I'm building the Rest API in Php Slim. API working fine on localhost. Now I placed it on live server. The issue is when I send data in body using GET method, Postman shows error: 500 Internal Server Error.
. But it's working fine when changing GET to POST. I'm new in backend so don't understand what the issue is. The index.php file of API is located in subdirectory as example.com/api/public/index.php so I made some changes in .htaccess but it's not working.
.htaccess
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php73” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php73 .php .php7 .phtml
</IfModule>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d [OR]
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /api/public/index.php [L,QSA]
# Don't listing directory
Options -Indexes
ErrorDocument 403 http://www.example.com/
# Follow symbolic links
Options +FollowSymLinks
# Default handler
DirectoryIndex index.php
# php -- END cPanel-generated handler, do not edit
Could I use POST instead of GET or there is something wrong?
The issue is when I send data in body using GET method
Take a look at the specification:
A payload within a GET request message has no defined semantics;
sending a payload body on a GET request might cause some existing
implementations to reject the request.
While it is possible to get some clients (e.g. Postman) to make an HTTP GET request with a body and it is possible to get some servers to read the body from an HTTP GET request, it does completely lock out some other clients (e.g. the browser APIs of XMLHttpRequest and fetch).
Either don't use a GET request or don't use a request body for this.
Related
On my test server with Apache and php7.1 I can work with an URL like example.com/news/id/title
and it redirects me to
example.com/news.php
but the url is still the same and I can use the Parameters after the slashes.
Now I work on a live hosting and its not working anymore.
I tried to redirect with htaccess and it works for
example.com/news to redirect to example.com/news.php
but if I put anything after that i get an 404 error.
How can I redirect the requests from
/news/id/ to news.php where I want to read out the id?
And why did that work natively on my test server?
Thousand thanks for any hint.
My actual .htaccess:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^news/(.*) /news.php/$1 [R=301,NC,L]
Sounds like you may have a conflict with MultiViews (part of mod_negotiation). You need to make sure MultiViews is disabled at the top of your .htaccess file:
Options -MultiViews
If MultiViews is enabled and you make a request for /news/id/ then mod_negotiation makes an internal subrequest for /news.php (without any additional path-info) before mod_rewrite is able to rewrite the request.
why did that work natively on my testserver?
MultiViews is disabled by default on Apache, however, a number of shared web hosts do enable it for some reason. It makes extensionless URLs "magically" work without doing anything, however, this potentially creates duplicate content (bad for SEO) and causes no end of unexpected conflicts with mod_rewrite, such as this.
UPDATE: Change your directives to something like the following instead:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^news/(.*) /news.php/$1 [L]
This internally rewrites (as opposed to _externally redirects_) all requests that start /news/to/news.php/- whereis passed as _path-info_ to/news.php`. (I assume that passing the URL-path as path-info is the intention? You could instead use the query string or not pass anything in the directive and simply examine the requested URL in PHP? - but this might require marginally more processing in PHP.)
There's no need to check that the target file exists, since it's hardcoded in this example.
Removal of the R flag results in the internal rewrite.
You will need to clear your browser cache since the 301 (permanent) redirect will have been cached by the browser.
If you need a more generic solution that rewrites /<action>/<data> to /<action>.php/<data> then write it like this:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^([^/]+)/(.*) /$1.php/$1 [L]
Again, no need to check that the request does not map to a file before checking that it does map to a file when .php is appended.
Note that this is not using a TestString of the form %{REQUEST_FILENAME}.php (as you had initially), as this can result in a rewrite loop (500 error) for certain requests. See my answer to the following question on ServerFault that explains this further: https://serverfault.com/questions/989333/using-apache-rewrite-rules-in-htaccess-to-remove-html-causing-a-500-error
My wordpress is infected by malware. I found malicious code attached right after jquery codes in every js file.
Also I found multiple requests being made to unknown host/ip. I'm unable to find which script makes this call.
So I'm thinking to block any request to third party domain or IP via htaccess. But it doesn't seem to work.
Please advice the correct way to write this.
path to .htaccess file:
public_html\.htaccess
The content if it (before changes):
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
I tried:
attempt 1
//but I don't think this is relevant as it's meant for incoming
requests
order allow,deny
allow from all
deny from 134.249.116.78
attempt 2
Deny from 134.249.116.78
This is how network tab looks like:
And the header like this:
You will need to do this at the Web Server level of your stack. In your case using Apache configuration.
Specifically, the important one for your question is:
Header always append X-Frame-Options SAMEORIGIN
Additionally for the issue of XSS
Header set X-XSS-Protection “1; mode=block”
It should be noted that is not all that is necessary to lock down a server and that will not stop all XSS but it is a step towards a more secure server environment.
I am having troubles using my url parameters to write to a blue host DB.
As soon as I pass parameters into the url I get a server error(500).
I am also not receiving any error reports on the PHP side.
what am I doing wrong?
I have reloaded the page, cleared all cookies, and I am fairly sure it is not a gateway Timeout.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
There are a couple more .htacces rules but those contain this:
# Use PHP54CGI as default
AddHandler fcgid54-script .php
# BEGIN WordPress
# END WordPress
What i suggest is using a different hosting provider as this problem is not easy to be solved.
I moved my database to a different provider and it works now.
However this does not solve the problem for people who encounter the same
By any chance are you using the shared secure URL like "https://secure.bluehost.com/~userid" ?
I discovered that the .htaccess code for php 5.4:
AddHandler fcgid54-script .php
causes a failure when using the shared SSL url. Of course when you take it out, you are back on php 5.2.
I am using POSTMAN to send a GET request into the api with a header containing Authorization.
I know the data header works because if it doesn't the route returns a 401 error.
I wanted to get the Authorization header like so:
$access_token = Request::header('Authorization');
But noticed that it returns NULL.
So I tried to catch the values with:
die(var_dump(Request::header()));
And noticed that it doesn't contain any Authorization header. Just host to cookie headers.
update
Should get Authorization: Bearer ACCESS TOKEN
What POSTMAN Version did you use?
Are you on your local machine or managed server, some hosting companies don't allow AUTHORIZATION HEADER.
.htaccess modification
RewriteEngine On
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
The answer from dschniepp is right, but I have problems with this too. You have to do two things:
Check if mod_rewrite is available and activated.
Update the .htaccess file of Laravel, located in the public folder.
In the first point you have to check if the "mod_rewrite" module is available through php_info function, in a separate php file. Then if it is available you have to activate it, that depends on the configuration of your webserver, in my Nitrous box I added these lines to my httpd.conf file:
<IfModule mod_rewrite>
RewriteEngine On
</IfModule>
Or you can activate the module in the .htaccess file too:
RewriteEngine On
Then in the same .htaccess file located in public folder in the root of the laravel app, you have to add these lines:
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
These lines worked for me. Your .htaccess file should look like this:
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
# Redirect Trailing Slashes...
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
And that's it, you should have the Authorization header in the Request::header() array. Just to clarify these is an issue with Apache, not with Laravel itself.
In Laravel 5.5 you can read herders by using apache_request_headers simply read it in your controller by the following lines
$headers = apache_request_headers();
dd($headers['Authorization']);
Make sure you have added use Illuminate\Http\Request; in your controller
Missing authorization headers with Apache virtual host.
Apart of the solution above the culprit may be because Apache server does not allow authorization header to pass through virtual host.
To solve this issue you have to add the line allowing Apache to pass authorization header to PHP in you virtual hosts configuration. E.g. for Ubuntu 18.04 the virtual host is defined in /etc/apache2/sites-available/your-site-name.conf, see this tutorial for better context.
<VirtualHost>
# ...
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
# ...
</VirtualHost>
After updating the virtual host config do not forget to restart Apache (again e.g. Ubuntu 18.04 sudo systemctl restart apache2).
This should fix the issue.
Here is the original answer.
Posting this here as it solved my problem. This applies for sub domains but can obviously be adjusted for plain domains as well. Applied this within my routes file at the top.
$newUrl = '';
try{
$urlParts = parse_url($_SERVER['HTTP_REFERER']) ?? '';
$newUrl = $urlParts['scheme'] . "://" . $urlParts['host'];
if(!stristr($newUrl, '.yourdomain.com')){
$newUrl = 'false';
}
}catch(Exception $e)
{}
header('Access-Control-Allow-Origin: ' . $newUrl);
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Headers: access-control-allow-origin,cache-control,content-type,postman-token');
I have a content in htaccess
Options FollowSymLinks
RewriteEngine on
# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# otherwise forward it to index.php
RewriteRule .* index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
How do I add to enable PUT method?
Thanks
Here is the solution which may work for you
First, a utility file to support HTTP digest authentication, which
can be located in the target directory (or a common PHP include
directory if you can set one up): dowload and rename dauth.php
Second, in the directory concerned, place the following PHP script:
download and rename put.php
Third, store the following .htaccess file in the target directory,
replacing '/path-to-target-directory' with the domain-relative path
(e.g. if a target file can be read at http://mydomain/x/y/z.html,
then the /path-to-target-directory would be '/x/y'): download and rename .htaccess
.htaccess example:
Options FollowSymLinks
RewriteEngine on
RewriteBase /path-to-target-directory
RewriteCond %{REQUEST_METHOD} !PUT
RewriteRule ^/put\.php$ - [F]
RewriteCond %{REQUEST_METHOD} PUT
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^/put\.php$ - [F]
RewriteCond %{REQUEST_METHOD} PUT
RewriteRule ^(.*)$ put.php?url=$1 [L]
For more info refer: Here
Conventions talk about the X-HTTP-METHOD-OVERRIDE header that transports the underlying method to be used (in a POST request).
You can get this request header in your php application to define whether or not you handle a PUT request.
No action is required to "enable" PUT requests with apache.
if you mean that you don't receive the data sent with a PUT request - you need some php code like this in your code:
if ($_SERVER['REQUEST_METHOD'] === 'PUT') {
$data = file_get_contents('php://input');
}
since a PUT request will not populate $_POST (obviously, since it's not a POST request).