the acquired rows
>>> (2) __memorize__ what part of the data he just got
>>> (3) and stores the count result to calculate "the pager div"
>>>
>>> all the subsequent clicks on "the pager div" should not immediately
>>> generate requests and decides if the request is needed.
>>
>> Yes, rendering the results through ajax is a good idea, but one has to
>> be careful not to expose one's LIMIT and OFFSET to the client, but only
>> the "page" number. Or else the client could query the whole data set. A
>> lot of "professional" web sites have that hole.
>>
>
> this is not a hole, it is only a matter of aesthetic
>
Silly Sad is right: this is not a hole but a matter of aesthetics.  To
keep the code simple and limit the amount of things that have to be
tracked with the client session on the server, I pass the limit and offset
to the client, normally in a url/link.  This also solves the problem if
the user's session expires: the information is lost, meaning the user has
to restart.  Very annoying.

So the urls look something like this   
www.mywebsit.com/index.php?module=getthedata&limit=10&offset=30&orderby=5

On the server, set these three data types to integer to block sql
injection.

I really don't care if the user sends a command to get all 10,000
records.  If you block that, all that has been accomplished is slowing down
data harvesting and eating up even more resources, as the client/user
will send ever more GETs to harvest data.  Nothing has been accomplished.

To keep the casual onlooker from screwing with the url, encode it in
base64.  It keeps honest people honest, but the hackers will pull that
apart in a second.

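An added example, not part of the original message: one way to apply the integer handling described above to the `limit`, `offset` and `orderby` URL parameters. It is written in Python with an in-memory SQLite database standing in for PostgreSQL; the `items` table, its five columns and the helper names are assumptions made for the illustration.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

N_COLUMNS = 5  # assumption: the result set has five columns, so orderby is 1..5


def to_int(params, name, lo, hi):
    """Return params[name] as an int in [lo, hi], or raise ValueError."""
    values = params.get(name, [])
    # Exactly one value, ASCII digits only: no sign, spaces or SQL fragments.
    if len(values) != 1 or not re.fullmatch(r"[0-9]{1,9}", values[0]):
        raise ValueError(f"bad {name}")
    n = int(values[0])
    if not lo <= n <= hi:
        raise ValueError(f"{name} out of range")
    return n


def fetch_page(conn, url):
    """Run the paged query for a URL carrying limit, offset and orderby."""
    params = parse_qs(urlsplit(url).query)
    limit = to_int(params, "limit", 0, 10**9 - 1)
    offset = to_int(params, "offset", 0, 10**9 - 1)
    orderby = to_int(params, "orderby", 1, N_COLUMNS)
    # LIMIT and OFFSET are bound parameters. An ORDER BY column position
    # cannot be bound (a bound value is a constant expression, not a
    # position), so the range-checked integer is formatted into the text.
    sql = (f"SELECT id, a, b, c, d FROM items "
           f"ORDER BY {orderby:d} LIMIT ? OFFSET ?")
    return conn.execute(sql, (limit, offset)).fetchall()


def make_demo_db():
    """Constructed sample data: 100 rows in a hypothetical items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items "
                 "(id INTEGER, a INTEGER, b INTEGER, c INTEGER, d INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?, ?)",
                     [(i, i % 7, i % 3, -i, 100 - i) for i in range(100)])
    return conn
```

Anything that is not a plain run of digits raises `ValueError` before any SQL text is built, and `orderby` is additionally limited to the number of columns in the result set.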


