Ensure that url was called with specific parameter - php

I have a script.php that can be accessed by browser. To be able to do anything it has to be called by using script.php?abc=1
What is the best way to check if parameter was called and if not, stop the script?
Would checking for $_SERVER['REQUEST_URI'] be enough? Do all browsers use it?
Thank you

You can use the isset() function - this is a very common thing to use if you need to check whether input values have been provided or not.
In the simplest case, just exit the script if the value isn't set:
if (!isset($_GET["abc"])) exit();
Documentation: https://www.php.net/manual/en/function.isset.php
P.S. $_SERVER['REQUEST_URI'] provides the whole URI following the domain, including the path and the whole querystring. So you could pick that apart to get the value you want, but it's pointless because $_GET["abc"] will take you straight to it. See this answer for an example of the difference.

Related

Is this way of using the method GET wrong?

There is something I've been working on and I ran into a problem that I could only solve doing this
header("Location:messages.php?ID_Conversation=$row[ID]");
Is this "wrong"?
This is not wrong exactly. You are redirecting to a resource and passing information to that resource as part of the URL, and this is perfectly acceptable.
However, the part that is wrong is the way the URL is structured. If you are going to be doing this with any regularity, you will want to get into the habit of setting the location as precisely as possible.
At the very least this is to say that you should set the full path relative to the domain root:
header("Location:/any_directories/messages.php?ID_Conversation=$row[ID]");
And at the best, this means including the domain and protocol as well:
header("Location:https://yourdomain.com/any_directories/messages.php?ID_Conversation=$row[ID]");
To simplify this, create a helper function or object to handle this kind of redirect.
function redirect($url) {
header("Location:https://yourdomain.com/$url");
}
redirect("any_directories/messages.php?ID_Conversation=$row[ID]");
Obviously there are other considerations in the above function, passing data for the GET query as an array maybe, discovering the domain and/or protocol, etc, and it should not be used as it is written, but the idea is sound.

In behat how to validate if I am on the right page after clicking a link

When I click on "Laxatives"
Then I should see the "/laxatives" page
For the above Behat scenario, how can I validate or make sure that it redirects to the correct URL?
For now, when I run this it redirects to the correct page, but in case it does not, how will I validate that through the script? Kindly help.
When there is no big amount of links you're testing, you can use a switch statement to specify the expected URL for each option.
Otherwise I would suggest creating some class acting like translations, so when you request Laxatives, it will tell you that the "/laxatives" string must be present within the page URL. You can then specify these "translations" in some JSON or CSV file.
Then just use: $this->assertSession()->addressMatches($regex); where the regex will be set by switch statement or loaded by the class I mentioned.
The simplest and easiest way of achieving this is:
Given I am on 'home-page'
When I follow 'link-to-laxatives-page'
Then I should see 'Welcome to Laxatives'
So "Welcome to Laxatives" is a simple text which is present on the /laxatives page.
Note: If there is a text which is completely unique to the page then use that otherwise use something else.
OTHER OPTIONS:
You can use getCurrentUrl() in your FeatureContext.
Use the already built-in step which is in MinkContext

Using a query-string in require_once in PHP

On one of my pages I have a require_once('../path/to/url/page.php'); which works with no problems. The moment I add a query string require_once('../path/to/url/page.php?var=test'); it won't include the file anymore. It's just blank. Anyone have any ideas of why? Can you not use a query-string in a require?
Thanks,
Ryan
By using require_once('../path/to/url/page.php?var=test');, php will not make a new request to page.php, it will actually search for the file named page.php?var=test and include it, because in unix, you are allowed to have such a filename. If you want to pass a variable to that script, just define it: $var="test" and it will be available for use in that script.
require loads a File (from a file path) to include. It does not request that file through apache (or other webserver), therefore you cannot pass query strings in this way.
If you need to pass data into the file, you can simply define a standard php variable.
Example
<?php $a_variable = "data"; require_once('../path/to/url/page.php'); ?>
Note, the variable must be set before the include/require is called, otherwise it won't be available.
All answers are true. But most importantly: since $_GET is a global, it's present in all included files as well, so there's absolutely no use in passing those parameters with the include.
require only accepts paths. It would be pointless to add any request since it doesn't make any;
it simply includes the required code into the current one.

Is this code vulnerable to hacker attack?

I am really new to online web application. I am using php, I got this code:
if(isset($_GET['return']) && !empty($_GET['return'])){
return = $_GET['return'];
header("Location: ./index.php?" . $return);
} else {
header("Location: ./index.php");
}
the $return variable is URL variable which can be easily changed by hacker.
E.g i get the $return variable from this : www.web.com/verify.php?return=profile.php
Is there anything I should take care? Should I use htmlentities in this line:
header("Location: ./index.php?" . htmlentities($return));
Is it vulnerable to attack by hacker?
What should i do to prevent hacking?
Apart from that typo on line 2 (should be $return = $_GET['return'];) you should do $return = urlencode($return) to make sure that $return is a valid QueryString as it's passed as parameter to index.php.
index.php should then verify that return is a valid URL that the user has access to. I do not know how your index.php works, but if it simply displays a page then you could end up with something like index.php?/etc/passwd or similar, which could indeed be a security problem.
Edit: What security hole do you get? There are two possible problems that I could see, depending how index.php uses the return value:
If index.php redirects the user to the target page, then I could use your site as a relay to redirect the user to a site I control. This could be either used for phishing (I make a site that looks exactly like yours and asks the user for username/password) or simply for advertising.
For example, http://yoursite/index.php?return?http%3A%2F%2Fwww.example.com looks like the user accesses YourSite, but then gets redirected to www.example.com. As I can encode any character using the %xx notation, this may not even be obvious to the user.
If index.php displays the file from the return-parameter, I could try to pass in the name of some system file like /etc/passwd and get a list of all users. Or I could pass something like ../config.php and get your database connection.
I don't think that's the case here, but this is such a common security hole I'd still like to point it out.
As said, you want to make sure that the URL passed in through the querystring is valid. Some ways to do that could be:
$newurl = "http://yoursite/" . $return;
this could ensure that you are always only on your domain and never redirect to any other domain
$valid = file_exists($return)
This works if $return is always a page that exists on the hard drive. By checking that return indeed points to a valid file you can filter out bogus entries
If return would accept querystrings (i.e. return=profile.php?step=2) then you would need to parse out the "profile.php" path
Have a list of valid values for $return and compare against it
this is usually impractical, unless you really designed your application so that index.php can only return to a given set of pages
There are many ways to skin this cat, but generally you want to somehow validate that $return points to a valid target. What those valid targets are depends on your specification.
If you're running an older version of either PHP 4 or 5, then I think you will be vulnerable to header injection - someone can set return to a URL, followed by a line return, followed by any other headers they want to make your server send.
You could avoid this by sanitising the string first. It might be enough to strip line returns but it would be better to have an allowed list of characters - this might be impractical.
4.4.2 and 5.1.2: This function now prevents more than one header to be sent at once as a protection against header injection attacks.
http://php.net/manual/en/function.header.php
What would happen if you put in a page that didn't exist. For example:
return=blowup.php
or
return=http://www.google.co.uk
or
return=http%3A%2F%2Fwww.google.co.uk%2F
You could obfuscate the reference by not including the .php in the variable. You could then append it in the code-behind and check for the existence of the file in your directory / use a switch statement of allowable values before redirecting to it.
In this case, it depends more on what's done with that part of the query string on index.php. If it's being sent to a database query, output, eval(), or exec() yes, it's a very common security hole. Most other situations will be safe unfiltered, but it's best to write your own general purpose sanitizing function which converts quotes of all varieties to their HTML entity, as well as equals symbols.
The things I would do are:
Define, what type of return values are allowed?
Write down all types of possible return values.
Then, make conclusions: what characters are not allowed, what is the maximum url length, what domains are allowed, etc.
Finally: make a filter function according to above conclusions.
I think a hacker can do this:
you will redirect if $_GET['return'] contains anything
the hacker can use it as XSS
redirect to a virus or anything like it
but there is no ability to do anything else
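
One way to implement the allowlist check the answers above recommend for the return parameter, as an added example that is not code from any of the posts. The names ALLOWED_RETURN_PAGES and safe_return_target() and the list of pages are assumptions made for illustration.

```php
<?php
// Added example. ALLOWED_RETURN_PAGES and safe_return_target() are
// hypothetical names; the page list is constructed for illustration.
const ALLOWED_RETURN_PAGES = ['profile.php', 'settings.php', 'inbox.php'];

/**
 * Turn an untrusted ?return= value into a redirect target on this site.
 * Anything that fails a check falls back to the plain index page.
 */
function safe_return_target($return, string $default = './index.php'): string
{
    // Missing, empty, or array-valued (?return[]=x) input.
    if (!is_string($return) || $return === '') {
        return $default;
    }
    // Control characters, including the CR/LF used for header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $return)) {
        return $default;
    }
    // Allow an optional query string such as "profile.php?step=2",
    // but compare only the page part against the allowlist.
    $page = explode('?', $return, 2)[0];
    if (!in_array($page, ALLOWED_RETURN_PAGES, true)) {
        return $default; // covers absolute URLs, "//host", "../", "/etc/passwd"
    }
    // Encode so the value stays a single query-string component.
    return './index.php?' . urlencode($return);
}

// Constructed inputs, including the cases raised in the answers above.
$samples = [
    'profile.php',
    'profile.php?step=2',
    'blowup.php',
    'http://www.google.co.uk',
    '//www.example.com/',
    '../config.php',
    "profile.php\r\nX-Injected: 1",
    ['profile.php'],
];
foreach ($samples as $s) {
    printf("%-34s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), safe_return_target($s));
}
// In verify.php: header('Location: ' . safe_return_target($_GET['return'] ?? null)); exit;
```

Only the first two samples produce a target carrying the return value; every other input, including the array-valued one, falls back to ./index.php.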

php/html - http_referer

I am creating a website and on one particular page, am wanting to send the user back to the previous page. I am fairly new to PHP/HTML and have been using some existing code for ideas and help.
The existing code uses the following method:
if (! empty($HTTP_REFERER))
{
header("Location: $HTTP_REFERER");
} else
{
header("Location: $CFG->wwwroot");
}
However, when I use this code the HTTP_referer is always treated as empty and the user redirected to the root page. Any obvious flaws in this code?
Don't rely on the HTTP Referrer being a valid or even non-empty field. People can choose to not have this set leaving any checks for that variable going to the empty side of the IF-ELSE clause.
You can guard against this by sending along a parameter in either the URL or POST parameters that would hold a value that you can use to redirect the user back to.
You need to use:
$_SERVER['HTTP_REFERER']
isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
If you wanted to send the person back to the previous page and have it work regardless of the referrer being set correctly, you can append a GET parameter to the URL (or POST). You will need to encode the URL. Something like
http://www.domain.com.au/script.php?return=http%3a%2f%2fwww.domain.com.au%2fthis-is-where-i-was%2f
You can use PHP's urlencode() function.
Also note that the referer header might be empty or missing anyway, so you shouldn't rely on it at all.
You should use
$_SERVER['HTTP_REFERER']
However look at the register_globals configuration in php.ini, it should be turned off due to security reasons. You can read more on PHP Manual site.
