I am having an issue here, I'm working on my own website for university however I have came across a problem I can't find the answer to anywhere. I have a product page and a php module that handles adding the item to cart session data, however I'm getting this error:
https://saturn.csit.rmit.edu.au/~s3482230/wp/a2/product.php?productid=P001' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'module: add to cart.php'. This endpoint should be made available over a secure connection. (the website is hosted on the school servers that you cant access without login on so you can't view it sadly.
but the form is writen as such...
<form class=productqty action="module: add to cart.php" method="post">
<p id=price>$<span id=pricedouble>0</span></p>
<input name="price" id=prodprice type="hidden" value="20.00" required/>
<input name="product code" type="hidden" value="P001" required/>
<input name="quantity" id=qtyinput maxlength="3" type="text" value="1"
onblur='checkButtons()' onkeypress='checkIfNumber(event)' required/>
<button id=negativebutton type="button" onclick="minusOne()" disabled> - </button>
<button id=positivebutton type="button" onclick="plusOne()"> + </button>
<input type="submit" value="Purchase" />
</form>
and the module code that handles adding to session and cart is: (unfinished)
<?php
session_start();
if (isset($_SESSION['user'])) {
}
$_SESSION['cart'][$_POST['product code']]['qty'] = $_POST['quantity'];
$_SESSION['cart'][$_POST['product code']]['price'] = $_POST['price'];
header("Location: ".$_SESSION["redirect_url"]);
?>
NOTE: the redirect_url is being used to redirect after logging on and off and works on those modules so it should work here, have also tried commenting the redirect out but doesn't change the warning, I hope this is enough information.
FIXED IT!
turns out, you can't use a lot of certain characters in the action="xxxx" method, I had to replace ':' with '%3A' and spaces with '%20'
so I used action="module%3A%20add%20to%20cart.php" and works fine.
Related
I try to design a save reset-password-page for my scripts. I got very far, but now I could need some help. What I got already:
user puts his mail into a form and the script is sending him a mail with a url the user have to open. parameters: usertype, userid, token.
if the users visits the url he will get to a page, with a form where the token is already inserted. he only needs to click "proceed".
third page shows a form to change the password.
Now I'm a little doubtful with the security of this script. Lets say the attacker knows the mail, the usertype and the userid (would only be people with login, but its possible to know all that). He can now send a password-reset-link to users mail. Not a problem so far.
But he knows that there is a token generated now and can try to brutforce it. For this he calls the 2nd or 3rd page with the known parameters and just trys every token.
To prevent this I put a captcha in the 2nd-page.
But now I need to protect the 3rd page/form. For now I give the token and check it a 2nd time. Thats not nice and makes the 1st-captcha just useless. Giving it another captcha would be possible, but not userfriendly. Checking the captcha after 3rd form is filled is also not userfriendly.
So how can I make sure, the users passed the token-page (with captcha) in my script. So that the user can not just send a POST (e.g. with curl) with input-data of my 3rd-form (the password-change-form).
Thank you in advance.
2nd-form
<form name="confirm" method="GET">
<p>
<label for="confirm">Token
<input type="text" name="confirm" id="confirm_code"
<?php
if(isset($_GET['confirm'])) echo ' value="'.$_GET['confirm'].'"';
?>
></label>
</p>
<p><div class="g-recaptcha" data-sitekey="X" data-callback="checked" data-size="invisible"></div></p>
<p style="text-align:center;">
<input type="submit" value="Proceed">
</p>
<?php
echo '<input type="hidden" name="usertype" value="'.$_GET['usertype'].'">';
echo '<input type="hidden" name="userid" value="'.$_GET['userid'].'">';
echo '</form>';
3rd-form
<form name="change" method="post">
<p>
<label for="pw">New pw
<input type="password" name="pw" id="pw"></label>
</p><p><label for="pw_repeat">Repeat
<input type="password" name="pw_r" id="pw_repeat"></label>
</p><p style="text-align:center;">
<input type="hidden" name="usertype" value="<?php echo $_GET['usertype']; ?>">
<input type="hidden" name="userid" value="<?php echo $_GET['userid']; ?>">
<input type="submit" name="change" value="Change now">
</p>
</form>
Hey I too am a programmer who is getting started and I work mostly on logins and stuff.
Here are my Suggestions:
Add an algorithm that generates some automatic key purely on random basis.
Produce a link based on that random piece of key and a specified set of values(keep that a secret) and also make sure the final generated link is pretty big.
At the second page make sure you ask for a key (You'd send this key straight to his email along with the page link) i.e., the random generated key and then the algorithm magically decrypts to see if the underlying data is the same based on some values attached to his account or something else.
Make sure the link expires in the time needed to brute force through the page
If you can make sure above steps are followed correctly, then even with a bit of discomfort to the user your security will be pretty good. What do you think?
Cheers,
Rj
I have weird problem with Wordpress. I've made POST script which redirect user from single.php to index.php.
The problem is that Chrome recognizes going to index.php as going 'Back' literally, so it doesn't refresh page or read POST parameters.
However, this works perfectly in Mozilla or Edge.
Any tips on how to fix this annoying behavior of Chrome?
<form method="post" id="back-form" action="localhost/wordpress/">;
<input type="hidden" name="no" id="no" value="<?php echo $no; ?>">
<input type="submit" id="header-back" value="">
</form>
Add something to let the browser know you are not requesting a page that it can give you from cache:
<form method="post" id="back-form" action="localhost/wordpress/?x=<?php echo uniquid(); ?>">;
<input type="hidden" name="no" id="no" value="<?php echo $no; ?>">
<input type="submit" id="header-back" value="">
</form>
Alternatively, you can use a Wordpress plugin or personal code to send headers that immediately expire the cache of the page.
I am currently developing a login form for my website. Whenever I use it with chrome, I am not being asked to save my password. However, it works in other browsers (Tested with Edge, Firefox and Internet Explorer).
This is my login form:
<div id="login">
<div id="loginbox">
<h2>Login</h2>
<form action="./login.php" method="post">
<input type="text" name="username" placeholder="Username" id="loginform-usrname"><br>
<input type="password" name="password" placeholder="Password" id="loginform-passwd"><br>
<input style="display: none;" type="text" name="page" value="<?php echo $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'] ?>">
<input type="submit" name="submit" value="Login" id="loginform-btn">
</form>
</div>
</div>
The form is submitted as a plain post form (without using any javascript).
Another thing worth mentioning is that the actual login script is running on a different page than the one, where the login form is located. However, in case the user types in the wrong password, the same form is displayed on the login page.
I could find out the reason for the problem: Right after the login, the php script redirected the user back to the last page.
However, the redirect instantly closed the dialog where the user has to choose whether chrome should remember the password.
I switched from an instant php redirect to a delayed redirect via javascript and it works now.
Here is the Form Code i am using :
<form name="download_frm" action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST">
<input type=hidden name="oid" value="***********">
<input type=hidden name="retURL" value="http://----/">
<!--<input type="hidden" name="debug" value="1"> -->
<p><input type="text" value="" name="name" id="name" maxlength="50" class="" placeholder="Name"/></p>
<p><input type="text" value="" name="mail" id="mail" maxlength="50" class="" placeholder="E-mail"/></p>
<p><input type="text" value="" name="org_name" id="org_name" maxlength="50" class="" placeholder="Organization Name"/></p>
<p>
<select name="org_typ" id="org_typ" >
<option selected="selected">Organization Type</option>
{if isset($orgtypes)}
{foreach $orgtypes as $array}
<option value="">{$array->Dev_Type}</option>
{/foreach}
{/if}
</select>
</p>
<p><input type="number" value="" name="phnum" id="phnum" maxlength="50" class="" placeholder="Phone Number(Optional)"/></p>
<p><input type="text" value="" name="cntry" id="cntry" maxlength="50" class="" placeholder="Country (Optional)"/></p>
<p><input type="submit" name="submit" id="submit" value="submit form" /></p>
</form>
After submitting the form,it is returning to the given returnURL.But i want to get the information whether the form data is stored successfully or not.
Please Advise me..
Thanks in Advance.
Because the Salesforce Web to Lead code is designed to work with all web servers / web sites / pages, by design it doesn't retrieve that information in regular usage. Whether the submission is successful, or fails, it will simply redirect the visitor to the page specified in retURL.
This behavior might be frustrating if you want information back, but it does allow the web-to-lead to be used practically anywhere, which is the point.
You can, in testing, enable debugging mode. See the original HTML produced by the Salesforce Web to Lead code generator. This will enable an intermediary page that will show you what is being submitted. However, you would not want to use this on a production site, as all of your customers would see this intermediary page.
If you're worried about rejected submissions, that is rare, and in any case Salesforce will send you an email with the submitted form values and why it failed. It will usually fail because of validation rules (to get around this, use Page Layout rules rather than validation rules if you want to require a field to be populated).
You still have a couple options to accomplish what you are trying to do.
One is simply to check Salesforce Leads for submissions - but I presume this information need to be processed, not just viewed by a human.
In that case, the rest of your options require you to do something more than use the standard web to lead code if you want your website to know about the form submission.
Presuming you're using a common CMS you can use plugins for Wordpress (Gravity Forms Salesforce Add-On or Wordpress to Lead) or Drupal's Webforms with the Salesforce add-on.
Or, alternatively, you can re-write the form as a PHP file (or a similar language) that passes the information to Salesforce via CURL - and does any other number of things at the same time using PHP, like passing it to another database. There's a lot on the internet - just google 'salesforce web to lead php curl'
All of the above options work for all versions of Salesforce. If you have Enterprise and higher, or Professional with the API, you can also pass the information to Salesforce via the API. This will allow you to bring back information such as the Lead ID - or pass the information to other objects, de-dupe, upsert, etc. Keep in mind this level of coding is both more complex and will require authentication into Salesforce, so only follow this option if the added functionality is worth the additional overhead.
I have two different websites. One is a non-wordpress website and the other one is blog made from wordpress framework. Is it possible to set up a login form to the non-wordpress site which redirects you to the wordpress blog dashboard if your login information is valid?
I tried creating a form in my website and set the action to my blog wp-login.php but instead of redirecting me to the dashboard it just displays the main wordpress login window but I am already logged in.
Use below form:
<form method="post" action="http://yourdomain.com/blog/wp-login.php" id="loginform" name="loginform">
<p>
<label for="user_login">Username<br>
<input type="text" size="20" value="" class="input" id="user_login" name="log"></label>
</p>
<p>
<label for="user_pass">Password<br>
<input type="password" size="20" value="" class="input" id="user_pass" name="pwd"></label>
</p>
<p class="forgetmenot"><label for="rememberme"><input type="checkbox" value="forever" id="rememberme" name="rememberme"> Remember Me</label></p>
<p class="submit">
<input type="submit" value="Log In" class="button button-primary button-large" id="wp-submit" name="wp-submit">
<input type="hidden" value="http://yourdomain.com/blog/wp-admin" name="redirect_to">
<input type="hidden" value="1" name="testcookie">
</p>
</form>
Note: Replace http://yourdomain.com/blog/ with your actual blog url
I needed the same thing as requested here and the solution of Tahir Yasin works fine but if there is no test cookie('wordpress_test_cookie') then http://yourdomain.com/blog/wp-login.php will give you this error
ERROR: Cookies are blocked or not supported by your browser. You must
enable cookies to use WordPress.
Remove this line will fix the problem: <input type="hidden" value="1" name="testcookie">
You can do this in 2 ways.
Cookies
Sessions
After your login is validated you store the information in an cookie/session, you send the users to your wordpress website. And the login page, checks if the desired session/cookie is available and if yes you skip the login fase.
Just add ?redirect_to=http%3A%2F%2Fsample.net%2Fwp-admin%2F&reauth=1 to the action.