CodeIgniter routing for security - codeigniter

In my CI application, I have used fake URLs for my form submit action attributes. The CI router takes care of mapping those virtual URLs to the actual physical URLs. Is this really a good practice security-wise?
In the same manner, I'm hiding my .json data store file path.
Please let me know if you have any suggestions. Thank you.

This won't really make any difference, as it is easy enough to see the "fake URL" and CodeIgniter is always going to redirect to the correct one. The easiest way to think of routes is as nicknames and nothing more.
The security comes with the validation of the data, and possible user permissions depending on your application.
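The point made above, that a route alias is a nickname and the real protection has to sit in the handler, can be seen in a CodeIgniter 3 style controller. This is an added example, not code from the question or from CodeIgniter's documentation; it assumes CI 3.x with the session library autoloaded, a hypothetical `Feedback` controller, a session key named `user_id`, and a JSON store at a path outside the web root.

```php
<?php
// application/config/routes.php (CodeIgniter 3 assumed)
// The alias is only a nickname: feedback/submit stays reachable by its real
// name as well, so nothing in this file is a security control.
$route['send-feedback'] = 'feedback/submit';

// application/controllers/Feedback.php
defined('BASEPATH') OR exit('No direct script access allowed');

class Feedback extends CI_Controller
{
    public function submit()
    {
        // Control 1: who is calling? (hypothetical session key 'user_id')
        if ($this->session->userdata('user_id') === NULL) {
            show_error('Login required', 403);
            return;
        }

        // Control 2: is the input valid? These rules run no matter which URL
        // (alias or real name) the request arrived on.
        $this->load->library('form_validation');
        $this->form_validation->set_rules('email', 'Email', 'required|valid_email|max_length[254]');
        $this->form_validation->set_rules('message', 'Message', 'required|max_length[2000]');
        if ($this->form_validation->run() === FALSE) {
            show_error($this->form_validation->error_string(), 400);
            return;
        }

        // Control 3: the JSON store lives outside the document root, so hiding
        // its path is unnecessary; only this controller can read or write it.
        $store = APPPATH . '../data/feedback.json';   // assumed location
        $entries = is_file($store) ? json_decode(file_get_contents($store), TRUE) : [];
        $entries[] = [
            'user_id' => $this->session->userdata('user_id'),
            'email'   => $this->input->post('email'),
            'message' => $this->input->post('message'),
            'at'      => date('c'),
        ];
        file_put_contents($store, json_encode($entries), LOCK_EX);
        echo 'ok';
    }
}
```

The three checks are what decide whether a submission is accepted; the `$route` entry only changes the URL a browser sees. The same reasoning covers the .json file: if it sits under the document root the web server will serve it by its real path whatever the routes say, so moving it outside the root (or denying it in the server config) is the control, not the alias.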

Related

How can I force Auth Sign In From Controller

Okay, so I know about middleware, hence the "From Controller" specification in the title, but basically the issue I have is this: I have a SaaS app to which I'm adding a gifting feature, i.e. give someone a plan as a gift, and so I need to force login on a regular user while allowing either way on the one gifting the plan, to make it easier. Makes sense? Anyway, for that reason, I cannot use the auth middleware since I have, and want, only 1 checkout page.
So, how can I force login from my Checkout Controller like the way the auth middleware does it on routes?
Since I haven't gotten a suggestion, I'll post the workaround I came up with and the potential solution I simply have no time to study up on at present:
Likely solution:
Use Auth::guard('guard name here') and you can learn more about this here.
My workaround:
I created another route pointing to the same controller function but one is going through middleware('auth') while the other isn't. Practical example below.
Route::get('checkout/summary', [CheckoutController::class, 'summary'])->middleware('auth')->name('summary');
Route::get('checkout/gift-a-sub', [CheckoutController::class, 'summary'])->name('gift-a-sub');
With this, I only require one page, which prevents complications, while forcing authentication for regular users; those just opting to gift a plan aren't required to do so, and all I have to do then is save the data based on a flag created at the Pricing page.
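The check the auth middleware performs can also be made inside the controller action itself, which keeps a single route. The following is an added example, not the asker's code; it assumes Laravel 8 or later, a named `login` route, and a hypothetical session key `checkout.gift` that the Pricing page sets server-side when the visitor chooses to gift a plan.

```php
<?php
// app/Http/Controllers/CheckoutController.php (added example, assumptions noted above)
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class CheckoutController extends Controller
{
    public function summary(Request $request)
    {
        // The gift flag is read from the session, which the server wrote on the
        // Pricing page; a query-string flag would let any visitor choose it.
        $isGift = (bool) $request->session()->get('checkout.gift', false);

        // Regular buyers must be logged in; gifters may continue as guests.
        // redirect()->guest() stores the intended URL so that a successful
        // login returns here, which is what the 'auth' middleware does for routes.
        if (! $isGift && ! Auth::check()) {
            return redirect()->guest(route('login'));
        }

        return view('checkout.summary', [
            'gift'  => $isGift,
            'buyer' => Auth::user(),   // null for a guest gifter
        ]);
    }
}
```

The action that finally saves the purchase should read the same session flag again rather than trusting a hidden form field, so that the decision of whether a login was required cannot be changed between the summary page and the save.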

Do I need to protect Laravel ::post routes from any kind of post besides my own form

If I have two routes:
Route::get('/setup', 'SetupController@index');
Route::post('/setup', 'SetupController@store');
In SetupController@index I do some checks, for example I check if the user is authenticated. But there are some more rules there that I check.
Should I perform the same checks on the post route too?
Is there any way someone could hit that post route without hitting the get route first? (for example, posting to the URL http://domain/setup?password=1234)
So I guess what I am asking is:
Do I need to wrap the two routes in a middleware and do checks on each of them or is enough to check on the get route?
Yes, you need to wrap both routes in the middleware.
Someone can open any page (login, for example) and edit the HTML to make a form that points to /setup and put whatever he wants in it.
Sure, that someone needs to know the architecture of the form to do this, but it's a risk nonetheless.
Normally, you need to add corresponding middleware for different URLs. For the GET route, you can use ReplayAttackMiddleware against unnecessary attacks; and for the POST route, I think you need to add different roles for different users, and JWT is a really good tool for authentication.
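Putting both verbs behind the same middleware, as the first answer recommends, plus a form request that authorizes and validates the POST on its own, looks like this in Laravel. This is an added example and not the asker's or either answerer's code; it assumes Laravel 8 or later, a Gate named `run-setup` defined in the app's AuthServiceProvider, and the default `web` middleware group (which already includes CSRF token checking for POST). The three pieces normally live in routes/web.php, app/Http/Requests/StoreSetupRequest.php and app/Http/Controllers/SetupController.php; braced namespaces keep them in one file here.

```php
<?php
// Added example (assumptions in the lead-in).

namespace App\Http\Requests {
    use Illuminate\Foundation\Http\FormRequest;

    class StoreSetupRequest extends FormRequest
    {
        // Runs before validation; returning false yields a 403 for this POST,
        // independently of anything the GET page did.
        public function authorize(): bool
        {
            return $this->user() !== null && $this->user()->can('run-setup');
        }

        // Field rules are applied to every POST, whatever page the form came from.
        public function rules(): array
        {
            return [
                'site_name' => ['required', 'string', 'max:80'],
                'password'  => ['required', 'string', 'min:12', 'confirmed'],
            ];
        }
    }
}

namespace App\Http\Controllers {
    use App\Http\Requests\StoreSetupRequest;

    class SetupController extends Controller
    {
        public function index()
        {
            return view('setup');   // the Blade form must include @csrf
        }

        public function store(StoreSetupRequest $request)
        {
            // Only validated fields reach this point; a query-string extra such
            // as ?password=1234 is never part of $data.
            $data = $request->validated();
            // ... persist $data ...
            return redirect('/')->with('status', 'Setup complete');
        }
    }
}

namespace {
    // routes/web.php: both verbs share one middleware stack, so the POST is
    // guarded even when the request never touched the GET page.
    use App\Http\Controllers\SetupController;
    use Illuminate\Support\Facades\Route;

    Route::middleware(['auth', 'can:run-setup'])->group(function () {
        Route::get('/setup',  [SetupController::class, 'index']);
        Route::post('/setup', [SetupController::class, 'store']);
    });
}
```

The route group answers the question directly: a request to POST /setup without a valid session is redirected to login before the controller runs, and one from a user without the `run-setup` ability gets a 403. The form request repeats the authorization check and adds field validation, so the POST handler stays safe even if the route file is later edited.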

Elegant/efficient means of sending email with Codeigniter and Sendgrid

I'm setting up some transactional email fun in our Codeigniter app via integrating with Sendgrid.
I've got things setup and ready to move forward with creating all of the specific transactions/emails, but I was wondering about the most efficient and/or elegant way of doing so.
It seems a bit convoluted to include the appropriate email code in each of the functions. To call a specific function from a clean and separated email controller would require me to use AJAX (so as to not cause a redirect).
Is there some way that I'm not considering currently that would help balance things, namely cleanliness and separation along with coherency and ease?
Thanks for any thoughts.
I'm not sure about the specifics of your application structure, but you could always create a model function and call that from the functions in your controller.
CodeIgniter also comes with some built-in functionality to help you send emails, specifically setting some of your email settings in a config file so you don't have to rewrite that: http://ellislab.com/codeigniter/user-guide/libraries/email.html
I actually wrote a blog post about this not too terribly long ago. Have a look at this:
http://blog.sendgrid.com/using-sendgrid-with-php-codeigniter/
Essentially, CodeIgniter comes with an awesome email library that makes it easy to send stuff over SMTP, so I just show you how to hook into that.
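The two answers together suggest a config file for the SMTP settings and a single model through which controllers send mail. The following is an added example and not the blog post's code; it assumes CodeIgniter 3, SendGrid's SMTP relay (host `smtp.sendgrid.net`, user name `apikey`, the API key as password), an environment variable named `SENDGRID_API_KEY`, and a sender address and view directory chosen for the example.

```php
<?php
// application/config/email.php (added example; CodeIgniter 3 assumed).
// The API key is read from the environment so it never lands in source control.
$config['protocol']    = 'smtp';
$config['smtp_host']   = 'smtp.sendgrid.net';
$config['smtp_port']   = 587;
$config['smtp_crypto'] = 'tls';
$config['smtp_user']   = 'apikey';                       // literal user name for SendGrid SMTP
$config['smtp_pass']   = getenv('SENDGRID_API_KEY') ?: ''; // assumed env var name
$config['mailtype']    = 'html';
$config['charset']     = 'utf-8';
$config['newline']     = "\r\n";

// application/models/Mailer_model.php: one place for every transactional mail.
// Controllers call $this->mailer_model->send_template(...) instead of repeating
// the email code, and no AJAX round trip is needed.
class Mailer_model extends CI_Model
{
    public function send_template($to, $subject, $view, array $data = [])
    {
        // The library reads application/config/email.php on load.
        $this->load->library('email');
        $this->email->from('no-reply@example.com', 'Example App');   // assumed sender
        $this->email->to($to);
        $this->email->subject($subject);
        // Body rendered from a view under application/views/emails/; values that
        // came from users must be escaped in the view (html_escape()).
        $this->email->message($this->load->view('emails/' . $view, $data, TRUE));

        if ( ! $this->email->send()) {
            // Log headers only; the body may contain personal data.
            log_message('error', 'Mail to ' . $to . ' failed: ' . $this->email->print_debugger(['headers']));
            return FALSE;
        }
        return TRUE;
    }
}
```

Because the transport settings live in the config file and the sending logic in the model, adding a new transactional email is a matter of writing a view and calling `send_template()` from the controller that triggers it.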

Why use MVC/router

I'm trying to comprehend the concept behind MVC and URL routing. I understand that it's good to separate your code, hence MVC, but I fail to understand the idea behind the URL router!
Instead of having a lot of rewrite rules in htaccess, I send all traffic to router.php, and in this page I have an array with page URLs and their corresponding PHP controllers.
To keep it simple, I just include the controller, where the output finally is generated; however, having seen lots of other practices, I'm afraid that I'm doing something wrong, or bad in some way.
Can someone please enlighten me on how to do a good but simple URL router? Is it okay just to include the controller, which then generates the output? Perhaps someone has some information that describes the subject in detail (something understandable for a beginner)?
Thanks in advance
There are lots of ways to do URL routing. Some are client side, like with backbone.js; others are server side. Doing it with .htaccess is one way; another is the way you are doing it, by having a prerequisite path that is either a hard path or a regular expression that you parse to figure out where to send it. None of them are 100% right or 100% wrong, it's all preference, and it sounds like you are doing just fine with a route file.
For more information on how different frameworks do routing, you should read over the routing docs for the CodeIgniter and Symfony frameworks to see 2 different styles of server-side routing, and then maybe look at the backbone.js framework for client-side routing just to see the similarities and differences.
The router in the MVC concept decides which controller it has to load when a user requests a page. E.g. a user requests example.com/something/very/important; the router would now look for an action which is mapped to this route and execute it. There are different ways to accomplish that (simple include, instantiating a class and running a method, etc.), but the most simple and still powerful solution I came up with is creating a separate class for every action. I've written a little article on that matter, since I've been asked this question several times; you can have a look at it here: Writing a simple and fast mvc router with PHP
The ASP.NET Routing module is responsible for mapping incoming browser requests to particular MVC controller actions.
Routing is a pattern matching system that monitors the incoming request and figures out what to do with it. At runtime, the Routing engine uses the Route table to match the incoming request's URL pattern against the URL patterns defined in the Route table. You can register one or more URL patterns in the Route table at the Application_Start event.
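The route-table idea described in the answers above (a fixed table matched against the request path, which then selects a controller) can be written in a few dozen lines of plain PHP. This is an added example, not code from any of the answers or from the linked article; it assumes a single rewrite rule sends every request to this file, and the controller classes and route patterns are constructed for the demonstration. The security-relevant design point it shows is that the controller name always comes from the table, never from the URL, so the "just include the controller" approach cannot be steered to an unexpected file.

```php
<?php
// Minimal front-controller router (added example, assumptions in the lead-in).
declare(strict_types=1);

// Route table: anchored regex => [controller class, method]. Named groups
// become the action's arguments, already constrained by the pattern.
const ROUTES = [
    '~^/$~'                                 => ['HomeController', 'index'],
    '~^/posts$~'                            => ['PostController', 'index'],
    '~^/posts/(?P<id>[0-9]{1,9})$~'         => ['PostController', 'show'],
    '~^/users/(?P<name>[a-z0-9_-]{1,32})$~' => ['UserController', 'profile'],
];

function dispatch(string $uri): string
{
    // Only the path takes part in matching; the query string is ignored here.
    $path = parse_url($uri, PHP_URL_PATH);
    $path = is_string($path) ? rawurldecode($path) : '/';

    foreach (ROUTES as $pattern => [$class, $method]) {
        if (preg_match($pattern, $path, $m) === 1) {
            // $class and $method come from the table, never from the request,
            // so loading the controller (e.g. require __DIR__ . "/controllers/$class.php")
            // could not be pointed at an arbitrary file.
            $args = array_filter($m, 'is_string', ARRAY_FILTER_USE_KEY); // named groups only
            return (new $class())->$method(...array_values($args));
        }
    }
    http_response_code(404);
    return 'Not found';
}

// Constructed controllers so the file runs on its own.
class HomeController
{
    public function index(): string { return 'home'; }
}
class PostController
{
    public function index(): string { return 'posts'; }
    public function show(string $id): string { return 'post ' . (int) $id; }
}
class UserController
{
    public function profile(string $name): string { return 'user ' . htmlspecialchars($name); }
}

echo dispatch($_SERVER['REQUEST_URI'] ?? '/');
```

Any path not in the table gets a 404 before any controller code runs, and the capture groups double as input validation: `show()` only ever receives a short string of digits, and `profile()` only a short lower-case name.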

ASP.Net MVC3 webapplication directory structure

I am moving our current ASP.NET website to an MVC3 project and am very new to MVC. Currently we have 2-level authorization for a superadmin and an admin. Both these levels of authorization get directed to a menu where there are some common and some different pages which they each access. I was wondering how I could structure it such that there will be minimum duplication of controller logic with URLs like:
myURL/SuperAdmin
myURL/SuperAdmin/Users
myURL/SuperAdmin/Users/UserId
Similarly for Admin.
For the above kind of URL I may have to duplicate the controller code (for the Users view) in the SuperAdmin as well as the Admin controllers, as both of these access the Users view. I would like to avoid this, but have the same URL. We are making use of the existing business layer entity framework (stored procedures) and not using any LinqToSql. Can I use named routing for this? If so, how? I hope I am making myself clear.
Can someone please help? Any ideas and suggestions will be greatly appreciated.
Thanks,
sdd
I'm not entirely clear on this. If you think you will have code duplication, then move that code into common classes that multiple controllers will access. Sure, you can have multiple routes point you to the same controller/action methods (if that's what you meant), but I recommend you don't have multiple URIs (excluding varying parameters) that go into the same controller method. It makes your app a bit hard to follow.
