Difficulty with nginx rewrite syntax - php

I need to extract 3 input parameters (in this example a=test, b=sell, c=12536) from the following URL
/property-test-sell-12536
and pass them to the PHP file as $_GET parameters. Inside the PHP file I want to access these parameters as $_GET['a'], $_GET['b'], $_GET['c'].
I researched Google about this issue. Is it possible to use only NGINX for this purpose or should I do it inside PHP file?

Input arguments are defined as ?index=value&anotherIndex=anotherValue and so forth, for example: https://example.com/search.php?query=How+to+google&lang=en
PHP will then have the variables named as the appropriate index ($_GET['index'] will return you the value).
If you'd like to have routes like example.com/shoes/5/seller then you'd need to code a custom PHP function which trims the URL and looks for strings and then stores them in an appropriate variable, probably using a regex and preg_match. Though, be careful about security as these can be rather vulnerable to things like SQL injections and server-side code execution vulnerabilities.
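A sketch of the PHP-side parsing described above, for the /property-test-sell-12536 URL from the question. This is an added example, not code from the answer; the function name parsePropertyRoute and the character rules chosen for a, b and c are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Parse a pretty URL of the form /property-<a>-<b>-<c> into typed parameters.
 * Returns null for anything that does not match the expected shape exactly.
 * (parsePropertyRoute and its rules for a, b, c are assumptions for this example.)
 */
function parsePropertyRoute(string $requestUri): ?array
{
    // Use only the path; a query string or fragment must not reach the pattern.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }

    // \A and \z anchor the whole string (unlike $, \z does not allow a trailing newline).
    // a, b: lowercase letters only; c: 1 to 9 digits without a leading zero.
    $pattern = '~\A/property-([a-z]{1,32})-([a-z]{1,32})-([1-9][0-9]{0,8})\z~';
    if (preg_match($pattern, $path, $m) !== 1) {
        return null;
    }

    return ['a' => $m[1], 'b' => $m[2], 'c' => (int) $m[3]];
}

// Constructed sample inputs.
$samples = [
    '/property-test-sell-12536',
    '/property-test-sell-12536?c=1',
    '/property-test-sell-12536%27',
    '/property-test-sell-1%20OR%201=1',
    '/property-../etc-sell-1',
];

foreach ($samples as $uri) {
    $params = parsePropertyRoute($uri);
    echo str_pad($uri, 36), ' => ', $params === null ? 'rejected (404)' : json_encode($params), PHP_EOL;
}
```

Because the pattern is an anchored allow-list, the values it returns contain only letters or an integer; they still need a prepared statement or output escaping wherever they are used later.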

Related

How to insert in .php?id= in my php code

Please, I am new to programming.
Please sir, I have been seeing this in many PHP files: .php?id=3
But I don't understand how it works or how to put it in my code.
This is called the query string, it's a way of passing parameters to your page.
You can access them in the php using the $_GET superglobal like so:
var_dump( $_GET['id'] );
Tips for using query string variables:
Check it is set before trying to use it: isset($_GET['id']) because you can't be sure it will be there.
This is "user input" and so you should not trust it implicitly. Whatever you do with user input you should use the appropriate security mechanism to sanitize it to prevent vulnerabilities.
If you generate a link with dynamic query string variables then be sure to use URL encoding/Percent encoding which can be done with urlencode().

Checking for vulnerabilities including remote file, with parameter, in PHP script

I'm including a remote file with file_get_contents() like so:
function checkData($serial) {
    file_get_contents("http://example.com/page.php?somevar=".$serial."&check=1");
    return $http_response_header;
}
This remote page performs some basic data manipulation, and looks up the serial number in a database (The input is sanitised and I'm using PDO, so I don't have to worry about SQL injections), and then returns a value in the response header. The input $serial is a get parameter - So completely controlled by the user. I'm wondering if there are any inputs to this function that would lead to undesirable behaviour, for example getting contents of another page other than the one desired.
Thanks in advance.
If the $serial variable is always going to be numeric you can apply intval() around the value to ensure the value will always be a number and not contain other non-numeric data for path traversal / RFC, etc.
E.G.
file_get_contents("http://example.com/page.php?somevar=".intval($serial)."&check=1");
Alternatively you can use preg_replace to strip unwanted characters, should you need alpha characters also.
http://php.net/manual/en/function.preg-replace.php
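An added example (not from the question or the answer) of building that request URL so the serial cannot change which page or parameters are requested. The function name buildCheckUrl and the rule "1 to 12 digits" are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Build the URL for the remote check from an untrusted serial.
 * buildCheckUrl and the "1 to 12 digits" rule are assumptions for this example.
 */
function buildCheckUrl(string $serial): ?string
{
    // Allow-list validation: reject instead of silently rewriting the input.
    // intval('12abc') would return 12 and hide that the request was malformed.
    if (preg_match('/\A[0-9]{1,12}\z/', $serial) !== 1) {
        return null;
    }

    // http_build_query() percent-encodes every value, so characters such as
    // & # / ? can never add a parameter or change the path, even if the
    // validation rule above is loosened later.
    $query = http_build_query(
        ['somevar' => $serial, 'check' => 1],
        '',
        '&',
        PHP_QUERY_RFC3986
    );

    // Scheme, host and path are constants; only the query carries user data.
    return 'http://example.com/page.php?' . $query;
}

// Constructed inputs: one valid serial and three that try to alter the request.
foreach (['12536', '12536&check=0', '1#', "1\r\nX-Injected: 1"] as $serial) {
    $url = buildCheckUrl($serial);
    echo json_encode($serial), ' => ', $url ?? 'rejected', PHP_EOL;
}

// What the encoder alone does with a hostile value (no validation applied):
echo http_build_query(['somevar' => '12536&check=0', 'check' => 1]), PHP_EOL;
```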

PHP Difference between Input::get() and $_GET[]

What is the difference between
Input::get('value')
and this:
$_GET['value']
and when is better to use one of them?
The first line of code
input::get('value')
is some framework (perhaps Laravel 4.2) wrapper around PHP GET variables like the second line of code
$_GET['value']
which is a PHP superglobal containing the same data but in plain vanilla PHP.
So the difference is more or less syntactical, e.g. how you prefix, write the name and the parenthesis:
Prefix   Name          Parenthesis
-none-   "input::get"  ()
"$"      "_GET"        []
Next to syntactical differences, the first one is a function call while the other one reads a variable.
A function call allows to interact more, e.g. the framework can inject code to provide extra functionality in the "read" operation (returning/getting a value), like allowing to specify a default value if an input is not set, which plain vanilla PHP didn't support that well in the past (I think there will be an improvement on this in PHP 7 but can't find the RFC right now).
It's not that PHP can't deal with default values for non-existent GET variable entries, it's just some little boilerplate:
$value = isset($_GET['value']) ? $_GET['value'] : null;
Input::get() is a function from Laravel
$email = Input::get('email');
Note: The "get" method is used for all request types (GET, POST, PUT,
and DELETE), not just GET requests.
Retrieve all input from the input array:
$array = Input::get();
Retrieve all input including the $_FILES array:
$input = Input::all();
And $_GET is a superglobal variable in PHP used to get parameters from the query string.
$_GET is PHP builtin variable.
It is global static variable and has several bad qualities, especially for testing. Laravel has introduced Input::get() instead so you can easily swap the implementation.
In Laravel there should be no reason to use $_GET and use Input::get() whenever possible.
So apparently, Input::get() is from Laravel just like what @hakre said.
$_GET['value'] will parse the URL if there is a set value in it.
For example we have a url http://www.example.com/index.php?myget=value
we can use $_GET['myget'] to fetch its value like so:
echo $_GET['myget'];
// this will print "value"

In php, using GET command for same parameter multiple times and php tags

First of all, I heard some web-servers allow you to reach parameter with $a instead of $_GET[a], this is not the case here.
Anyway, I have to reach a multiple times, so instead of doing $a = $_GET[a], I instead use $_GET[a] every time. In a single PHP tag as in <?php ?>, is that an issue? Should I absolutely use variables? Does it matter?
Another thing is my PHP file is really scrambled in my HTML. I wonder if it matters with multiple gets? (It should not, I'm just worried.)
Thanks.
What you refer to, using just $a instead of $_GET['a'] (or $_POST['a'] too), is an old feature known as register_globals. This feature was dangerous and led to messy code, so it was considered deprecated in PHP 5.3 and finally removed in PHP 5.4.
Then, using $_GET['a'] everywhere in your scripts may lead to problems, because you should never trust user input (all things coming from $_GET, $_POST, $_REQUEST, $_COOKIE and some from $_FILES or $_SERVER). It is recommended to do something like $a = sanitize($_GET['a']); (the sanitize function does not exist; depending on what type of value you are expecting, you should check that what you get is an integer, or a valid date, or whatever, depending on your needs). From now on you should stop referencing $_GET['a'] and use instead the new sanitized variable you have just created, $a. Because if you were always using $_GET['a'], chances are that you would forget to sanitize it someplace.
Also, before sending this sanitized variable into a SQL query, you should escape it or use it inside a prepared statement to avoid SQL injections. Before outputting it to an html for the user to see, use htmlspecialchars to avoid XSS attacks.
And finally, about having multiple PHP blocks mixed with HTML blocks, this is only bad for maintenance reasons, because in the long run it will be a complete mess. Try to separate the HTML you send the user from the PHP code. Try to read something about the MVC pattern (Model-View-Controller) (this link is probably too complicated, or maybe you don't see the utility right now as you are just beginning with PHP (at least I didn't see how it was way better than mixing HTML with PHP, for all the complexity needed), but try to grasp the idea behind it).
First of all, I heard some web-servers allow you to reach parameter with $a instead of $_GET[a], this is not the case here.
This is a PHP config setting called register_globals. It is insecure and should NOT be used. See this question for more information.
You can access an element in the $_GET array as many times as you like, it will not cause problems. However if you are printing an element of the $_GET array (or any other user submitted data) to the page, you should run it through htmlspecialchars() or the like before printing it out to prevent XSS vulnerabilities.
Using a variable is a preference for you to decide; it does not matter. But a variable is the way forward if you use the same one multiple times.
<?php echo htmlspecialchars($_GET['a']);?>
Using a variable means that it is reusable, especially if you have added extra code, which means editing just one variable for all instances.
<?php $a = htmlspecialchars($_GET['a']);
echo $a;
echo $a;
echo $a;
echo $a;
?>
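The three steps the answers in this thread recommend (validate once into a variable, bind it in a prepared statement, escape it on output), put together as an added example that is not from any of the answers. The helper intParam, the items table and the sample request data are constructed for the demo, and it assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Constructed request data standing in for $_GET, so the script runs from the CLI.
$query = ['a' => '12', 'name' => '<script>alert(1)</script>'];

/** Read an integer parameter once; null when missing or out of range. (Hypothetical helper.) */
function intParam(array $source, string $key, int $min, int $max): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null; // absent, or an array such as ?a[]=1
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

// 1. Validate at the boundary and keep the result in a variable.
$a = intParam($query, 'a', 1, 1000000);
$name = isset($query['name']) && is_string($query['name']) ? $query['name'] : '';
if ($a === null) {
    http_response_code(400);
    exit("bad parameter\n");
}

// 2. SQL context: bind values in a prepared statement (in-memory SQLite for the demo).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, label TEXT)');
$insert = $pdo->prepare('INSERT INTO items (id, label) VALUES (:id, :label)');
$insert->execute([':id' => $a, ':label' => $name]);

$select = $pdo->prepare('SELECT label FROM items WHERE id = :id');
$select->execute([':id' => $a]);
$label = (string) $select->fetchColumn();

// 3. HTML context: escape at output time, whatever the value's origin.
echo '<p>Item ', $a, ': ', htmlspecialchars($label, ENT_QUOTES, 'UTF-8'), "</p>\n";
```

The label is stored unmodified and escaped only when written into HTML, so the same stored value stays usable in other output contexts.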

Detect all uppercase variables in PHP project (and replace with something else)

Firstly - some background. We have a config.php file which lists several variables and settings in this format:
$MY_EMAIL_ADDRESS = 'test@test.com';
$MY_WEBSITE = 'www.test.com';
$SOMETHING_ELSE = 'foobar';
I would like to replace them with more sensible (and secure) names as part of an array, throughout the entire PHP project. Mostly so we can do this more securely: Get PHP variable value via Ajax with variable name as parameter
We have also forgotten some of these variables names, so that they are used throughout the project, but possibly not documented - hence doing a search one-by-one will prove difficult.
Is there a way I can search the php files for any values that start with a dollar sign ($) and then are made up of only upper case letters and possibly underscores?
$MY_SETTING_NAME
We could then either build a list and update manually, or build some kind of script to replace things with a more sensible way of working:
$CONFIG['MY_SETTING_NAME']
Thank you!
You can use get_defined_vars function which will return all variables as array.
Please look at php.net website for example
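A different approach from the get_defined_vars() suggestion, added here as an example and not part of the answer: scan the source with PHP's tokenizer and list every variable whose name is all upper case. The function name findUppercaseVariables and the sample file contents are constructed for the demo.

```php
<?php
declare(strict_types=1);

/**
 * List variables whose names are all upper case (with digits/underscores) in PHP source.
 * Uses the tokenizer, so matches inside comments and single-quoted strings are ignored.
 * findUppercaseVariables is a name chosen for this example.
 */
function findUppercaseVariables(string $source): array
{
    $found = [];
    foreach (token_get_all($source) as $token) {
        // Variables are array tokens: [id, text, line]. Single characters are plain strings.
        if (!is_array($token) || $token[0] !== T_VARIABLE) {
            continue;
        }
        [, $name, $line] = $token;
        // Must start with a letter, which excludes $_GET, $_POST and the other superglobals.
        if (preg_match('/\A\$[A-Z][A-Z0-9_]*\z/', $name) === 1 && $name !== '$GLOBALS') {
            $found[$name][] = $line;
        }
    }
    ksort($found);
    return $found;
}

// Constructed sample standing in for one project file.
$sample = <<<'PHP'
<?php
$MY_EMAIL_ADDRESS = 'address';   // a comment mentioning $NOT_A_VARIABLE
$MY_WEBSITE = 'www.test.com';
$id = $_GET['id'] ?? null;
echo "Visit $MY_WEBSITE", $SOMETHING_ELSE, '$IN_SINGLE_QUOTES';
PHP;

foreach (findUppercaseVariables($sample) as $name => $lines) {
    echo $name, ' on line(s) ', implode(', ', $lines), PHP_EOL;
}

// To scan a project, call the function on file_get_contents() of each *.php file,
// e.g. while iterating a RecursiveDirectoryIterator over the source tree.
```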
