my php script creates for some reason a super long new URL.
My original URL looks like this
http://someserveryoudon'tneedtoknow/index.php
And this is what I get after running the script.
http://someserveryoudon'tneedtoknow/index.php?vorname=and&nachname=andasd&ort=asd&email=asd&sonstiges=+Bitte+nur+ausfuellen+wenn+%27Sonstiges%27+ausgewaehlt+wurde+&sonstiges=&sonstiges=&sonstiges=&sonstiges=&sonstiges=
The script is about typing some data in some windows. And the weird words standing in the long URL are german words. Maybe important about them is that they are used in my script as messages standing in some textboxes. And some of them are variables.
Do you know what I can do to make php stop this? (At least I guess it's php's fault)
Yanakin
These are GET parameters. You should use POST to avoid this. POST is recommended anyway.
Reasons why you should use POST
It's secure
These parameters can be stored anywhere. POST doesn't store parameters in the URL. It sends the parameters in data. It can possibly stop some attacks.
GET /signup.php?username=john&password=johnny1234567890 HTTP/1.1
or
POST /signup.php HTTP/1.1
username=john&password=johnny1234567890
What seems better?
It's stored all on your computer. In your browsing history. Everywhere!
It's shorter
Not everyone wants to see https://example.com/signup.php?username=john&password=johnny1234567890&confidentialstuff=105650970950940 in the URL.
it looks like you pass data using get parameter. so that is why your url have a data like email is asd and so on..
Related
please i've been searching for a week now and i'm stuck .
I have a web app that send using xmlhttprequest in javascript to send value to be passed like a parametres in url like this :
xmlhttp.open("GET","http://127.0.0.1/filename/name.php?q="+value,true);
xmlhttp.send();
but if any one who get to know the url can change that value with any thing he want, I've allready implement the sql injection in the php files using : real_escape_string
but i need to crypt the value in the url , how can i do it ? i want to use ssl , but i didn't find aything on google , please dont give me a bad marks i really need answers
You can use POST.
Look here how to do that:
http://www.openjs.com/articles/ajax_xmlhttp_using_post.php
If the data is sensitive and shouldn't be accessible to the user, you shouldn't be using JavaScript to handle it. JavaScript runs on the client and so is at its mercy.
There's nothing you can do to stop people requesting a URL, so the only thing you can do is not display the content when people inevitably do. Put some logic in name.php that figures out whether the person requesting the file has access to download it. If they don't, simply display an error.
I have a page like this. User write an URL into a form and submit. Once the URL is submitted, I connect that page with CURL, search for a string. If it finds the string, it adds URL into our database. If not, it gives an error to user.
I sanitize URL with htmlspecialchars() also a regex to allow A-Z, 1-9, :/-. symbols. I also sanitize the content retrieved from other website with htmlspecialchars() also.
My question is, can they enter an URL like;
www.evilwebsite.com/shell.exe or shell.txt
Would PHP run it, or simply look for the HTML output? Is it safe as it is or if not, what should I do?
Thank you.
Ps. allow_url_fopen is disabled. That's why I use curl.
I don't see why htmlspecialchars or a Regex would be necessary here, you don't need those. Also, there is no way that PHP will "automatically" parse the content retrieved using cURL. So yes, it is save (unless you do stuff like eval with the output).
However, when processing the retrieved content later, be aware that the input is user-provided and needs to be handled accordingly.
curl makes a request and to a server and the server sends back data. If there were an executable file on a web server you'd get back the binary of the file. Unless you write the file to your disk and execute it there should be no problem. Security in that sense should not be an issue.
HEllo I have this URL I need to get with PHP
http://www.domain.com/forum/#forum/General-discussions-0.htm
The problem is this is not a real URL, but this the mask created by the .htaccess.
I need to get the visible URL and not the real path of the file, because I need to compare it with some PHP variables I have.
In fact the real path will look like this:
http://domain.com/modules/boonex/forum/index.php
And in that way is totally useless for me.
How do I get the first URL as it is?
You can't get that from http://www.domain.com/forum/#forum/General-discussions-0.htm. Everything after the fragment (#) is not even send to the server, there is no way to retrieve it save for a delayed update with javascript. All you'll get it is http://www.domain.com/forum/ send to the server, and on the onload event of your document you can possibly load something in with javascript.
Look into the source code or it may not have real urls at all. The part is for ajax based navigation. It may mean that there are no real urls on that site and if there are then they should be extracted from <a href="someurl"> as they might masked using javascript.
With
file_get_contents();
for example. Neither user nor your server mind about .htaccess
It's server proccessing the request who have to direct you to correct address
however php does ignore everything after #, so in this case you have no chance to get it without real url
As #Wrikken said, there is no way to get url after # fragment
I have Javascript updating my URI as below:
/index.php?page=list#page=news
But I would like to make page=news accessible somehow from my server so that when the URI is copied and pasted, it would go to the news page. What is the best way to do this?
I tried $_SERVER['REQUEST_URI'] but everything stored in $_SERVER is before the hash tag.
You can't. That data, called the fragment, is reserved for client side processing and thus is never sent to the server.
The only way to utilize the fragment is to have Javascript intervene at some point. This probably means checking for a hash-tag on the page onload, and then displaying the proper data.
You could make your entire page loaded via Javascript. While it would kill compatability for anyone who turned off Javascript, it would ensure that the hash tag eventually gets sent to PHP
Basically, it would look something like this:
PHP Sends Page
Javascript reads the hastag
Make a URL with a hashtag parameter (loader.php?page=list&page=news)
(Note that in the above, page=list wil be overriden by page=news, so $_GET['page'] will be news.
AJAX call to PHP
Load the content into a div.
(And this question is very much a duplicate question)
I'm trying to store a url such as:
http://localhost/pro_print/index.php#page=home
in a variable, but I can't find a function that does that. I found plenty of solutions to store the index.php, but it doesn't include the hashmark and what follows it. Is there a PHP solution for this?
I did see that I can get the full url including hashmark with javaScript using document.write(document.url) or document.write(location.href) but how do I store that into my variable? Is there any way I can combine PHP with javaScript in some sort of solution like this?
<?php $url ="?><script>document.write(document.url)</script><?php "?>
The fragment identifier (the # and everything that appears after it) is handled entirely client side, and is not sent to the server when the URI is requested.
To make it available to PHP, you would have to:
Allow the page to load
Read the location with JavaScript
Send it to the server using an Ajax technique (e.g. XMLHttpRequest) or in a subsequent request
This won't make it available to the server at the time the original script runs, but nothing else can.
An alternative approach would be to duplicate the information in the fragment identifier somewhere else in the URI (e.g. the query string). This is used by this site when submitting an answer.