Hello I have a web page where users can view and edit their application information. I have an Edit button. When a user clicks on this button it takes him to an edit page. Here is my code:
<form name="form3" method="post" action="pages/application_edit.php?id=<?php echo "$id[0]";?>&pwd=<?php echo "$pwd";?>">
<input type="submit" name="Submit" value="Edit Application" class="button">
</form>`
After a click the user sees this URL:`http://website.com/pages/application_edit.php?id=1&password=Flower1
How can I hide the password from the URL?
Instead of sending the values as $_GET values, send them as $_POST values to that PHP page.
<form method="POST" action="pages/application_edit.php"> // no need for the URL query string
In the PHP file
<?php
$user_id = $_POST['id']; // similar to how you'd use $_GET
....
Although the way you're approaching this is wrong, you shouldn't be passing these values between pages. At the very least your username/id should be stored as a session variable and information should be accessed when required from a database.
Either way, that's how you can send them without having them "visible".
It seems you lack session control routines.
You should manage all private options of your application (the ones you are able to perform only - and just only - when you are logged in) inside a session to avoid exposing user credentials.
You can start learning about it here.
Also, consider encrypting your HTTP requests using SSL certificate.
Related
I have a form.
<form name="form1" method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
<p><label>User Name : </label>
<input id="username" type="text" name="username" /></p>
<p><label>Password : </label>
<input id="password" type="password" name="password"/></p>
<a class="btn" href="register.php">Signup</a>
<input class="btn register" type="submit" name="submit" value="Login" />
</form>
which use $_SERVER["PHP_SELF"].
On submitting (POST) the data, the users credentials are sent in plain text (shown below)
Where as if I replace the $_SERVER['PHP_SELF'] with say a "check_login.php" there isn't a problem.
I used the acunetix scanner too which also says "User credentials are sent in clear text".
I need to use the $_SERVER['PHP_SELF'] but without the credential being shown.
The vulnerability alert you are receiving is being displayed because the web server is making use of HTTP rather than HTTPS when the client is sending the user credentials.
This would not have anything to do with your PHP form—regardless of how you implement it, the information is still being sent in clear text. Example:
POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
uname=test&pass=test
You can see the uname and pass parameters being sent in plain text and can be intercepted and read by anyone.
For more information, I would encourage you to read the answer of the following question.
Whilst we're at it, you might also want to check out Let's Encrypt and Acunetix should you want to keep yourself extra secure ;-)
You are misunderstanding the problem, and misunderstanding $_SERVER['PHP_SELF'].
Firstly, your actual problem has nothing to do with $_SERVER['PHP_SELF'], nor with your form nor PHP. The problem is because your site is not secured with HTTPS. If you're using HTTP, then everything the browser sends or receives is sent in plain text and can potentially be intercepted. If you want your traffic to be secure then you need to use HTTPS instead. This is something you configure in your server, and is entirely separate from anything in your PHP code.
Secondly, you state "I need to use the $_SERVER['PHP_SELF']...". This is not actually true: you don't need to use $_SERVER['PHP_SELF'] in this context. $_SERVER['PHP_SELF'] is a global variable in your PHP program that contains address of the current page. So if you visit userinfo.php within your site, then the $_SERVER['PHP_SELF'] will contain /userinfo.php. This is the value that you're putting into the form's action attribute. That's fine, but understand that you don't actually need it in this context, because the default value of action is to submit the form back to the current page. In other words, your form will work exactly the same if you omit $_SERVER['PHP_SELF'] entirely. This isn't in any way related to your security warning, but I felt it was important to clarify what's going on here, to help you understand that $_SERVER['PHP_SELF'] isn't some magical thing that makes the form work; it's just a string variable with a pagename in it.
just wanted to find out the safest way to do something so it is not vulnerable.
Say I have a url like www.mysite.com?name=nick
This loads a static html page with a form. One of the forms fields is
<input type="text" id="pName" value="" name="pName" readonly>
What is the best way to get the url param into the value of this input? Basically, I have an app which will be used by several people in different locations. I need a way to identify who is using it, so I thought I could just add their name into the url and then inject this into my form.
Any information appreciated,
UPDATE
Going off the comments, I have added this to the top of index.php
<?php
session_start();
if (!isset($_SESSION['pName'])) {
$_SESSION['pName'] = $_GET['pName'];
}
?>
And then the input is like so
<input type="text" id="pName" value="<?php $_SESSION['pName'] ?>" name="pName" readonly>
Would this be acceptable?
Use session and put $_SESSION['YourSessionVariable'] into textbox.
<?php
$valueForTextbox = '';
if(isset($_POST['yourSubmitName'])){
$_SESSION['pName'] = $valueForTextbox = $_POST['pName'];
}else if(isset($_SESSION['pName'])){
$valueForTextbox = $_SESSION['pName'];
}
?>
<input type="text" id="pName" value="<?php echo $valueForTextbox;?>" name="pName" readonly>
Why ?
What if I change url GET parameter ? It will be security issue as well..
Also if I have to maintain that data in many pages(say a wizard to complete) And if I delete some parameters from URL, it will create issue.
Query string will be unnecessarily big with GET parameters which can easily saved in sessions.
Edit :
When form is Not submitted. Fetch value from Database rather than taking from Query string. And after form submit put value in SESSION. Form posting will keep updating value for that session variable.
If the user is to be defined in the URL, you must check on the server, if the user is authorized.
Since you need to have a safe method to identify the authorized user, the identification happens before the form is called, for example through login.
On login you store the user's name on the server, usually in the session, then you forward him to the form.
If a user tries to call the form for another, not identified user, you will realize this on the server. The form comes back, but the user does not match the username stored in the session.
Now, as you already have the user in the session, the question arises, if you really need the user in the url. Reasons for that could be, that you want more than one form open at a time, or you have authorized access to the form of other users (for example admin access).
I'm trying to make a registration page for an Openfire XMPP server. The easiest route seems to be to use the user service plugin to register accounts, which lets you register users with HTTP requests.
Essentially, I need to make HTTP requests like
http://hostname:9090/plugins/userService/userservice?type=add&secret=passcode&username=kafka&password=drowssap&name=franz&email=franz#kafka.com
Which will register user kafka with password drowssap, name franz, etc.
So it seems to me the best method would be to create an HTML form which collects the user information, then makes the HTTP request. This seems simple enough, but I'm not sure where the best place to start is. PHP? Python? Wget? Lynx? I'm not quite sure how to use those from within an HTML form.
Thanks.
Don't EVER include sensible data that way. That's a GET request. You need a POST request (which doesn't include data in the URL).
Your HTML should be like:
<form action="saveData.php" method="post">
<input type="text" name="username" />
<input type="password" name="password" />
<!-- other inputs here -->
<input type="submit" value="Create user" />
</form>
That form sends POST data to the saveData.php script. That script should process the parameters and redirect to another page.
<?php
// Here process the data the way you want (using data inside $_POST array, i.e. $_POST['username'], $_POST['password'], etc...
// Usually you'd want to save to a database
// When done, redirect to "success" page
header("Location: success.php");
?>
Your success.php page can contain anything:
<?php
echo "User created successfully!";
?>
Suppose a user inputs his/her username and password and clicks on the submit button, which utilizes $_POST method on the form. To log in successfully, obviously the username and password have to match what's in my mysql database, which is done through a series of "if" statements. The form and "if" statements have to lie within the html tags to display the correct error messages if the credentials are wrong. After the username and password successfully satisfy all of the "if" statements, which are located within the html tags, I obviously want to set a cookie. However, I can't set a cookie within the html tags.
/*setcook() function can ONLY be placed HERE before the <html> tags, but that does not work with my php code*/
<html>
<head><title></title><body>
<?php
if (isset($_POST['username']) OR isset($_POST['password']))
{
/*bunch of "if" statements go here to confirm the credentials are correct and match what's in the database. if the username and password are correct, all of the "if" statements here are passed, and then i WANT to set a cookie HERE so the user is logged in but i can't*/
}
else echo <<<_END
<form action="login.php" method="post">
Username: <input type="text" name="username"/>
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />"; //this is the form that the user fills out and submits
</form>
_END;
?>
</body>
</html>
HOWEVER, the setcookie() function only works BEFORE the html tag. How can I set a cookie AFTER all the username and password credentials are verified in my PHP code that lies inside the html tags?
You shouldn't be putting logic like this mixed in with your HTML. Put all of your PHP to validate credentials before any output is sent. Then, you can set any cookies you want.
The reason you can't set the cookie later is that cookies are set as part of headers, which are done being sent by the time output begins. You could work around this by enabling output buffering... but don't do it. It's bad practice, isn't always enabled on other servers, and has the potential to slow things down a hair.
I also recommend using PHP sessions. If you do, you can set data in them anywhere you want, as the data is stored server-side. You just have to be sure to start your session right off the bat, so that the cookie is set and the session data is available to your applicatoin.
I am sending login status = fail, back to my login page.Here is my code-
header("location:index.php?login=fail");
but that is sending through URL like-
http://localhost/303/index.php?login=fail
is there any way to pass value without showing in URL? And how to get this value on the second page?
You are passing that value via a GET request, which is why it appears in the URL. In order to pass a value without showing it in the URL, you want to pass it via a POST request.
In order to do this you aren't going to want to "return" the value to your login page. Instead, whatever php form is handling the process of logging in the user after they click the "login" button, will decide what to show the user.
In PHP post variables can be accessed by the global $_POST object -
$_POST['username'];
Would get the value with the name "username" that you passed via POST:
<form method="post" action="checkLogin.php">
Username:
<input type="text" name="username" maxlength="25" />
Password:
</td><td><input type="password" name="password" />
<input type="submit" name="submit" value="Login">
</form>
In order to dynamically save and show errors to the user, you can store them in the session, for example have a file called "errors.php"
<?php
if (isset($_SESSION['errors']))
{
echo $_SESSION['errors'];
}
unset($_SESSION['errors'])
?>
And in your php that checks the login, do:
session_start();
$_SESSION['errors'] = "Invalid username or password.";
Then redirect to your login page (don't pass any variables) and on your form always have this field:
<?php include("errors.php"); ?>
If you didn't have any errors, it won't show anything and the login page will look normal.
Note: In any php form that you use a session_start(), it HAS TO BE THE FIRST THING in the form.
Other ways are to use session or hidden fields but you what you are doing is fine for the purpose. You can later retrieve the value like this:
if ($_GET['login'] === 'fail')
{
// failed.......
}
there are several ways to accomplish your task
Modern AJAX way. Form being sent using AJAX. No page reload until password is correct. Errors shown in place. Requres javascript.
Post/Redirect/Get pattern. Form being sent using regular POST. No redirect on errors, shown in place.
sessions, when we store an error in the session