I wrote a login code in PHP:
<form NAME="form1" METHOD="POST" ACTION="operation/validateLogin.php">
Username <br/><input name="username" type=text autocomplete="off"><br/><br/>
Password <br/><input name="password" type="password" autocomplete="off"><br/><br/>
<button class="btn btn-primary submit" type="submit">Sign In</button>
</form>
When I submit the form the credentials are sent to a validation file. If an error occurs the file sends the error message back to the login page:
header("Location: http://localhost/demoapp/login.php/?em=28");
I handle the 'GET' parameter and print the error message:
if (isset($_GET['em'])){
if($_GET['em'] == 28){$errorMessage = "Your username or password was incorrect.";}
}
Now the user needs to try to log in again by resubmitting the form, but the action of the form is:
operation/validateLogin.php
and the URL is now:
http://localhost/demoapp/login.php/?em=28
Therefore, when the form is submitted the url becomes:
http://localhost/demoapp/login.php/operation/validateLogin.php
When it should be...
http://localhost/demoapp/operation/validateLogin.php
How do you prevent this from happening to the URL?
The ACTION attribute of an HTML form can be set with a relative URL:
/operation/validateLogin.php
or
/validateLogin.php
It's actually recommended to work with relative URLs for HTML elements:
Absolute vs relative URLs
However, when working with PHP an absolute URL is your best option:
http://localhost/demoAPP/operation/validateLogin.php
The use of absolute URLs will relieve your code of accidental URL concatenation.
I had trouble recently figuring out which type of URL to use for certain situations, but this is what I've realized...
PHP (local/server language) = Absolute Local/Server Address
require "C:/dev/www/DEMO/operation/login/validateLogin.php";
include "C:/dev/www/DEMO/operation/login/validateLogin.php";
header("Location: http://localhost/demoapp/login.php/?em=28"); (redirect to a web address)
This may seem really simple but remembering this will save you a lot of troubleshooting time.
If you are using .PHP files, alter the URL in any way, and are not using absolute URLs you will most certainly receive errors.
Additional: You'll notice that you can use a web address for HTML attributes and not run into any problems. However, with PHP requires and includes you can only use local addresses. There is a reason for this limitation and it's all because of one important PHP setting...
https://help.dreamhost.com/hc/en-us/articles/214205688-allow-url-include
I have a form.
<form name="form1" method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
<p><label>User Name : </label>
<input id="username" type="text" name="username" /></p>
<p><label>Password : </label>
<input id="password" type="password" name="password"/></p>
<a class="btn" href="register.php">Signup</a>
<input class="btn register" type="submit" name="submit" value="Login" />
</form>
which uses $_SERVER["PHP_SELF"].
On submitting (POST) the data, the user's credentials are sent in plain text (shown below)
Whereas if I replace the $_SERVER['PHP_SELF'] with say a "check_login.php" there isn't a problem.
I used the acunetix scanner too which also says "User credentials are sent in clear text".
I need to use the $_SERVER['PHP_SELF'] but without the credential being shown.
The vulnerability alert you are receiving is being displayed because the web server is making use of HTTP rather than HTTPS when the client is sending the user credentials.
This would not have anything to do with your PHP form—regardless of how you implement it, the information is still being sent in clear text. Example:
POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com

uname=test&pass=test
You can see the uname and pass parameters being sent in plain text, where they can be intercepted and read by anyone.
For more information, I would encourage you to read the answer of the following question.
Whilst we're at it, you might also want to check out Let's Encrypt and Acunetix should you want to keep yourself extra secure ;-)
You are misunderstanding the problem, and misunderstanding $_SERVER['PHP_SELF'].
Firstly, your actual problem has nothing to do with $_SERVER['PHP_SELF'], nor with your form nor PHP. The problem is because your site is not secured with HTTPS. If you're using HTTP, then everything the browser sends or receives is sent in plain text and can potentially be intercepted. If you want your traffic to be secure then you need to use HTTPS instead. This is something you configure in your server, and is entirely separate from anything in your PHP code.
Secondly, you state "I need to use the $_SERVER['PHP_SELF']...". This is not actually true: you don't need to use $_SERVER['PHP_SELF'] in this context. $_SERVER['PHP_SELF'] is a global variable in your PHP program that contains the address of the current page. So if you visit userinfo.php within your site, then the $_SERVER['PHP_SELF'] will contain /userinfo.php. This is the value that you're putting into the form's action attribute. That's fine, but understand that you don't actually need it in this context, because the default value of action is to submit the form back to the current page. In other words, your form will work exactly the same if you omit $_SERVER['PHP_SELF'] entirely. This isn't in any way related to your security warning, but I felt it was important to clarify what's going on here, to help you understand that $_SERVER['PHP_SELF'] isn't some magical thing that makes the form work; it's just a string variable with a pagename in it.
Hello I have a web page where users can view and edit their application information. I have an Edit button. When a user clicks on this button it takes him to an edit page. Here is my code:
<form name="form3" method="post" action="pages/application_edit.php?id=<?php echo "$id[0]";?>&pwd=<?php echo "$pwd";?>">
<input type="submit" name="Submit" value="Edit Application" class="button">
</form>
After a click the user sees this URL: http://website.com/pages/application_edit.php?id=1&password=Flower1
How can I hide the password from the URL?
Instead of sending the values as $_GET values, send them as $_POST values to that PHP page.
<form method="POST" action="pages/application_edit.php"> <!-- no need for the URL query string -->
In the PHP file
<?php
$user_id = $_POST['id']; // similar to how you'd use $_GET
....
Although the way you're approaching this is wrong, you shouldn't be passing these values between pages. At the very least your username/id should be stored as a session variable and information should be accessed when required from a database.
Either way, that's how you can send them without having them "visible".
It seems you lack session control routines.
You should manage all private options of your application (the ones you are able to perform only - and just only - when you are logged in) inside a session to avoid exposing user credentials.
You can start learning about it here.
Also, consider encrypting your HTTP requests using an SSL certificate.
I developed a web crawler to search for certain tags on my company's websites to make sure they are live, have Google analytics, blah blah. However, my company has close to a hundred websites so the actual crawl process is literally a crawl. So I wanted to create a form where the user inputs a web address of one of our companies and it only crawls that one website. I am not good with forms, so what I basically want the form to do is store the URL the user inputs then redirect to a different page where the URL is given to the crawler and the results are shown.
Here is basically what I have so far, not much, I am having trouble redirecting to a different page and storing the URL variable so I can pass it to the crawler code that I have.
<div id="main-content" class="mc-left"> <div class="entry"> <div style="position:absolute; margin-left:520px; height:25px; width:120px; font-size:10px;"> </div>
</div>
<h2><?php the_title(); ?></h2>
<form name="form1" id="form1" method="POST" action="submitcrawler.php">
<div class="hiddenfields">
<p>Website Address:<br>
<input name="websiteaddress" type="text"></p>
<input type="submit" class="submit" name="submit" value="Submit">
</form>
As you can see I want this form to bring me to submitcrawler.php. However, when I create that PHP file and hit submit, it brings me to the current slug (../crawler-2/submitcrawler.php instead of ../submitcrawler.php), so it throws up a 404 error.
The form is submitting to 'submitcrawler.php' in the same folder as the file that you're looking at, so if it's in /crawler-2/ then that's where it's looking.
Use ../ if you want to ascend to the directory above, or probably better, use / and enter the path to the file from the web root (the top directory viewable by Apache / the web server).
So
<form action="../submitcrawler.php">
or
<form action="/submitcrawler.php">
For the functionality that you're looking for, you could try using method="GET". That way, you can see the information that is being passed to the other PHP script in the URL.
Then simply retrieve the information in the other PHP script:
if(isset($_GET['websiteaddress'])) {
$websiteaddress = $_GET['websiteaddress'];
} else {
echo "No web address was received.";
}
In terms of the form action attribute, you need to use an absolute path if the scripts will both be static, otherwise if the scripts are dynamic and may change locations on the servers, then use relative paths.
Path Info:
http://en.wikipedia.org/wiki/Path_%28computing%29
http://webdesign.about.com/od/beginningtutorials/a/aa040502a.htm
If the file you're talking about is under crawler-2 directory it will submit the form to that file unless you use a relative path ../submitcrawler.php
The action you have set on that form will send it to submitcrawler.php in the same directory as the current script. Try changing the action to ../submitcrawler.php, or alternatively set it to the absolute url of the script (http://mydomain.me/submitcrawler.php)
You used a relative path in your post action value. If for example your crawler script is in your webroot you should use action="/submitcrawler.php". If not you can do something like action="/path/to/submitcrawler.php"
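Both the login question and the crawler question above come down to how a browser resolves a form's action against the URL of the page that contains the form. The following is an added example, not code from any of the posts; the function names and the example.test host are assumptions, while the other URLs are the ones quoted in the questions.

```javascript
// Added example: function names are hypothetical.

// Resolve a form's action the way a browser does: relative to the URL of
// the page that contains the form.
function resolveAction(pageUrl, action) {
  return new URL(action, pageUrl).href;
}

// Classify an action value by how much of the page URL it depends on.
function classifyAction(action) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(action)) return 'absolute';
  if (action.startsWith('//')) return 'scheme-relative';
  if (action.startsWith('/')) return 'root-relative';
  return 'document-relative';
}

// Report where the form would submit from each page URL, and whether the
// target is the same for all of them.
function auditAction(action, pageUrls) {
  const targets = pageUrls.map((page) => resolveAction(page, action));
  return {
    action,
    kind: classifyAction(action),
    targets,
    stable: new Set(targets).size === 1,
  };
}

// The login page reached normally, and after the redirect that put a
// slash behind login.php (extra path info).
const LOGIN_PAGES = [
  'http://localhost/demoapp/login.php',
  'http://localhost/demoapp/login.php/?em=28',
];

const fragile = auditAction('operation/validateLogin.php', LOGIN_PAGES);
const fixed = auditAction('/demoapp/operation/validateLogin.php', LOGIN_PAGES);
// The crawler form: the page lives under /crawler-2/ (host is constructed).
const crawler = auditAction('submitcrawler.php', [
  'http://example.test/crawler-2/',
]);

console.log(fragile, fixed, crawler);
```

A document-relative action is only as stable as the directory part of the page URL, so removing the stray slash from the redirect target (login.php?em=28 rather than login.php/?em=28) also makes the original action resolve correctly.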
I've got a form on my website's homepage that contains a box for a user to enter a member's name. From there the form currently submits to a PHP script which just calls Header('Location: blah'); and then directs them to /search/username/.
Would it be worth it (I'm assuming so) doing that redirection in JavaScript so that it directs them straight to /search/username? If so, how would I go about redirecting with JavaScript, just plain old window.location = "http://www.google.com/"?
Server side is always the better method, as it's more difficult to bypass than the client-side method.
Be sure to add exit function after redirection using header.
ob_clean();
header('Location: target.php');
exit();
To do it in JavaScript, you could:
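<input id="username" type="text" />
<!-- encodeURIComponent keeps characters such as "/", "?" and "#" in the name from changing the URL -->
<input type="button" value="Search" onclick="window.location='/search/'+encodeURIComponent(document.getElementById('username').value)" />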
You could add some validation to the event as well.
Would it be worth it
That depends on your specific situation. If your server is getting 100's of these requests a second, then sure. Otherwise, it really doesn't matter which way you do it.
I enabled URL rewriting on my PHP site with Apache (http://example.com/index.php?param=12 becomes http://example.com/index/param/12).
I have a few forms which are in GET instead of POST.
After submitting the form, the resulting URL is not rewritten.
Is it possible to keep rewritten URLs after submitting a GET form?
UPDATE: I found this article on the topic http://matthewjamestaylor.com/blog/how-to-post-forms-to-clean-rewritten-urls but I really don't like the idea of redirecting to rewritten URL. Is there really no way to keep rewritten URLs without redirecting?
UPDATE 2: Here is an example of what I'm trying to do.
Let's say I have a simple form like this:
<form method="get" action="">
<fieldset>
<input type="text" name="q" />
<input type="submit" value="Search" />
</fieldset>
</form>
and let's say my url is http://example.com/index/param/12
After submitting the GET form, the url becomes http://example.com/index/param/12?q=my-input-text, while I would like to get a rewritten url like http://example.com/index/param/12/q/my-input-text
Seems like if you want your form to go directly to /q/my-input-text you should use JavaScript to make that happen on the form's onSubmit.
Apache mod_rewrite only processes incoming (request) URLs - it has no control of the URLs you generate in your PHP scripts. This is something you should take care of yourself.
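The JavaScript redirect to /search/username and the onSubmit suggestion for the rewritten GET form both place user input into the URL path, so the value has to be encoded as a single path segment. The following is an added example, not code from any of the answers; appendSegments and attachCleanSubmit are hypothetical names, and it assumes the server's rewrite rules map /name/value segments back to parameters as the question describes.

```javascript
// Added example: function names are hypothetical.

// Append raw values to a path as individual segments.
// encodeURIComponent escapes "/", "?", "#" and spaces, so a value cannot
// add segments or start a query string. It does not escape dots, and URL
// parsers treat "." and ".." as navigation even when written as "%2e",
// so those values (and empty ones) are rejected instead of encoded.
function appendSegments(basePath, rawSegments) {
  const encoded = [];
  for (const raw of rawSegments) {
    const s = String(raw).trim();
    if (s === '' || s === '.' || s === '..') return null;
    encoded.push(encodeURIComponent(s));
  }
  return basePath.replace(/\/+$/, '') + '/' + encoded.join('/');
}

// Browser wiring: intercept the GET form's submit and navigate to the
// path-style URL instead of letting the browser append ?q=...
function attachCleanSubmit(form, basePath) {
  form.addEventListener('submit', (event) => {
    event.preventDefault();
    const segments = [];
    for (const el of form.elements) {
      if (el.name && el.type !== 'submit') segments.push(el.name, el.value);
    }
    const target = appendSegments(basePath, segments);
    if (target !== null) window.location.assign(target);
  });
}

// Only runs in a browser; under Node there is no document object.
if (typeof document !== 'undefined' && document.forms.length > 0) {
  attachCleanSubmit(document.forms[0], window.location.pathname);
}
```

The server still has to validate the decoded value, since a client can request any URL directly without going through the form.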