Server-side script PHP-OO

jonatan  Posts: 2  Questions: 0  Answers: 0
edited March 2011 in General
Allan, congrats for this great plugin. I'm using it in all my projects.
I've written a PHP class to deal with the server-side manipulation (database select, parsing, etc.). It takes the parameters passed by the DataTables plugin (like the column names and the number of results per page) and builds the queries to the database automatically, so you don't need to change anything.

When you need to modify some behavior, for example, use SQL Joins or process the results, all you have to do is override the functions in your controller class.

I hope it can be useful for someone! Also, it would be nice if you put this class in the server-side scripts section, so anyone can easily find it.

Here is the project link:
http://code.google.com/p/datatables-serverside-php-oo/

Replies

  • allan  Posts: 63,761  Questions: 1  Answers: 10,510  Site admin
    Very cool - I like this :-) Thanks for taking the time to create your script and sharing it with us. I'll get it up on the server-side processing scripts page (although I'm a little stretched at the moment, so it might not be for a little while - sorry).

    A couple of things strike me about the script:

    1. I think there is an SQL injection attack possible with sColumns since that isn't escaped
    2. I quite like the idea of using sColumns, as it does make installation easier, however I've tended to avoid it myself because it would make reading information from the database that you perhaps shouldn't be able to trivial (just change the column name in Javascript).

    I really like the OO approach you've taken. I've just made a change that will be released as part of DataTables 1.8 which would really benefit from this (deferred loading of server-side data). So thanks :-)

    Regards,
    Allan
  • jonatan  Posts: 2  Questions: 0  Answers: 0
    Thanks for your interest!

    Indeed, relying on the aoColumns parameter to make the select on the database allows the user to retrieve information from other columns. I just included an option in the script to avoid that! The getTableData() function now accepts a 3rd parameter that takes the column names. This way the user can't change the columns on the client side.

    I also added escaping and verification to the sColumns parameter and a new function (fnCheckAuthorization) that allows you to check whether the user is authenticated to access the table data. By default, it always returns true, but that can be overridden in your Controller class.
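The following is an added example illustrating the two points raised in the thread (SQL injection through an unescaped sColumns, and a client being able to read any column just by renaming it in JavaScript) together with the fixes jonatan describes (a server-side column list and an authorization hook). It is not code from the datatables-serverside-php-oo project; the class and method names are hypothetical stand-ins, and it assumes PHP 7.4+, a PDO connection to MySQL, and the DataTables 1.x legacy request parameter names (sEcho, sColumns, sSearch, iSortCol_0, sSortDir_0, iDisplayStart, iDisplayLength).

```php
<?php
// Added example, not the project's own code. Column names from the client
// are only ever matched against a server-side allowlist, and every value
// (search text, offset, page length) travels as a bound parameter, so the
// request can neither inject SQL nor select a column the server did not
// intend to expose.

class SafeServerSide
{
    private PDO $db;
    private string $table;
    /** @var string[] columns the server allows the client to see, in display order */
    private array $allowed;

    public function __construct(PDO $db, string $table, array $allowedColumns)
    {
        // Identifiers are the one thing PDO cannot bind, so they are validated
        // by shape here and never taken from the request.
        foreach (array_merge([$table], $allowedColumns) as $ident) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
                throw new InvalidArgumentException("bad identifier: $ident");
            }
        }
        $this->db = $db;
        $this->table = $table;
        $this->allowed = array_values($allowedColumns);
    }

    /** Override in a controller subclass to enforce access control (hypothetical hook). */
    protected function checkAuthorization(): bool
    {
        return true;
    }

    /** sColumns is honoured only if every name is in the allowlist; otherwise the request is rejected. */
    private function requestedColumns(array $req): array
    {
        if (empty($req['sColumns'])) {
            return $this->allowed;
        }
        $cols = array_values(array_filter(array_map('trim', explode(',', $req['sColumns']))));
        foreach ($cols as $c) {
            if (!in_array($c, $this->allowed, true)) {
                throw new InvalidArgumentException("column not permitted: $c");
            }
        }
        return $cols;
    }

    /** Builds the filtered/sorted/paged query. Returns [sql, boundParams]. */
    public function buildQuery(array $req): array
    {
        $cols = $this->requestedColumns($req);
        $sql = 'SELECT ' . implode(', ', array_map(fn($c) => "`$c`", $cols)) . " FROM `{$this->table}`";
        $params = [];

        $search = isset($req['sSearch']) ? (string) $req['sSearch'] : '';
        if ($search !== '') {
            $like = [];
            foreach ($cols as $i => $c) {
                $like[] = "`$c` LIKE :s$i";
                $params[":s$i"] = '%' . $search . '%';
            }
            $sql .= ' WHERE ' . implode(' OR ', $like);
        }

        // The sort column arrives as an index and is resolved against the
        // allowlist, so the client never names a column in ORDER BY.
        if (isset($req['iSortCol_0'])) {
            $idx = (int) $req['iSortCol_0'];
            if ($idx >= 0 && $idx < count($cols)) {
                $dir = (strtolower((string) ($req['sSortDir_0'] ?? 'asc')) === 'desc') ? 'DESC' : 'ASC';
                $sql .= " ORDER BY `{$cols[$idx]}` $dir";
            }
        }

        $start = max(0, (int) ($req['iDisplayStart'] ?? 0));
        $length = (int) ($req['iDisplayLength'] ?? 10);
        if ($length > 0) {
            $sql .= ' LIMIT :start, :length';
            $params[':start'] = $start;
            $params[':length'] = $length;
        }
        return [$sql, $params];
    }

    /** Runs the query and returns the legacy DataTables response shape (totals omitted for brevity). */
    public function getTableData(array $req): array
    {
        $echo = (int) ($req['sEcho'] ?? 0); // cast so the echoed value cannot carry markup
        if (!$this->checkAuthorization()) {
            http_response_code(403);
            return ['sEcho' => $echo, 'aaData' => []];
        }
        [$sql, $params] = $this->buildQuery($req);
        $stmt = $this->db->prepare($sql);
        foreach ($params as $k => $v) {
            // LIMIT operands must be bound as integers or MySQL rejects the quoted value.
            $stmt->bindValue($k, $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
        }
        $stmt->execute();
        return ['sEcho' => $echo, 'aaData' => $stmt->fetchAll(PDO::FETCH_NUM)];
    }
}

// Usage (constructed): the allowlist is fixed on the server, so a client that
// edits sColumns in JavaScript to add "password_hash" gets an exception, not data.
// $ss = new SafeServerSide($pdo, 'users', ['id', 'username', 'created_at']);
// echo json_encode($ss->getTableData($_GET));
```

A controller that needs joins or post-processing would subclass this and override buildQuery or getTableData, in the spirit of the OO design discussed above; the allowlist check in requestedColumns and the bound parameters are the parts that should stay untouched in any override, since they are what closes the two holes Allan pointed out.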