0

I'm building a webpage that allows a user to choose a theme for it. How can I build that based on this suggestion (I have to use SESSION): 

<link rel="stylesheet" type="text/css" href="<?php echo $_SESSION['style']?>" />

I've try to make table named 'theme' on mysql database like this:

    id | th_name | link    
    1  | blue    | style.css
    2  | back    | black.css
    3  | pink    | pink.css
.................

And my code (not work):

<?php       

        echo "<form>";
        echo "<select>";
        $sql = "select * from theme";
        foreach ($dbh->query($sql) as $row)
        {
?>
<option value="<?php $row['link'] ?>"><?php echo $row['th_name'] ?></option>

<?php
        }
        echo "</select>";
        echo "</form>";
?>

The 1st code is the key. Do you have any solution for this? (using jquery or something....?)

aynber
  • 22,380
  • 8
  • 50
  • 63
surisava
  • 181
  • 2
  • 4
  • 11

2 Answers2

1

You could do it the way that you showed above, but for security's sake you would probably want to do it a little different (your way would allow significant opportunity for XSS).

Essentially, you will need to set the $_SESSION global variable to have the style, and that should come directly from the database. If it were me, I would do this:

<?php       
    echo "<form>";
    echo "<select name=\"theme\" id=\"select-theme\">";
    $sql = "select * from theme";
    foreach ($dbh->query($sql) as $row)
    {
?>
<option value="<?php $row['id'] ?>"><?php echo $row['th_name'] ?></option>
<?php
    }
    echo "</select>";
    echo "</form>";
?>

Then, on your postback script, do this:

<?php
if (isset($_POST['theme']) {
    // Perform query here to get the link's file, using PDO - watch out for XSS

    // Note - you may have to call session_start()
    // depending on your php.ini's settings
    $_SESSION['style'] = $link;
}

If you are wanting to do this on the fly with jQuery, you can see the information here: How do I switch my CSS stylesheet using jQuery?

In addition, you would want to persist your changes like this:

<script type="text/javascript">
    $("#select-theme").on("change", function() {
    $.post({
        url:'yoururl.php',
        data: { 
            theme: $(this).find("option:selected").value() 
        });
    });

Community
  • 1
  • 1
Joseph at SwiftOtter
  • 4,276
  • 5
  • 37
  • 55
  • you and I were writing the same answer at the same time, thus, I don't need to post it here. No downvote required. – Sithu Dec 22 '12 at 03:29
  • What would be XSS prevent in your code? I could not see any difference yours and mine. – Sithu Dec 22 '12 at 03:31
  • I've tried the php but it not work, if I use your jQuery, what should my tag – surisava Dec 22 '12 at 04:15
1

Why would you want to use mysql database? You can give a variable the same name css file. And use cookies. This is an implementation example

Just be careful to secure it well!

Damonsson
  • 1,532
  • 14
  • 25
  • The link you provided doesn't work. Also, you open yourself up majorly for XSS with this implementation. If you use the database, you are much more assured that all data is coming from a "clean" location. – Joseph at SwiftOtter Dec 22 '12 at 03:21
  • Link worked. And this is first google link only showing implementation this. Using database for change css style is doing unnecessary things. The key is cookies. – Damonsson Dec 22 '12 at 03:24
  • OK. It must have been a fluke. But still, that code is vulnerable. Using a database in my opinion prevents this from happening. – Joseph at SwiftOtter Dec 22 '12 at 03:27
  • As you can see above written "Just be careful to secure it well!". From XSS vulnerability in this case, to use it for evil purposes is a long way to go. – Damonsson Dec 22 '12 at 03:30
  • 1
    @JMax you don't need to use a database just to ensure the data came from a "clean" location. The information could come from a flat file or the `$_SESSION`/`$_COOKIE` variable could be compared against a directory of CSS files. Involving the DB is a little unnecessary. – cimmanon Dec 22 '12 at 03:43