Hide URL parameters

(9 posts) (2 voices)
  • Started by ken@pesttrend.com
  • Latest reply from ken@pesttrend.com
  1. ken@pesttrend.com, Member

    I am generating a drill through report. The drill through report is presented on a new page.

    Here is my code

    select 'dbr.url', 'http://localhost/pesttrend/PDF_report.php?reportname=mydbr_station_type_chart&reporttype=onscreen&selectedcompanyid=[Companyid]', '[Companyname]', 'new_window', 'http_method=post';

    I don't want to show the parameters such as "selectedcompanyid" in the url and thought I would use 'http_method=post' but parameters are still showing in the URL.

    Can you please show me an example of how I hide the parameters in the URL.

  2. myDBR Team, Key Master

    The file "PDF_report.php" is your own application's code?

    First of all, is it able to handle parameters via POST?

    The 'http_method=post' is meant for myDBR reports which need to send large amounts of data (greater than what browsers allow in GET), not really meant to post forms to external code.

    If your application allows use of POST, you can do that with JavaScript, but if you are just trying to hide things from URL for security, note that the POST does not really change things.
    --
    myDBR Team

  3. ken@pesttrend.com, Member

    Thanks for the reply. Yes the file PDF_report.php is my application file and yes it can handle parameters via POST (this is how it is done in the old system I am looking to replace with myDBR).

    Looks like JavaScript is the way to do this. Can you point me in the direction of an example using JavaScript passing parameters via POST?

  4. myDBR Team, Key Master

    You could do something like:

    select 'dbr.colclass', 'Companyname', 'name';
    select 'dbr.colclass', 'Companyid', 'id';
    select 'dbr.colstyle', 'Companyname', '[cursor:pointer]';

    select 1 as Companyid, 'Company 1' as Companyname
    union
    select 2, 'Company 2';

    select 'dbr.javascript', '
    // Clicking a company name posts the parameters to PDF_report.php
    // and shows the returned page in a new window.
    $(document).on("click", ".name", function() {
      $.post("http://localhost/pesttrend/PDF_report.php",
        {
          reportname: "mydbr_station_type_chart",
          reporttype: "onscreen",
          selectedcompanyid: $(this).closest("tr").find(".id").text()
        },
        function(data) {
          var w = window.open("about:blank");
          if (w == null) {
            alert("Window opening blocked by browser");
          } else {
            w.document.open();
            w.document.write(data);
            w.document.close();
          }
        }).fail(function() {
          alert("Cannot access the page");
        });
    });
    ', 'onload';

  5. ken@pesttrend.com, Member

    Thank you very much for that, I really appreciate the example. I will give that a go.

  6. myDBR Team, Key Master

    Note that you should use POST only when you intend to change things. It is not a "security replacement" of a GET.

    --
    myDBR Team

  7. ken@pesttrend.com, Member

    I would use GET but the problem I see is that having the parameter in the URL it is an easy step to change the number and view someone else's data, i.e. if the selectedcompanyid is 45 and it clearly says that in the URL you just have to change 45 to 46 and reload the page and now you see the data for company 46.

    By channeling the parameters via POST at least they were not visible.

    If there is a more secure approach then I'm open to suggestions.

  8. myDBR Team, Key Master

    Using POST for "security" is not something you should do. Using POST does not make the request any safer (one can also change the POST parameters) and POST is not a replacement for GET. POST is intended for changing things.

    To secure the URL from user changes, you can calculate a hash value from the parameters you wish to protect. Take a look how myDBR does the same thing.

    --
    myDBR Team

  9. ken@pesttrend.com, Member

    Perfect. That's what I was missing. Thanks for all your help. So far I'm very impressed with the product and the supporting forum. Keep up the good work.
