I am just a weekend coder and only work on my own projects but I would like to use $_GET in a reasonably secure way. I typically use $_GET from a table with many items that I would like to perform some action on (Edit, Delete). Do any of you veterans see any security issues with the functions I have created or a simpler more elegant way of doing it? I appreciate any input, Thanks.
<?php session_start();
if (empty($_SESSION['SecretKey'])) {
$_SESSION['SecretKey'] = bin2hex(openssl_random_pseudo_bytes(16));
}
function GetURLEncode($ArrayData,$SecretKey,$Echo = true) {
$GetQuery = http_build_query($ArrayData,'','&');
$Checksum = http_build_query(Array("Checksum" => hash_hmac('ripemd160', $GetQuery, $SecretKey)));
if ($Echo) {
echo ''.htmlspecialchars($ArrayData['Action']).'';
} else {
return "?".$GetQuery."&".$Checksum;
}
}
function GetURLDecode($GetData,$SecretKey,&$ReturnData) {
$Checksum = $GetData['Checksum'];
unset($GetData['Checksum']);
$GetQuery = http_build_query($GetData,'','&');
if (hash_equals(hash_hmac('ripemd160', $GetQuery, $SecretKey),$Checksum)) {
$ReturnData = $GetData;
return true;
}
$ReturnData = "";
return false;
}
if (!empty($_GET)) {
if (GetURLDecode($_GET,$_SESSION['SecretKey'],$ReturnData)) {
echo "Array Returned<br>";
echo var_dump($ReturnData)."<br><Br>";
} else {
echo "Checksum Error<br><br>";
}
}
//Example 1
$MyArray1 = Array ("FirstName" => "John",
"LastName" => "Doe",
"Adderss" => "12345 MyStreet",
"City" => "Apple Valley",
"State" => "California");
echo "Sample 1<br>";
$URL = GetURLEncode($MyArray1,$_SESSION['SecretKey'],false);
echo 'Click Me';
//Example 2
$MyArray2 = Array(Array("Id" => 0,"Make" => "Chevy","Model" => "HHR"),
Array("Id" => 1,"Make" => "Chevy","Model" => "Corvette"),
Array("Id" => 2,"Make" => "Ford","Model" => "Mustang"),
Array("Id" => 3,"Make" => "Nissan","Model" => "Sentra"),
Array("Id" => 4,"Make" => "Ford","Model" => "Ranger"),
Array("Id" => 5,"Make" => "Dodge","Model" => "Charger"));?>
<br><br>
<table>
<th>sample 2</th>
<?php foreach ($MyArray2 as $Array) { ?>
<tr>
<td><?= $Array['Make'];?></td>
<td><?= $Array['Model'];?></td>
<td><?php GetURLEncode(array("Id"=>$Array['Id'],"Action"=>"Edit"),$_SESSION['SecretKey']);?></td>
<td><?php GetURLEncode(array("Id"=>$Array['Id'],"Action"=>"Delete"),$_SESSION['SecretKey']);?></td>
</tr>
<?php } ?>
</table>
Hello there weekend coder, the only issue i see with using a GET method is that a user can directly change the GET data in the url. for example, lets take youtube for example ( at least back in the day ), each youtube video has a GET value of v and it's value is some random 64bit alphanumeric hex hash of digits and you can see it directly in the URL youtube com/watch?v=xxxxxxxxxxxx since this is so, you can manually change this value and it will take you to another video because you changed the video id number. this is useful because you can copy this link and send it to your friends.
on the other hand, POST is different as you cannot really directly change the POST data values being sent. though there some mischievous ways some may be able too, which is why form validation is always needed for POST forms and values!!!
if we changed youtube's methods to use POST, all youtube videos would have youtubeDOTcom as the URL and the video ID would be hidden underneath the page as POST. now the user cannot directly see their video's random unique ID and cannot send the link to others to be shared.
Hope this explains a bit, it depends on what type of information you are sending. if you think it should be secured and not visible to all users, use POST. if you want the link to be shared and changed often to view different pages,media, etc, that's not confidential, you can use GET
Related
I need to display site visitor's continent. I am using geoip functionality to pull 2 letter code, which I can get to work very easily. However, just displaying 'AS' for Asia to the site visitor is clearly undesirable. So I'm trying to convert that. This is what I am trying to do. . .
<?php
$continent = geoip_continent_code_by_name($_SERVER['REMOTE_ADDR']);
$africa = array('AF');
$antarctica = array('AN');
$asia = array('AS');
$europe = array('EU');
$northamerica = array('NA');
$oceania = array('OC');
$southamerica = array('SA');
if ($africa) {
echo 'Africa';
}
elseif ($antarctica) {
echo 'Antarctica';
}
elseif ($asia) {
echo 'Asia';
}
elseif ($europe) {
echo 'Europe';
}
elseif ($northamerica) {
echo 'North America';
}
elseif ($oceania) {
echo 'Australia and Oceania';
}
elseif ($southamerica) {
echo 'South America';
}
else {
echo '';
}
?>
It just displays 'Africa' no matter where the site visitor, so it's getting stuck there. I'm reading though PHP tutorials but can't figure out what I'm doing wrong. My if, else and elsifs look good as far as I can tell.
Well, you're kind of going about it wrong.
You're getting the code correctly with your first line, but then you are creating a bunch of different arrays, each containing one of the possible codes. Then you are checking for the existence of each array, and since you just created them, they do exist, so your IF block will stop with the first check and output Africa.
What you want to do is create one array that contains all the codes as keys, with the output name as values, and then just use the code you got from $_SERVER to return the matching value from that array. (I got the list of codes from the manual)
$continent = geoip_continent_code_by_name($_SERVER['REMOTE_ADDR']);
$continents = [
'AF' => 'Africa',
'AN' => 'Antarctica',
'AS' => 'Asia',
'EU' => 'Europe',
'NA' => 'North America',
'OC' => 'Oceania',
'SA' => 'South America',
];
echo $continents[$continent];
It's worth a little explanation for WHY your IF block functions the way it does. PHP is loosely typed, meaning that you don't have to explicitly set the type of variables. So when PHP encounters a variable it has to guess about how to use it. So when you say if($africa), php tries to make sense of $africa in the context of a boolean question, and since it DOES exist and is not 0 or false, it sees it as TRUE and executes the first block.
The issue is this:
I have a web application that runs on a PHP server. I'd like to build a REST api for it.
I did some research and I figured out that REST api uses HTTP methods (GET, POST...) for certain URI's with an authentication key (not necessarily) and the information is presented back as a HTTP response with the info as XML or JSON (I'd rather JSON).
My question is:
How do I, as the developer of the app, build those URI's? Do I need to write a PHP code at that URI?
How do I build the JSON objects to return as a response?
Here is a very simply example in simple php.
There are 2 files client.php & api.php. I put both files on the same url : http://localhost:8888/, so you will have to change the link to your own url. (the file can be on two different servers).
This is just an example, it's very quick and dirty, plus it has been a long time since I've done php. But this is the idea of an api.
client.php
<?php
/*** this is the client ***/
if (isset($_GET["action"]) && isset($_GET["id"]) && $_GET["action"] == "get_user") // if the get parameter action is get_user and if the id is set, call the api to get the user information
{
$user_info = file_get_contents('http://localhost:8888/api.php?action=get_user&id=' . $_GET["id"]);
$user_info = json_decode($user_info, true);
// THAT IS VERY QUICK AND DIRTY !!!!!
?>
<table>
<tr>
<td>Name: </td><td> <?php echo $user_info["last_name"] ?></td>
</tr>
<tr>
<td>First Name: </td><td> <?php echo $user_info["first_name"] ?></td>
</tr>
<tr>
<td>Age: </td><td> <?php echo $user_info["age"] ?></td>
</tr>
</table>
Return to the user list
<?php
}
else // else take the user list
{
$user_list = file_get_contents('http://localhost:8888/api.php?action=get_user_list');
$user_list = json_decode($user_list, true);
// THAT IS VERY QUICK AND DIRTY !!!!!
?>
<ul>
<?php foreach ($user_list as $user): ?>
<li>
<a href=<?php echo "http://localhost:8888/client.php?action=get_user&id=" . $user["id"] ?> alt=<?php echo "user_" . $user_["id"] ?>><?php echo $user["name"] ?></a>
</li>
<?php endforeach; ?>
</ul>
<?php
}
?>
api.php
<?php
// This is the API to possibility show the user list, and show a specific user by action.
function get_user_by_id($id)
{
$user_info = array();
// make a call in db.
switch ($id){
case 1:
$user_info = array("first_name" => "Marc", "last_name" => "Simon", "age" => 21); // let's say first_name, last_name, age
break;
case 2:
$user_info = array("first_name" => "Frederic", "last_name" => "Zannetie", "age" => 24);
break;
case 3:
$user_info = array("first_name" => "Laure", "last_name" => "Carbonnel", "age" => 45);
break;
}
return $user_info;
}
function get_user_list()
{
$user_list = array(array("id" => 1, "name" => "Simon"), array("id" => 2, "name" => "Zannetie"), array("id" => 3, "name" => "Carbonnel")); // call in db, here I make a list of 3 users.
return $user_list;
}
$possible_url = array("get_user_list", "get_user");
$value = "An error has occurred";
if (isset($_GET["action"]) && in_array($_GET["action"], $possible_url))
{
switch ($_GET["action"])
{
case "get_user_list":
$value = get_user_list();
break;
case "get_user":
if (isset($_GET["id"]))
$value = get_user_by_id($_GET["id"]);
else
$value = "Missing argument";
break;
}
}
exit(json_encode($value));
?>
I didn't make any call to the database for this example, but normally that is what you should do. You should also replace the "file_get_contents" function by "curl".
In 2013, you should use something like Silex or Slim
Silex example:
require_once __DIR__.'/../vendor/autoload.php';
$app = new Silex\Application();
$app->get('/hello/{name}', function($name) use($app) {
return 'Hello '.$app->escape($name);
});
$app->run();
Slim example:
$app = new \Slim\Slim();
$app->get('/hello/:name', function ($name) {
echo "Hello, $name";
});
$app->run();
That is pretty much the same as created a normal website.
Normal pattern for a php website is:
The user enter a url
The server get the url, parse it and execute a action
In this action, you get/generate every information you need for the page
You create the html/php page with the info from the action
The server generate a fully html page and send it back to the user
With a api, you just add a new step between 3 and 4. After 3, create a array with all information you need. Encode this array in json and exit or return this value.
$info = array("info_1" => 1; "info_2" => "info_2" ... "info_n" => array(1,2,3));
exit(json_encode($info));
That all for the api.
For the client side, you can call the api by the url. If the api work only with get call, I think it's possible to do a simply (To check, I normally use curl).
$info = file_get_contents(url);
$info = json_decode($info);
But it's more common to use the curl library to perform get and post call.
You can ask me if you need help with curl.
Once the get the info from the api, you can do the 4 & 5 steps.
Look the php doc for json function and file_get_contents.
curl : http://fr.php.net/manual/fr/ref.curl.php
EDIT
No, wait, I don't get it. "php API page" what do you mean by that ?
The api is only the creation/recuperation of your project. You NEVER send directly the html result (if you're making a website) throw a api. You call the api with the url, the api return information, you use this information to create the final result.
ex: you want to write a html page who say hello xxx. But to get the name of the user, you have to get the info from the api.
So let's say your api have a function who have user_id as argument and return the name of this user (let's say getUserNameById(user_id)), and you call this function only on a url like your/api/ulr/getUser/id.
Function getUserNameById(user_id)
{
$userName = // call in db to get the user
exit(json_encode($userName)); // maybe return work as well.
}
From the client side you do
$username = file_get_contents(your/api/url/getUser/15); // You should normally use curl, but it simpler for the example
// So this function to this specifique url will call the api, and trigger the getUserNameById(user_id), whom give you the user name.
<html>
<body>
<p>hello <?php echo $username ?> </p>
</body>
</html>
So the client never access directly the databases, that the api's role.
Is that clearer ?
(1) How do I ... build those URI's? Do I need to write a PHP code at that URI?
There is no standard for how an API URI scheme should be set up, but it's common to have slash-separated values. For this you can use...
$apiArgArray = explode("/", substr(#$_SERVER['PATH_INFO'], 1));
...to get an array of slash-separated values in the URI after the file name.
Example: Assuming you have an API file api.php in your application somewhere and you do a request for api.php/members/3, then $apiArgArray will be an array containing ['members', '3']. You can then use those values to query your database or do other processing.
(2) How do I build the JSON objects to return as a response?
You can take any PHP object and turn it into JSON with json_encode. You'll also want to set the appropriate header.
header('Content-Type: application/json');
$myObject = (object) array( 'property' => 'value' ); // example
echo json_encode($myObject); // outputs JSON text
All this is good for an API that returns JSON, but the next question you should ask is:
(3) How do I make my API RESTful?
For that we'll use $_SERVER['REQUEST_METHOD'] to get the method being used, and then do different things based on that. So the final result is something like...
header('Content-Type: application/json');
$apiArgArray = explode("/", substr(#$_SERVER['PATH_INFO'], 1));
$returnObject = (object) array();
/* Based on the method, use the arguments to figure out
whether you're working with an individual or a collection,
then do your processing, and ultimately set $returnObject */
switch ($_SERVER['REQUEST_METHOD']) {
case 'GET':
// List entire collection or retrieve individual member
break;
case 'PUT':
// Replace entire collection or member
break;
case 'POST':
// Create new member
break;
case 'DELETE':
// Delete collection or member
break;
}
echo json_encode($returnObject);
Sources: https://stackoverflow.com/a/897311/1766230 and http://en.wikipedia.org/wiki/Representational_state_transfer#Applied_to_web_services
Another framework which has not been mentioned so far is Laravel. It's great for building PHP apps in general but thanks to the great router it's really comfortable and simple to build rich APIs. It might not be that slim as Slim or Sliex but it gives you a solid structure.
See Aaron Kuzemchak - Simple API Development With Laravel on YouTube and
Laravel 4: A Start at a RESTful API on NetTuts+
I know that this question is accepted and has a bit of age but this might be helpful for some people who still find it relevant. Although the outcome is not a full RESTful API the API Builder mini lib for PHP allows you to easily transform MySQL databases into web accessible JSON APIs.
As simon marc said, the process is much the same as it is for you or I browsing a website. If you are comfortable with using the Zend framework, there are some easy to follow tutorials to that make life quite easy to set things up. The hardest part of building a restful api is the design of the it, and making it truly restful, think CRUD in database terms.
It could be that you really want an xmlrpc interface or something else similar. What do you want this interface to allow you to do?
--EDIT
Here is where I got started with restful api and Zend Framework.
Zend Framework Example
In short don't use Zend rest server, it's obsolete.
Ok so yesterday I was working on a PHP API all day (2:30PM - 3:30AM CT).
The user/client/front end of the API can submit a filename or link to the API so it can view it, edit it, or delete it.
But that's a problem because if the user can do that that means they could edit or delete the website with the client.
So I'm wondering can I store a bunch of variables that are equal to links, so when the client submits, the API will see if that link is unauthorized or authorized
Could you do it like this
<?php
$myArray = array( //Unauthorized Links
$link1 => "http://example.com" //First Link
);
?>
Then check the links using $myArray?
If you need the API code I'll provide it.
use this code and it will work for you
<?php
$myArray = array(
1 => 'http://example-1.com',
2 => 'http://example-2.com',
3 => 'http://example-3.com',
4 => 'http://example-4.com'
);
foreach($myArray as $key => $value){
echo 'link '.$key.' = '.$value.' <br>';
}
?>
I'm looking for a more efficient, elegant and secure way to sort data displayed inside an HTML table. This is what I've come up with so far and it looks somewhat bloated / noobish.
I also thought of something like storing the sorting in a $_SESSION so I don't have to carry the currently selected order over to the next page "manually" within the URL. Maybe a "safe&simple" piece of JavaScript+PHP (but no frameworks please) would make sense? My thoughts go in circles for hours now.
<?php
$ro_arr = array(
"kid" => "kid",
"kwd" => "Keyword",
"cpc" => "ApproximateCPC",
"cmp" => "Competition",
"mov" => "MonthlyValue",
"gms" => "GlobalMonthlySearches",
"lms" => "LocalMonthlySearches",
"dfc" => "KeywordDifficulty",
"com" => "com",
"net" => "net",
"org" => "org",
);
if (!empty($_GET['ro']) && strlen($_GET['ro']) == 7 && array_key_exists($col = substr($_GET['ro'], 0, 3), $ro_arr)) {
$dir = (substr($_GET['ro'], 4, 3) == 'asc' ? "ASC" : "DESC");
$res_order = $res_arr[''. $col .''] ." ". $dir;
} else {
$_GET['ro'] = "kid_asc";
$res_order = "kid ASC";
}
?>
<!-- just for testing -->
<pre><?php echo $res_order; ?></pre>
<!-- done testing -->
<table>
<tr>
<td>Keyword</td>
<td>Comp.</td>
<td>Ad CPC</td>
<td>Value</td>
<td>Global Searches</td>
<td>Local Searches</td>
<td>Difficulty</td>
<td width="22">com</td>
<td width="22">net</td>
<td width="22">org</td>
</tr>
</table>
You can reduce the amount of code to almost a half if you'll use two parameters instead of one:
The parameter by which you're sorting: kid, com, net, org...
Order: asc, dsc
If your table isn't too large and you're not adverse to using jQuery, use tablsorter. Once you get into the thousands of rows, client side sorting can get a little unwiledy.
{"99.net":{"status":"regthroughothers","classkey":"dotnet"},
"99.org": {"status":"regthroughothers","classkey":"domorg"},
"99.mobi":{"status":"regthroughothers","classkey":"dotmobi"},
"99.name":{"status":"Invalid Domain Name","classkey":"dotname"},
"99.us":{"status":"regthroughothers","classkey":"domus"},
"99.com":{"status":"regthroughothers","classkey":"domcno"},
"99.info":{"status":"Invalid Domain Name","classkey":"dominfo"},
"99.co.uk":{"status":"available","classkey":"thirdleveldotuk"},
"99.biz":{"status":"Invalid Domain Name","classkey":"dombiz"},
"99.in":{"status":"Invalid Domain Name","classkey":"dotin"}}
I'm able to display the output with the following code:
$json1 = json_decode($response1);
foreach($json1 as $key=>$sel_rows)
{
echo $key ;
echo " status: ". $sel_rows->status." ";
echo " Class: ". $sel_rows->classkey." ";
echo "Price";
echo "<br>";
}<br>
Now, I need to sort it so that a table such as the following can be shown:
<table border="1">
<tr>
<td>.com</td>
<td>.net</td>
<td>.info</td>
<td>.org</td>
</tr>
<tr>
<td>ADD</td>
<td>ADD</td>
<td>ADD</td>
<td>ADD</td>
</tr>
</table>
I'm having trouble figuring out how to sort the response in a way that I can use to generate this table, using the response data to add tool tips to the ADD links (like dinakar.com).
$json1 = json_decode($response1, TRUE);
foreach($json1 as $key=>$sel_rows)
{
echo $key ;
echo " status: ". $sel_rows['status']." ";
echo " Class: ". $sel_rows['classkey']." ";
echo "Price";
echo "<br>";
}
It looks like you're not having a problem decoding the response, but rather normalizing it for what you need to display. To do that, you'll need to extract the TLD from the domain string, unless you know it ahead of time. Presumably you do, as it was used to request the response to begin with?
Anyway, the following code illustrates one way of getting it into an array suitable for you to pass to your view (or however you're doing it):
$response1 = <<< EOF
{"99.net":{"status":"regthroughothers","classkey":"dotnet"},
"99.org": {"status":"regthroughothers","classkey":"domorg"},
"99.mobi":{"status":"regthroughothers","classkey":"dotmobi"},
"99.name":{"status":"Invalid Domain Name","classkey":"dotname"},
"99.us":{"status":"regthroughothers","classkey":"domus"},
"99.com":{"status":"regthroughothers","classkey":"domcno"},
"99.info":{"status":"Invalid Domain Name","classkey":"dominfo"},
"99.co.uk":{"status":"available","classkey":"thirdleveldotuk"},
"99.biz":{"status":"Invalid Domain Name","classkey":"dombiz"},
"99.in":{"status":"Invalid Domain Name","classkey":"dotin"}}
EOF;
function get_tld($url) {
$host = parse_url($url);
$domain = $host['path'];
$tail = substr($domain, -7); // Watch out, gotcha! Be sure of this.
$tld = strstr($tail, ".");
return $tld;
}
$domains = array();
$json1 = json_decode($response1);
foreach ($json1 as $idx => $obj) {
$tld = get_tld($idx);
$domains[$tld] = array('tld' => $tld, 'status' => $obj->status, 'classkey' => $obj->classkey);
}
This is off the top of my head. The resulting $domains array looks like this (truncated for brevity):
Array
(
[.net] => Array
(
[tld] => .net
[status] => regthroughothers
[classkey] => dotnet
)
[.org] => Array
(
[tld] => .org
[status] => regthroughothers
[classkey] => domorg
)
Note, I'm not doing a whole lot of sanity here, but that should be enough to help you sink your teeth into it. You'd then just make your table head off the keys, and populate your add links with whatever information they need that was returned in the response.