accessing editor.php to add a variable to the WHERE clause

accessing editor.php to add a variable to the WHERE clause

fapworx_gmailfapworx_gmail Posts: 7Questions: 0Answers: 0
edited November 2012 in Editor
Hi All
Ok, I now mastered the WHERE statement in the Datatables server_processing.php
I can open a new table, in a new page or new browser window with something like this:
[code]filter_server_side_f.php?field=$_GET["field"][/code]

To do this, I changed the html extention to php so I can pass whatever values I want to this page using:
Hi All
Ok, I now mastered the WHERE statement in the Datatables server_processing.php
I can open a new table, in a new page or new browser window with something like this:
[code]filter_server_side_f.php?field=$_GET["field"][/code]

To do this, I changed the html extention to php so I can pass whatever values I want to this page using:
[code].../serverpage.php?field=$value[/code]
so on the html(now php) page, I wouls have
[code]"ajaxUrl": "php/browsers3t.php?stage=\"$stage\"",[/code]

on the server side page, it looks like this:
[code]
$sQuery = "
SELECT SQL_CALC_FOUND_ROWS id, ".str_replace(" , ", " ", implode(", ", $aColumns))."
FROM $sTable
WHERE stage = '" . $_GET['stage'] . "'
$sOrder
$sLimit
";
[/code]
I could then draw a table displaying only the required data (filtered).
I got that part to work very well for me.
However, it is still a 2 phase action. How can I shorten this to get to the Editor direct from my GET link
I noted that it is possible to assign a field/value to the WHERE close in Editor.php
here is the thread:
[quote]http://datatables.net/forums/discussion/11398/where-using-editor/p1[/quote]


here is my question:
because DT uses aliases for Editor.php, how can I pass a value to that specific section in editor.php:
I would like to do this:
[code]$query->where( "stage", "$stage" );[/code]

where $stage is past on from the url specified in my html(now php) page

I hope that makes some sense to someone?

Replies

  • allanallan Posts: 63,489Questions: 1Answers: 10,470 Site admin
    So basically you are replacing the server-side processing script with the Editor scripts - is that correct? Your Editor `where` looks like it should be okay. Perhaps you can post the full file? (unless it is hundred of lines long!)

    Allan
  • fapworx_gmailfapworx_gmail Posts: 7Questions: 0Answers: 0
    Hi Allan

    What I'm trying to do is to load the $stage variable dynamicaly from a set url As:

    www.mypage.php?stage=somestage
    or even better,
    www.mypage.php?stage=$somestage
    I could then assign $somestage from where ever I want.
    passing this to the basic serverside processing page is easy
    but with Editor, there's an alias in between mypage.php and Editor.php
    [code]use
    DataTables\Editor,
    [/code]
    Or I'm not looking at the right place.
    if I hardcode the where statement in editor.php like this:
    [code]$query->where( "stage", "Glade" );[/code]

    it works but I then limited myself to just the "Glade " stage.
    In festivals like Glastonbury, that would be pretty laim if they only had one stage :-)
  • allanallan Posts: 63,489Questions: 1Answers: 10,470 Site admin
    I see - so you want to pass it through from the browser to the PHP script? The `ajaxUrl` parameter could be used for that = add your extra parameter as a GET string: `ajaxUrl: "/myLoader.php?stage="+...` where the `...` is your GET parameter for the master page - you could get that using `window.location` or a little bit of PHP. When in your Editor script you can access it using `$_GET['stage']` .

    I would say that the risk with that method is that it is a wide open security hole. All the user needs to do is change the GET parameter and they might be able to access something you perhaps didn't indeed for them to?

    Allan
  • fapworx_gmailfapworx_gmail Posts: 7Questions: 0Answers: 0
    Thanks Allan

    This has always been a problem so i catered for this by creating a unique reference by doing an md5 on a collection of data that is concatenated and then md5(). I then use this unique reference for public use.
    i should add that none of the tables are for public use but only for admin.
    To sum up, the id field from the table is only used by DT. Anything else uses a generated string that looks like this:

    58a2f895be5b0665ffped522951c68f0

    ...still having a go...
  • fapworx_gmailfapworx_gmail Posts: 7Questions: 0Answers: 0
    I found a way to pass a GET or POST variable to Editor so I can get a filtered table the way I need to see it but in a CRUD mode.
    I know it can be a security thing but for my app, that's all i need.

    so I edited my table init so it says:

    [code]
    $('#example').dataTable( {
    "sDom": "lTrtip",
    "aLengthMenu": [[5, 10, 25, 50, -1], [5, 10, 25, 50, "All"]],
    "sAjaxSource": "../my_serverside_php_file.php",
    "oSearch":{
    "sSearch":"<?php echo $__GET["$"]; ?>", //This could be a POST or a JS var just the same
    "bRegex": false,
    "bSmart": false }, [/code]

    This table, in my project will be called from a specific link from my base table and filterd accordingly.
    so I would call my table with:
    [code]
    .../my_table_file.php?my_get_var=my-get-var-value"
    [/code]


    Also, because the called table will be in a modal, I removed the search input field so all that table will show is the filtered data without allowing the user to change the filtration but still accessing the CRUD
    I also found that if i just suppress the POST or GET value or theres no value present like
    [code]
    .../my_table_file.php?my_get_var="
    [/code]


    The table will display all.

    That works for me.
    I know its a work around for a specific need but hey! ...still worx

    I mean, there was always The column filter plug-in but for this instance, I didn't want that.
  • allanallan Posts: 63,489Questions: 1Answers: 10,470 Site admin
    > I know its a work around for a specific need but hey!

    Doesn't that also apply for every line of software ever written? ;-)

    Good to hear you got it working as you need!

    Allan
This discussion has been closed.