I have two files, the first is a form (signup.php) that posts user inserted fields (first name, last name, user name, email..etc) into another file containing an error handlers (Signup.chk.php) using post method. in case of error in the inputs, i wanted signup.chk.php to send back all the fields inserted by the user to the signup.php file using GET method to re-display the form with the errors and the user's inputs.
i'm expecting a URL that looks like below:
localhost/signup?signup=error&firstname=Joe&lastname=Doe&user=Jdoe1&email=Jdoe#abc.com
it works fine if the user didnt insert special chars as inputs.
if the user inserts $ or & as part of the inputs it will mess up the _GET function on the other page.
what is the best way to encode/decode the URL values to prevent XSS and also allow the signup.inc file to properly receive the url values and display it correctly in the form fields again (Even if containing <>$&%..etc)
To do what you want, you can use urlencode() and urldecode().
// To form the URL
$url = "localhost/signup?signup=error&firstname=" . urlencode($firstname);
// To get the value from the URL and decode it.
$firstname = urldecode(isset($_GET['firstname']) ? $_GET['firstname'] : "");
However, there is a security issue, user may add some code on the url to attack your website, so you need to do something to avoid it, eg restrict input length or avoid unnecessary specific characters.
Related
In my website, I am passing the user input to a new page using get method. And I am having troubles when the user enters something with &. I am reading two inputs from user. Assume the user entered xxxyyzz for $_GET['input1'] and aaa&bbb for $_GET['input2']. Here is the page the user is directed to:
http://www.mywebsite.com/?input1=xxxyyzz&input2=aaa&bbb
In the directed page, I am getting the inputs using this code:
$input1 = $_GET['input1'];
$input2 = $_GET['input2'];
Obviously $input2 is not populated properly when the user enters an input with something &.
Is there any simple way to handle this other than replacing all &s with another string?
I have a scenario where when I submit a form in PHP, sometimes the url would be something like this prior to submitting:
http://localhost/pre_school-schedules.php#ps-n2
What I want to do is set the url after submitting to be as follows:
http://localhost/pre_school-schedules.php
Currently I'm trying to do that with:
header('Location:http://localhost/pre_school-schedules.php');
But this is not working and prevents my custom messages such as Item inserted successfully. or there was a problem with... to show. Is there any other way to make the page after a post request remove any extra stuff from the URL?
as you don't define the post action, the current url is used, if it has a fragment (the bit after the #) that gets sent also. So simply hard code the action like so:
action="pre_school-schedules.php"
You should be able to remove the anchor and everything after it during your form processing with preg_replace, trim, or similar function.
$url = preg_replace('/#.*/', '', $url);
If you end up needing to redirect, save your needed data such as errors in a session then send them to the destination page.
When a user submits any form, a $_GET['variable_name'] is sent by the webpage and will give a URL like the following: www.mywebsite.com/index.php?variable_name_here='yes'.
However people can just write the URL www.mywebsite.com/index.php?variable_name='yes' into the address bar of the website and gain access to this part of the script, without actually submitting the form!
This is a problem! It's breaking specific parts of the script linked to that form submission! This is because the part of the script relating to the $_GET['variable_name'] can't get the variables that should be sent by the form as it is never submitted!
How do I stop people getting to specific parts of a script when they manipulate the URL by sending them back to www.mywebsite.com/index.php?
P.S. : This is for user submitted data through a form which is then processed (no SQL or any alike software involved)
If you are worrying about people getting in to your site without logging in or not having correct params, you should first check to see if the correct $_GET variables exist using isset(). If all paramaters you are expecting exist allow them to pass, otherwise use header('Location: /index.php'); to force a redirect.
To redirect from www.mywebsite.com/index.php?variable_name='yes' to www.mywebsite.com/index.php you would need to include the following code below before you open a HTML header! This solution will work for any $_GET variables within your whole website if you place it within an includes("filename_here"), no need to change the code.
//if there are any $_GET variable(s) set (doesn't matter what the name of the variables are)
if (! empty($_GET))
{
//if there is no record of the previous page viewed on the server
if(! isset($_SERVER['HTTP_REFERER']))
{
//get requested URL by the user
$redir = $_SERVER['PHP_SELF'];
//split parts of the URL by the ?
$redir = explode('?', $redir);
//redirect to the URL before the first ? (this removes all $_GET variables)
header("Location: $redir[0]");
}
}
I've a very strange problem in my form and have no idea how to solve it. Tried a search but found nothing about it. I have a form which i receive the data with $get in a php page to process the data. Strangely, when i insert an # in a field like the email for example, the # is lost durring the process of sending data. I verified in the line before the redirection to the php page if the # was there and it was, so i don't know this character is lost in the next step of the process.
Any hints?
The redirection comes from a javascript function that i call when i click the submit form:
window.location.href = 'index.php?pagina=candidaturasB&'+ qstringA;
the "qstringA" contains all the data of my form, and if in some input i put an #, if i do alert(qstringA) before de redirection line, the # is there, after that, in the url, of the php page where i received the data there's no #.
ex: index.php?...&email="ren#something.com" appears on the url "index.php?...&email="rensomething.com".
Use urlencode() for each form data :
eg :
$url = "index.php?pagina=candidaturasB";
$url .= "&email=".urlencode($_GET['email']);
$url .= "&data="urlencode($_GET['data']);
And pass the result string to window.location.href
I have a doubt about how I can check an URL like this:
http://your.url/set_new_password.php?userid=564979&code=54c4a2767c2f485185ab72cdcf03ab59
I need to check if the userid exists in the database and if the userid is associated to the hash in the link.
I Read that it is not possible check the url within php. If so, is it possible to solve this problem? I need to verify if the hash and userid present in the link exist in the database.
Any other alternatives?
The variables userid and code in the URL are made available to PHP in an array called GET:
echo $_GET['userid']; // 564979
If you have a hash (or fragment) in your URL, this won't get back to PHP:
www.mysite.com?val=1#part2
In the above, PHP can see the domain and the val variable, but not #part2. Sites that use the hash to significantly change the page (eg GMail) use javascript to pull in new content when the hash changes.
Be sure to sanitize your variables before using them, to avoid malicious users being able to hack into your system. This is a big topic, but read up on the following:
Data Filtering
PHP Data Objects
Sanitize and Validate Data with PHP Filters
If you don't sanitize, someone could change your url so that the variable is set to:
;DELETE * FROM mytable;
When you query your db without sanitising your inputs, you could lose all your data.
use the $_GET variable in php
$_GET['userid']
see tutorial here
In PHP, the $_GET array has the url parameters. So in this case, you'd use $_GET['userid'] and $_GET['code']
See Server consist of apache , php , mysql . When you access this url through your browser it is first send to apache which forwards your request to php . Php takes full controle from there on . A request made by client browser consist of various data which can be divided into types cookies , headers , post , get request . All these data can be access in there respective suprglobal variables in php $_GET , $_POST and so on . In your case you need to access $_GET . so do $_GET['userid'] to access userid , and $_GET['code'] to access code . Lastly you would connect ot MYSQL and do querly like "Select * from users where 'userid' = $_GET['userid'] and 'code' = $_GET['code'] " ;