I am trying to sanitize my GET variables but Accuntrix is still complaining for some reason.
So I visit a page and the URL contains parameters. I pass these parameters between pages. To do this I do
something like the following
<a class="navbar-brand" href="https://someDomain/someFolder/someFile.php?WT.var1=<?php echo $_GET['WT_var1']; ?>&var2=<?php echo $_GET['var2']; ?>&var3=<?php echo $_GET['var3']; ?>&var4=<?php echo $_GET['var4']; ?>" title="logo"><img src="logo.png"></a>
I have lots of links like this on the page, and when I first ran the page it was vunerable to cross site scripting because
I was not sanitizing the GET requests. So at the top of the page, I put
<?php
$_GET['WT_var1'] = htmlspecialchars($_GET['WT_var1']);
$_GET['var2'] = htmlspecialchars($_GET['var2']);
$_GET['var3'] = htmlspecialchars($_GET['var3']);
$_GET['var4'] = htmlspecialchars($_GET['var4']);
?>
Initially, this seemed to work. But I have recently run another scan, and every single link like the above shows up as a high.
The details look something like this
URL encoded GET input WT.var1 was set to 1}body{acu:Expre/**/SSion(prompt(926954))}
The input is reflected inside a text element.
And the exploit looks like this
/someFolder/someFile.php?WT.var1=1%7dbody%7bacu:Expre/**/SSion(prompt(941830))%7d&var2=&var3=&var4=
Is that not showing a sanitized url though? Is this something I need to fix or is it a false/negative?
Thanks
htmlspecialchars() encodes your variable for output as content in an html page. If you need to pass your variables through the url, you need urlencode(().
So for example:
...someFolder/someFile.php?WT.var1=<?php echo urlencode($_GET['WT_var1']); ?>&var2...
Related
i tried to find a solution for my problem for 2 hours now, but i don't know why my code does not work.
I have a sql output which looks like this:
function output(){
while($row = $this->statement->fetch()) {
$id = $row["id"];
echo '
<tr>
<td>'.$row["comname"].'</td>
<td>'.$row["district"].'</td>
<td>'.$row["industry"].'</td>
<td>"Details"</td>
</tr>
<br>
';
}
If someone click on the link "Details" i want to give out more information about that specific company. Therefore i save the id in the url to identify which company was clicked.
To check if the Details link was clicked, i wrote this:
Edit: just added the "$id = $_GET['details']" after your hints, it looks like this now:
if (isset($_GET['details'])){
$id = $_GET['details'];
echo $id;
}
}
When i click on the link "Details" it changes the URL correctly, but it doesn't print the id. (I don't only want to print the id, i just do this to check the functionality.) Why does my code not work? Is there a second "$GET" i have to use? I really don't know what is going on.
Edit: The php-code ends here, there is nothing i do afterwards.
Edit2: I tried print_r($_GET) and it looks like, the id is not even in the $GET-Array. Also the if (isset($_GET['details'])) statement is not executed.
Thank you!
You should print the $_GET['details']:
if (isset($_GET['details'])){
echo $_GET['details'];
}
Or put it in a variable:
if (isset($_GET['details'])){
$id = $_GET['details'];
echo $id;
}
$_GET[] is just an array of all GET parameters in the URL. You see them for example on https://www.google.com?q=stack+overflow where the parameter q is set to stack+overflow. So if you would echo out $_GET["q"] on that URL you would get stack+overflow. You can store it in a variable like $id and echo it out, but you need to set it first like $id = $_GET["details"];
EDIT: I just realized the code you have now is vulnerable to an attack called XSS or HTML Injection. Since we can specify the $_GET["details"] and so $id that is being echoed, an attacker can put HTML code or the <script> tag in there to execute dangerous JavaScript code on everyone that accesses the URL.
Luckily, there is an easy fix: just put the function htmlspecialchars() around whatever user input you echo. The echo you have here would become echo htmlspecialchars($id);
I've just designed my first form in HTML and a PHP page to display the results. In the form the user inputs some codes in response to some questions, a bit like a multiple choice, so for example, these are "ABC". The PHP page displays the code to the user as a link, which when clicked will go to a bookmark (a link within the same page) with the ID #ABC. This was achieved with simple manipulation of the PHP variable as follows:
<?php
$code = "ABC"
$part1 = '<a href="mywebpage.php#';
$part2 = '">Go to this code</a>';
$string = $part1.$code.$part2;
echo $string;
?>
(i.e. Link in the page says "go to this code" and when clicked will go to section with bookmark ABC)
This all works fine, but I simply need to know if there is a way of error trapping so that if a bookmark does not exist for the code entered, a message can be displayed to the user instead? Can this be done using the PHP variable, or do I need to use JavaScript? One work around may be to search the web page for the ID "#ABC'. Is it possible to do this? Another option would be to store an array of valid codes on the server then query this before setting the bookmark, but I want to keep it as simple as possible. Any help appreciated, thanks.
What you call a "bookmark" we call a hash. And when you say "go to a bookmark" you mean a hash change. Hash changes do not make an additional request to the server, it is all handled on the client-side, therefore this must be done with JavaScript and not PHP.
So let's just do some simple JavaScript on hash change window.onhashchange that will search for an element with that ID and if it's not found alert something.
window.onhashchange = function(){
if(!document.getElementById(location.hash){
alert("not found");
}
}
I have a URL like given below
http://mydomain.com/wrt/search.php?org=125&assignedto[]=NULL&Search=req_assigned_to&state[]=New&state[]=Pending%3A+Installation&state[]=Pending%3A+More+Info&state[]=Assigned&state[]=Working&orgs[]=125
i need to get the values of other required variables which results from accessing the above URL given in PHP..
Actually i should use this above mentioned link to access the form varaible values which will be displayed in that form resulted by execution of some queries using the parameters passed through the link given above..i wont be using form concepts such but can use this link alone,as i dont have access to the required database so this link is the base to retrieve values ...
Please suggest how it can be done.Its of high urgency.
You can access URL parameter via $_GET, when you have this URL try for example:
echo $_GET['Search']; should output req_assigned_to.
I'm not quite sure what you are trying to do but if I'm right you are looking for:
echo $_GET['org'];
This will echo 125. replace org with any other parameter in your url.
Read up on: http://www.php.net/manual/en/reserved.variables.get.php
One solution to automatically building navigation for a site is by scanning a folder for documents like this:
foreach(glob('pages/*.pg.php') as $_SITE_NAV_filePath):
$_SITE_NAV_filePath = explode('.pg',pathinfo($_SITE_NAV_filePath,PATHINFO_FILENAME));
$_SITE_NAV_fileName = $_SITE_NAV_filePath[0];
$_SITE_NAV_qv = preg_replace('/([A-Z])/','-$1',$_SITE_NAV_fileName); $_SITE_NAV_qv = trim($_SITE_NAV_qv,'-');
$_SITE_NAV_name = preg_replace('/([A-Z])/',' $1',$_SITE_NAV_fileName);
?>
<li><?=$_SITE_NAV_name?></li>
<?php
endforeach;
This code will turn "AnAwesomePage.pg.php" into a menu item like this :
<li>An Awesome Page</li>
This might be bad practice (?).
Anyway; I don't use this method very often since most of the time the sites have a database, and with that comes better solutions...
But my question is this:
Is there a way to prefix the filename with a integer followed by and underscore (3_AnAwesomePage.pg.php), for sorting order purposes, and pass it somehow to the destination page outside of the querystring and without any async javascript?
I could just explode the filename once again on "_" to get the sort order and store it somewhere, somehow?
This is the code for handeling the page query request:
$_SITE_PAGE['qv'] = $_GET['page'];
if (empty($_SITE_PAGE['qv'])){ $_SITE_PAGE['qv'] = explode('-','Home'); }
else { $_SITE_PAGE['qv'] = explode('-',$_GET['page']); }
$_SITE_PAGE['file'] = 'pages/'.implode($_SITE_PAGE['qv']).'.pg.php';
This code turns "An-Awesome-Page" back into "AnAwesomePage.pg.php" so it's possible to include it with php.
But with a prefix, it's not so easy.
The probliem is; Now there's no way to know what prefix number there was before since it has been stripped away from the query string. So I need to send it somehow along in the "background".
One very bad solution I came up with was to transform the navigation link into a form button and just _POST the prefix interger along with the form. At fist it sounded like a nice solution, but then I realized that once a user refreshes their page, it didn't look very good. And after all, that's not what forms are for either...
Any good solutions out there?
Or some other and better way for dealing with this?
There are two ways to keep that number saved, you can use cookies or php session variables.
But in this case, if user first enter the url in the browser or in a new browser, then he should be taken to default number.
Like you have:
1_first-page.php
2_first-page.php
3_first-page.php
If user enter the url like: domain.com/?page=first-page, you have to take him to 1_first-page.php to any number which you want to be default.
Im trying to create some links depending on the GET parametre currently set.
My URL looks like this:
http://mysite.com/index.php?bar=test&page=page
In my code I do the following:
$bar = $_REQUEST['bar'];
<a href="index.php?bar=<?php echo $bar?>&page=anotherpage"
But every time I click the link, it adds the whole string to the URL again.
Like first click would give me this URL:
http://mysite.com/index.php?bar=test&page=anotherpagepage=anotherpage
And next click creates:
http://mysite.com/index.php?bar=test&page=anotherpagepage=anotherpagepage=anotherpage
And so on.
Is there any way to only get the request once so that the URL always looks like this:
http://mysite.com/index.php?bar=test&page=anotherpage
No matter how many times I click the link?
Thanks a lot!
You missed an ampersand in your first example. (&). Give this a try:
$bar = $_REQUEST['bar'];
<a href="index.php?bar=<?php echo $bar?>&page=anotherpage"
Or even better, escape your variables before use to prevent XSS, Cross Site Scripting security vulnerability. Use urlencode() for URLs.
http://nl.php.net/manual/en/function.urlencode.php:
$bar = $_REQUEST['bar'];
<a href="index.php?bar=<?=urlencode($bar)?>&page=anotherpage"
You should take a look on the php function http_build_query
That enables you to construct your array first, like this:
$query = array("bar"=>$_REQUEST['bar'], "page"=>"anotherpage")
echo 'Link';