I am writing PHP code for my hosting web page.
I created a domain search field on the page that uses $_GET to check if a domain is available. I need to protect my $_GET function in the code.
The $_GET code to process the domain search:
if(isset($_GET['search'])){
$domena = ($_GET['search']);
}
HTML CODE
I have a submit button with FORM POST ACTION and I get the URL:
www.domain.com/index.php?search=domain.com
I need to know if I can hide the URL search=domain.com
Note - I don't want to use AJAX or other language, just PHP.
If you want to hide the search parameter, then send it by the POST method and accept it by $_POST instead of $_GET.
if(isset($_POST['search'])){
$domena = ($_POST['search']);
}
Have you thought about using the $_POST method? The data sent from the user will be in the HTTP request and not in the url. The $_GET method would be posted in the url.
Mozilla does a good job explaining this.
Make sure to specify method $_POST in your form. For example:
<form action="http://foo.com" method="post">
<input name="say" value="Hi">
<input name="to" value="Mom">
<button>Send my greetings</button>
</form>
Then to retrieve your data, use the same code you posted in your question but change $_GET to $_POST
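Moving the parameter from $_GET to $_POST only keeps it out of the address bar; the value is still user-controlled. As an added example (not code from the question or the answers), one way to validate the submitted domain before using it and to escape user input on output. The helper name normalize_search_domain and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example; normalize_search_domain() is a hypothetical helper.

// Returns a lower-cased hostname, or null if the input is not a plausible
// domain name of the form "name.tld".
function normalize_search_domain($raw): ?string
{
    // $_POST['search'] is an array when the client sends search[]=...
    if (!is_string($raw)) {
        return null;
    }
    $domain = rtrim(strtolower(trim($raw)), '.');
    if ($domain === '' || strlen($domain) > 253) {
        return null;
    }
    // FILTER_FLAG_HOSTNAME restricts labels to letters, digits and hyphens.
    if (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }
    // A searchable domain needs at least one dot.
    if (strpos($domain, '.') === false) {
        return null;
    }
    return $domain;
}

// Constructed sample values standing in for $_POST['search'].
$samples = ['Domain.com', ' example.org. ', 'localhost', 'bad_name.com',
            '"><b>x</b>.com', ['domain.com']];

foreach ($samples as $raw) {
    $domena = normalize_search_domain($raw);
    // Raw input is escaped before it is echoed back to the page.
    $shown = htmlspecialchars(json_encode($raw), ENT_QUOTES, 'UTF-8');
    echo $shown, ' => ', $domena ?? 'rejected', "\n";
}
```

In the form handler, call normalize_search_domain($_POST['search'] ?? null) and run the availability check only when the result is not null.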
Loaded page from JavaScript. Tested for GET & POST. Only GET set, as expected;
window.location.href = "medications_edit_revised.html?recordId="+id ;
Retrieved and used the data from the GET[]
Reloaded page from SUBMIT as shown below.
<form method="post" action="">
<table id="detailsDivTable">
<?php
$editClass->selectTheRecord();
?>
</table>
<fieldset name="Group1">
<legend>Group box</legend>
<input name="saveButton" type="submit" value="Save" />
<input name="deleteButton" type="submit" value="Delete" />
<input name="cancelButton" type="submit" value="Cancel" />
</fieldset>
</form>
Tested GET[] & SET[]
if (isset($_GET['recordId']) ) {
$recordId = $_GET['recordId'];
require_once "medications_edit_revised.class.php";
$editClass = new editRevisedClass($DBH, $recordId);
}
if(isset($_POST['saveButton'])) {
Both tested TRUE. Is this normal behavior? I expected the GET[] would have been cleared when the form was POSTed.
If yes, is there a way to clear the GET before sending the SUBMIT?
Thanks
When you set the URL like this:
window.location.href = "medications_edit_revised.html?recordId="+id ;
You have set URL params. Then when you do this:
Reloaded page from SUBMIT as shown below.
<form method="post" action="">
Because the action is empty it'll retain the URL parameters, because that's what empty and (eg) $_SERVER['PHP_SELF'] do - they send to the current URL, params and all.
You already know the URL so just set it as needed:
action="medications_edit_revised.html"
You seem to be confusing POST/GET requests and the PHP $_POST and $_GET superglobal variables.
PHP will populate $_GET with data in the query string of the URL the request was made to.
PHP will populate $_POST with data in the request body of a POST request if that data is encoded using a supported encoding.
It doesn't matter if the request was caused by JavaScript, a form submission, or something else.
Is this normal behavior?
Yes
If yes, is there a way to clear the GET before sending the SUBMIT?
Submit the form to a URL which does not have a query string.
The URL the form is submitted to will be specified by the action attribute.
If you don't have an action attribute, it will be submitted to the URL of the current page. If that URL has a query string, then so will be the URL that the form is submitted to (and thus $_GET will be populated).
If you want to avoid that, then specify the action explicitly.
Can you please paste some of your code?
If you use GET to receive your variable, it gets it from the URL: example.com?name=jesper&lastname=kaae
The difference is:
GET requests a representation of the specified resource. Note that GET should not be used for operations that cause side-effects, such as using it for taking actions in web applications. One reason for this is that GET may be used arbitrarily by robots or crawlers, which should not need to consider the side effects that a request should cause.
And
POST submits data to be processed (e.g., from an HTML form) to the identified resource. The data is included in the body of the request. This may result in the creation of a new resource or the updates of existing resources or both.
You can read more about them here
Suppose my Form codes look like this
URL : localhost/my-url.php
<form action="hello.php">
...bla bla bla
</form>
I will process the data in hello.php and I want to redirect the user to the same URL after processing (according to the above example)
localhost/my-url.php
I know we can use header but I don't know how to get the URL from which the form was submitted :(
Googled but didn't find anything useful.
Thanks.
Add a hidden value in your form:
<input type="hidden" name="lastUrl" value="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'); ?>" />
You now have the URL in $_POST['lastUrl'] data. You need to do it that complicated because $_SERVER["HTTP_REFERER"]; is sent by the browser, and not all of them do this reliably.
You should put a hidden field in your form and set its value to current page url.
Then you submit the form and get the value of hidden field.
Then you can redirect user to hidden field (which is actually a URL of the page where you are submitting form) by using javascript or php.
You can use the
$_SERVER["HTTP_REFERER"];
to get the original URL where the form was posted from.
Remember to escape it, if you use it however.
Alternatively, you can process the form using AJAX, send process things (redirection) client-side.
Note that form data can be changed and intercepted if you wish to send the URL of the page as form data.
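Both the hidden lastUrl field and the Referer header are supplied by the client, so the value has to be checked before it goes into a Location header. As an added example (not code from any of the answers), one way to accept only local paths as the return target. The helper name safe_return_path, the fallback /my-url.php and the sample values are assumptions made for illustration.

```php
<?php
// Added example; safe_return_path() is a hypothetical helper.
// Assumption: the form page is on the same site, so only local paths
// such as "/my-url.php?x=1" are valid return targets.
function safe_return_path($candidate, string $fallback = '/my-url.php'): string
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Reject control characters (header splitting) and backslashes
    // (browsers treat "\" like "/" in URLs).
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    // Must start with exactly one slash: "//host" is a protocol-relative
    // URL and anything else is relative or absolute to another origin.
    if ($candidate[0] !== '/' || (isset($candidate[1]) && $candidate[1] === '/')) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values standing in for $_POST['lastUrl'].
    $samples = ['/my-url.php', '/my-url.php?page=2', '//other.example/x',
                'https://other.example/', "/a\nb", '/\\other.example', ['/x']];
    foreach ($samples as $v) {
        echo json_encode($v), ' => ', safe_return_path($v), "\n";
    }
} else {
    // In hello.php, after the form data has been processed:
    header('Location: ' . safe_return_path($_POST['lastUrl'] ?? null), true, 303);
    exit;
}
```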
I have an https page named user.php that gets data and posts it to another https page, receiving.php. My problem is that whenever I submit my data for posting, receiving.php displays a server error. I have read articles about cURL but I don't have a clear picture of the syntax.
user.php
<form action="https://www.mydomain.com/ssl/receiving.php">
<input type="text" name="variable" />
<input type="submit" name="buttonName" />
</form>
receiving.php
if(isset($_POST["buttonName"]))
{
$variable=$_POST['variable'];
}
You want to add method="POST" to your form tag. By default it'll submit through GET. If that doesn't work, try var_dump($_POST) in receiving.php to see exactly what's coming through. cURL is mainly for when you want a script to make a request to a server on its own. A form submit shouldn't need to worry about cURL.
What error are you receiving though? This shouldn't display an error as your isset() should just return false.
You need to use the $_GET method instead of $_POST because $_GET is a method that displays your request in the form in the URL, while $_POST, for security reasons, is just getting data from the form and not displaying the actions you've requested.
<form action="https://www.mydomain.com/ssl/receiving.php">
If you want to use $_POST, you need to set your form method to method="POST"; by default your form method is "GET".
So instead of using $_POST, you need to use $_GET in your case.
I have a simple php test page as follows
<?php
if(isset($_POST['hitme']))
{
echo "hello world";
}
?>
I'm hitting this page as, http://www.abc.com/page.php?hitme=true but this is not echo'ing anything. Is something wrong with this?
Use $_GET['hitme'], not $_POST, since you passed the value in the query string. $_POST would hold values sent via a <form method='post'>, but not values passed in the query string.
if(isset($_GET['hitme'])) {...}
It's recommended to read about the differences between PHP's superglobal arrays.
$_POST only contains variables which are posted to the page as part of an HTTP POST request. If you are typing the address into your browser's address bar, you're issuing a GET request, not a POST request, and no variables will be set in $_POST. Even if you are issuing a POST request, variables specified on the query string will still only be available inside $_GET, so for this example you're using the wrong array either way.
You must use $_GET instead of $_POST when it's in the URL
If it's in the URL, e.g. http://example.com/index.php?hitme=true, it's in $_GET.
However, if you want it to be in $_POST, you'd have to do something like this (very basic example):
<form method="post" action="page.php">
<input type="checkbox" name="hitme" value="true" />
<input type="submit" value="Post data!" />
</form>
This script will allow the user to check it if wanted, and then click "Post data!".
However, it won't be in $_POST as long as the user didn't click the button.
As for $_GET, it will be there as long as it's in the URL.
Or you can use $_REQUEST['hitme'], this one will check both $_POST['hitme'] and $_GET['hitme']
I understand that I am able to use the POST method for URL parameters to display data according to a specific variable, I know how to make use of the GET method - but I am told that the POST method can be used to hide the part of the URL that is like this.
/data.php?parameter=1234
What is the actual difference of the two methods in terms of URL parameters?
Below is some code that fetches data from a database according to the id of a specific link
<?php
//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');
//This is the actual interaction with the database, according to the id.
$query = mysql_query("SELECT * FROM table WHERE id=" .$_GET['id'] . ";") or die("An error has occurred");
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if( mysql_num_rows($query) < 1 )
{
header('Location: 404.php');
exit;
}
//Here each cell in the database is fetched and assigned a variable.
while($row = mysql_fetch_array($query))
{
$id = $row['id'];
$title = $row['title'];
$month = $row['month'];
$day = $row['day'];
$photo = $row['photo'];
$text = $row['text'];
}
?>
On a separate page I generate links to the data.php file according to the ID like so:
<?php echo $content['title']; ?>
Forgetting that there are potential SQL injections that can occur through the above code, how would I go about making use of the POST method in order to hide the URL parameters, or at least not display them like this:
http://example.com/data.php?id=1
In order to use POST, you will need to use a <form> tag, and depending on how you are pulling up these URLs, it could be easier to use javascript to help out. Here's a basic example:
<form method="post" action="data.php">
<input type="hidden" name="parameter" value="1234" />
<input type="submit" value="Go" />
</form>
The Go button would POST the form data, and now in data.php you will be able to retrieve the value from $_POST['parameter']. Note that when using POST, you will probably want to redirect (HTTP 302) back to a page so that when a user hits the back button, the browser doesn't prompt to resubmit the form.
Using javascript, you could set the parameter input to a different value before posting the form.
Use method "POST" for your form. I had the same issue, just adding POST to the form removed the parameters from the URL
<form id="abc" name="abc" action="someaction.php" method="post">
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>
<input type="submit" id="submit" name="submit" value="submit"/>
</form>
To POST values, a browser would have to use a form with method="post", or javascript simulating a form. Various developer tools (Firebug, etc) can convert GET forms to POST forms, but generally, a form is what is required.
In theory GET requests should not have any side effects, and "should" be consistent from request to request. That is, the server should return the same content. In today's world of just about everything being dynamic, this might be of little practical design significance.
Whether you use GET or POST, the parameters will appear in $_REQUEST. The critical difference is that using POST allows the variables NOT to appear in URL history. This decreases the visibility of data such as passwords which you do not want to show up in URL history. To use POST instead of GET, simply produce <form method="POST" ...> in the document.
Even better is to store sensitive values (like user ids) in cookies, so that they don't appear in $_REQUEST at all. Since the contents of cookies are provided in extra HTTP request headers, not in the content, they are generally not stored as part of the history.
In order to use POST instead of GET, you would need to use an HTML form tag in your html, like so:
<form method="POST" action="/data.php">
<input type="hidden" name="parameter" value="1234" />
<button type="submit">Submit</button>
</form>
When submitted, your URL will just be /data.php and parameter=1234 will be in your (hidden) post buffer.
Make sense?
To do a POST, you have to use a form, or some javascript/ajax trickery. An <a> will only ever cause a GET request.
Note that POST requests can still have query parameters in the URL. It's not "normal" to have them, but they are allowed. The main difference being that with a GET request (ignoring cookies), the URL is the ONLY way to send parameters/data to the server. With POST, you can use both the URL, and the body of the POST request, which is where POSTed form data is normally placed.
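POST keeps the id out of the address bar, but the value still reaches the query unchanged, whichever superglobal it is read from. As an added example (not the asker's code), the lookup from data.php with the id validated as an integer and bound through a prepared statement. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL connection, and the table name entries, the helper names and the rows are constructed for illustration.

```php
<?php
// Added example; open_sample_db() and fetch_entry() are hypothetical helpers.
function open_sample_db(): PDO
{
    // In-memory SQLite stands in for the real MySQL connection (assumption).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT, text TEXT)');
    $pdo->exec("INSERT INTO entries (id, title, text)
                VALUES (1, 'First', 'Hello'), (2, 'Second', 'World')");
    return $pdo;
}

// Returns the row for a request-supplied id, or null when the id is not a
// positive integer or no row matches. The same check applies to $_GET and
// $_POST input.
function fetch_entry(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The id is bound as a parameter and never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT id, title, text FROM entries WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_sample_db();

// Constructed values as they could arrive in $_POST['id'] or $_GET['id'].
foreach (['1', '2', '99', '1 OR 1=1', ['1']] as $raw) {
    $row = fetch_entry($pdo, $raw);
    printf("%-12s => %s\n", json_encode($raw), $row ? $row['title'] : 'rejected or not found');
}
```

In data.php the call would be fetch_entry($pdo, $_POST['id'] ?? null), with the redirect to 404.php taken when it returns null.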