How To Securely Implement Sorting & Filtering - Build Expense Tracker App With PHP 8
- Published: 5 Jun 2024
- In this video we add sorting & filtering as well as discuss possible SQL injection when trying to sort by a column that comes from the request.
SOME OF THE WAYS YOU CAN SUPPORT THE CHANNEL
👍 Smash the like button
🤝 Subscribe to the channel & turn the notifications on
💬 Post comments, any feedback is greatly appreciated
⭐ Become a Patreon: / programwithgio
THANK YOU!
🛠️ TOOLS & SERVICES I USE
Digital Ocean Hosting - Get 100$ credit - m.do.co/c/38b935ad74e5
Domains on Namecheap - namecheap.pxf.io/rnRjdQ
Envato Elements - 1.envato.market/c/2937311/298...
LESSON P.18
Starting Source Code - github.com/ggelashvili/expenn...
Ending Source Code - github.com/ggelashvili/expenn...
Course Outline - github.com/ggelashvili/learnp...
Course Playlist - • Learn PHP The Right Wa...
TABLE OF CONTENTS
00:00 - Implement Sorting
03:32 - SQL Injection
06:21 - Implement Filtering
09:29 - Refactoring
13:59 - Exercise
** Affiliate Disclaimer: Some of the above links may be affiliate links, which may generate me a sales commission at no additional cost to you.
I've finished watching all videos.
So great and practical.
I wanted to ask to create about vagrant and PHP, if it's possible.
Thanks a lot.
Thank you & thanks for the suggestion 💙🙌
Thanks a lot Gio. I'll get to it
You're welcome 🙌
Hi Gio. Amazing video. I've been working on applying the transactions input, tables and all. It's been fun but I'm stuck. It's been tough debugging it. I've not been able to var_dump to see why I'm getting errors. I've however traced my challenge to my create function. Can't seem to save transactions. The Ajax request is hitting the right route with the proper payload but it fails at the create function. I don't feel very smart right now. Lol. Maybe I'll send you some screenshots, perhaps if you can spare a little time to look at it. Thanks a lot Gio for these amazing lessons.
That's ok, send me the screenshots and I'll help troubleshoot. Check error log to see if there are any errors.
Hello Gio, thanks for the amazing content. When trying sorting there is a simple console error! Is it okay to use an else if (deleteBtn) in the categories.js so that it ignores those clicks on the table sorting? Thank you very much
Yea you can do that
Hey, please upload other videos too once in a while, except this expense tracker app for those of us who are not following the series. Thanks
Expense Tracker is part of the PHP series & my current focus is this project so that I can finish the PHP series. Unfortunately I don't have a lot of free time to record, edit & publish multiple types of videos. Once the PHP series is over then I'll have more time.
Great bro thanks for sharing your knowledge put more videos asap
Trying my best 🙌
Hey, Gio, will you do some videos about Laravel or Symfony in the future?
Yes, I'll be doing Laravel after
@ProgramWithGio that is awesome!
Hey Gio. We used $orderBy = $params['columns'][$params['order'][0]['column']]['data'] and the $params['order'][0]['column'] is the query parameter. What are the perspectives of an attacker to break into the code by juggling with single or double quotes in this case?
Hey, I explain it at 3:33 - SQL Injection. That's why we have an array of allowed columns & filter it
@ProgramWithGio I apologize if my question was not clear. My point was that we are executing
$orderBy = $params['columns'][$params['order'][0]['column']]['data']
inside of
$params = $this->requestService->getDataTableQueryParams($request);
before it reaches the code which checks the column is in allowed list which is:
$categories = $this->categoryService->getPaginatedCategories($params);
So basically, I think we are using the query parameter without any validation by creating $orderBy value. If the user changes `order[0]['column']` to a value that contains a quote like (99") then it may break the code.
But we are not executing it, we are just preparing a DTO class with values. It wouldn't break it. You can give it a try
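The allow-list check this exchange is about, as an added example that is not the course's own code: it assumes the DataTables parameter shape quoted above (`columns[i]['data']`, `order[0]['column']`, `order[0]['dir']`) and uses hypothetical column and function names.

```php
<?php
declare(strict_types=1);

// Added example, not the course's code. Column names and function names are
// hypothetical; the parameter shape follows DataTables' request format.

/**
 * Resolve the requested sort column and direction to values taken from our own
 * allow-lists, so nothing from the request is ever concatenated into SQL.
 *
 * @param array<string,mixed> $params  decoded query parameters
 * @param string[]            $allowed columns the UI may sort by
 * @return array{string,string}        [column, direction]
 */
function resolveSort(array $params, array $allowed, string $default = 'createdAt'): array
{
    // The index into the submitted column list is user-controlled: cast it and
    // look it up defensively instead of trusting it as an array key.
    $index  = (int) ($params['order'][0]['column'] ?? -1);
    $column = $params['columns'][$index]['data'] ?? $default;

    // The name itself also came from the request; it is only usable if it is
    // exactly (strict comparison) one of the names we know.
    if (! in_array($column, $allowed, true)) {
        $column = $default;
    }

    // Direction collapses to one of two literals we control.
    $dir       = strtolower((string) ($params['order'][0]['dir'] ?? 'asc'));
    $direction = $dir === 'desc' ? 'DESC' : 'ASC';

    return [$column, $direction];
}

function categoriesQuery(array $params): string
{
    [$column, $direction] = resolveSort($params, ['name', 'createdAt', 'updatedAt']);

    // Both parts are now our own literals; any WHERE values would still be
    // bound with PDO placeholders rather than interpolated.
    return sprintf('SELECT id, name FROM categories ORDER BY `%s` %s', $column, $direction);
}

// Constructed request resembling the 99" case raised in the thread: the index
// does not point at a real entry, so the sort falls back to the default column.
$request = [
    'columns' => [['data' => 'name'], ['data' => 'not_a_real_column']],
    'order'   => [['column' => '99"', 'dir' => 'desc']],
];
echo categoriesQuery($request), PHP_EOL;
```

Because the DTO only carries the raw string and the allow-list check runs before the query is built, a stray quote in `order[0]['column']` never reaches the database.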
How to contact you gio? Any social media handle? Discord? And do u plan to make course on other languages as well after this php series?
If you go to the channel about page you will see my social links. I'm mostly active on Twitter (GioDev8).
After this series I'll be working on Laravel content
been kinda quiet lately....
Yea sometimes I don't get enough free time to record unfortunately 😔