PHP Preserving the URL parameters from page to page - php

I want to be able to test a website I am building using PHP that gets all its content from a database that uses point in time. I have a series of pages that I use to maintain the content and assign effective dates.
The live website will not have access to a session.
I simply want to hack the URL with a parameter like so:
mywebsite.com/current.php?asof=2016-01-01
But I want this parameter to appear on all subsequent pages.
I could use cookies I guess but I want the visual cue.
Finally, some of the pages I navigate to will have additional parameters.
Can this be done? If so, how?
EDIT:
Is there a way to edit the response by injecting URL parameters for any arbitrary response?

If navigation is done only via links and forms, and you have no session, you could try injecting the params into all links and forms before rendering the html.
// set the asof value once upon starting navigation
$_GET['asof'] = '2016-01-01';
// then on all pages onward
// grab all links and inject all $_GET params
$html = preg_replace('/(href="[^"]+)"/', '$1?'.http_build_query($_GET).'"', $html);
// the same for forms
$html = preg_replace('/(action="[^"]+)"/', '$1?'.http_build_query($_GET).'"', $html);
echo $html;
This gets all the data passed in the query string ($_GET) and injects it into all links and forms. So every click on a link will propagate the $_GET params. Keep in mind that this is a rough implementation. This doesn't take into account links that already have query strings or pasting the url.
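The case the answer above leaves open (links that already carry a query string), together with validation of the asof value before it is reused, as an added example that is not code from the original answers. The function names valid_asof(), with_asof() and link_attr() and the sample links are assumptions.

```php
<?php
// Added example, not from the original answers; function names are hypothetical.

/** Return the request's asof value only if it is a real YYYY-MM-DD date. */
function valid_asof(array $get): ?string
{
    $v = $get['asof'] ?? null;
    if (!is_string($v) || !preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $v)) {
        return null;
    }
    [$y, $m, $d] = array_map('intval', explode('-', $v));
    return checkdate($m, $d, $y) ? $v : null;
}

/** Add or replace asof on a site-relative URL, keeping other parameters and the fragment. */
function with_asof(string $url, ?string $asof): string
{
    $p = parse_url($url);
    // External, scheme-bearing or unparsable URLs are returned unchanged,
    // so the parameter is never appended to links that leave the site.
    if ($asof === null || $p === false || isset($p['scheme']) || isset($p['host'])) {
        return $url;
    }
    parse_str($p['query'] ?? '', $params);
    $params['asof'] = $asof;
    return ($p['path'] ?? '') . '?' . http_build_query($params)
        . (isset($p['fragment']) ? '#' . $p['fragment'] : '');
}

/** The rewritten URL, escaped for use inside an HTML attribute. */
function link_attr(string $url, ?string $asof): string
{
    return htmlspecialchars(with_asof($url, $asof), ENT_QUOTES, 'UTF-8');
}

// Constructed request and links for a stand-alone run.
$asof = valid_asof(['asof' => '2016-01-01']);
$links = ['current.php', 'list.php?page=2&sort=name', 'item.php?id=7#notes',
          'https://example.org/elsewhere'];
foreach ($links as $href) {
    echo '<a href="', link_attr($href, $asof), '">link</a>', "\n";
}
// Impossible dates and non-dates are dropped instead of being propagated.
var_dump(valid_asof(['asof' => '2016-02-30']), valid_asof(['asof' => 'not-a-date']));
```

Because only a validated date is ever propagated, the same value can be passed on to the point-in-time database query as a bound parameter.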

Set your cookie and then for every link you can do something like the following:
<?php
// URL-encode the cookie value so it cannot break out of the link it is placed in
$asof = (isset($_COOKIE['asof']) ? 'asof=' . urlencode($_COOKIE['asof']) : '');
?>
link

Related

Set session variable on <a> click

I'm trying to make an <a> link which triggers PHP code on the next page. I've tried using $_GET variables to do this but the thing is I also want to remove the variable afterwards, as I automatically link back to the redirected page with header(). There don't seem to be any feasible ways to do this without redirecting the user to one page alone, but the thing is they're expected to be redirected to the page they were on previously. Keeping $_GET variables then causes an endless loop of redirects.
In general, I wish to avoid using $_GET as it could be abused in the context I'm using it in. Any other workarounds would be greatly appreciated, though. Basically I'm just trying to use an <a> link to remove an entry from a MySQL database.
Here's the PHP that handles the variable.
if (isset($_GET['rm'])) # 'rm' contains the uuid of the entry to be deleted.
{
    $uuid = $_GET['rm'];
    unset($_GET['rm']); # Didn't expect this to work, of course it didn't remove the variable from the URL.
    # Bind the uuid as a parameter instead of interpolating it into the SQL string.
    $stmt = $mysqli->prepare("DELETE FROM posts WHERE uuid = ?");
    $stmt->bind_param('s', $uuid);
    $result = $stmt->execute();
    header("Location: " . $_SERVER['REQUEST_URI']);
    exit();
}
EDIT: I realize now that I have wildly complicated my explanation here. The main goal was to make the click of an <a> link trigger PHP code, with a variable specific to the link clicked. (Each link is a delete button on a post, and each post has a UUID)
If there is a way to alternatively trigger javascript code, that would be immensely helpful as well, since I'm looking to use such a method here too. I will likely be making a separate thread asking about this.
You can use $_SESSION to delete the variable afterwards, for example:
if (isset($_SESSION['rm'])) # 'rm' contains the uuid of the entry to be deleted.
{
    $uuid = $_SESSION['rm'];
    unset($_SESSION['rm']); # Removes the value from the session so the delete runs only once.
    # Bind the uuid as a parameter instead of interpolating it into the SQL string.
    $stmt = $mysqli->prepare("DELETE FROM posts WHERE uuid = ?");
    $stmt->bind_param('s', $uuid);
    $result = $stmt->execute();
    header("Location: " . $_SERVER['REQUEST_URI']);
    exit();
}
Consider that you have registered the value in the following form:
$_SESSION['rm'] = "My value";
If your goal is to redirect to the current page but remove the query string, you can redirect to header("Location: ?"); which is essentially just that. (Technically you are redirecting to a new query string with no value which is different than no query string at all but php will just show an empty array for $_GET which is essentially the same)
I was going to mention additional options like variables from $_SERVER, but many of those have various security or other issues associated with them. I only mention this because I wouldn't suggest using any unless necessary. Also, it really doesn't get easier than the above.
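The asker's concern that a GET link can be abused to trigger the delete, handled with a POST form, a CSRF token and a bound parameter; this is an added example, not code from the thread. delete_post(), the csrf field name and the in-memory SQLite table reached through PDO (standing in for the MySQL posts table and mysqli used above) are assumptions.

```php
<?php
// Added example, not from the original thread. delete_post() and the 'csrf' field
// are hypothetical names; the table and rows below are constructed data.

/** Delete one post, but only for a POST request that carries the session's CSRF token. */
function delete_post(PDO $db, string $method, array $post, string $sessionToken): string
{
    if ($method !== 'POST') {
        return 'rejected: not POST';       // plain links, prefetchers and crawlers send GET
    }
    $sent = $post['csrf'] ?? '';
    if (!is_string($sent) || $sessionToken === '' || !hash_equals($sessionToken, $sent)) {
        return 'rejected: bad CSRF token';
    }
    $uuid = $post['rm'] ?? '';
    // Accept only the canonical 8-4-4-4-12 hex form before touching the database.
    if (!is_string($uuid)
        || !preg_match('/\A[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\z/i', $uuid)) {
        return 'rejected: bad uuid';
    }
    $stmt = $db->prepare('DELETE FROM posts WHERE uuid = ?');  // value is bound, not interpolated
    $stmt->execute([$uuid]);
    return $stmt->rowCount() === 1 ? 'deleted' : 'not found';
}

// Constructed database for a stand-alone run.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (uuid TEXT PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO posts VALUES ('123e4567-e89b-12d3-a456-426614174000', 'hello')");

$token = bin2hex(random_bytes(32));        // in a page: generated once and kept in $_SESSION
$id    = '123e4567-e89b-12d3-a456-426614174000';

echo delete_post($db, 'GET',  ['rm' => $id, 'csrf' => $token], $token), "\n";
echo delete_post($db, 'POST', ['rm' => $id, 'csrf' => 'wrong'], $token), "\n";
echo delete_post($db, 'POST', ['rm' => "not-a-uuid'", 'csrf' => $token], $token), "\n";
echo delete_post($db, 'POST', ['rm' => $id, 'csrf' => $token], $token), "\n";
echo delete_post($db, 'POST', ['rm' => $id, 'csrf' => $token], $token), "\n";
```

In the page itself each delete button becomes a small form with hidden rm and csrf fields, and a handled POST is followed by a redirect to the path without the query string and exit(), which also removes the redirect loop described in the question.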

PHP get content from form, write it to a php file and display html correct but don't execute php code

I have a blogsystem where users can enter a name for a free url and the content which should be displayed on the url.
So.. the html-tags have to be rendered in browser but when they write php-code or other similar things they should not be executed when the user then visits the new site.
Right now I do it like this:
$new_url = $_POST["newurl"];
$header = file_get_contents("./header.php");
$part1 = "<?php echo html_entity_decode(\"";
$content = htmlspecialchars($_POST["content"]);
$part2 = "\"); ?>";
$footer = file_get_contents("./footer.php");
file_put_contents("./$new_url".".php",$header.$part1.$content.$part2.$footer);
Like that, the HTML is rendered correctly in the user's browser when he calls domain.tld/"url-he-entered".php
But I am unsure if this is a safe way, or could the user still enter PHP code in the content that would be executed when he loads the new URL?
The comments from #CD001 solved the issue:
The whole idea is a security nightmare anyway mind - ideally you don't want a public facing application able to write anything within the DOCROOT unless you've got a really good handle on the security. You'd be better off storing whatever they enter in a database then using mod_rewrite to hijack the URLs so that whatever the user's URL is, it pulls in your PHP but drops in their sanitised content from the DB (you could use something like http://htmlpurifier.org/).

How to deep link to a Facebook App (NOT Page Tab)

I need to link to a specific page in my Facebook app. The app is not in a page tab, and cannot be in one due to the project constrictions.
This is the url format:
https://apps.facebook.com/myappname
I would need to pass a parameter at the end (like /next.html or ?page=next) so that I can link to the specific page directly from outside the app (from an email).
How would I set this up? My project uses PHP and jQuery. I would love to be able to do this strictly in Javascript if possible.
I have found tons of info on how to deep link a page tab or a mobile app, but not to a regular application. I have found messages stating it's possible, but nothing about how to actually do it anywhere online or on Facebook.
Thanks for your help.
EDIT:
Okay, I got it working in PHP. For anyone else with this issue, this is what I did.
Add a "?" at the very end of the 'Site URL' in your FB app, then create a redirect file similar to this as your app landing page (just use absolute paths instead of relative ones like I did below):
<?php
$query = $_SERVER['QUERY_STRING'];
$params = explode("/", $query);
if (in_array("gallery", $params)) {
header("Location: /gallery.html");
exit;
}
else {
header("Location: /index.html");
exit;
}
?>
This answer is what helped me figure this out:
$_GET on facebook iframe app
I may be missing something here, but why don't you just link to http://apps.facebook.com/yourapp/something.php - this should automatically load your canvas URL, with something.php appended to the path
Obviously this won't work if your canvas URL points to a specific file and not a directory, but plenty of apps do this with success
When you are using the ? all you are doing is issuing a $_GET request, so all of the info you require will exist in the $_GET array.
Rather than query the $_SERVER array, query the $_GET array.
So if you had:
http://myurl.com?info=foobar
You can simply access that info using:
$info = $_GET['info'];
It is good practice to check for the existence first though:
if (isset($_GET['info']))
{
$info =$_GET['info'];
}
else
{
$info="default";
}
Incidentally, if you use the & character you can have multiple parameters:
http://myurl.com?info=foo&moreinfo=bar
You get a special parameter called app_data that you can use however you want. I've used it in the past to encode a full querystring of my internal app. for example, &app_data=My/Custom/Page
More found in this SO question: Retrieve Parameter From Page Tab URL

Change URL using PHP

E.g. I have a page with the URL http://mysite.com?page=3&var=10, and there is also a form on the page.
When the form is submitted there are some actions in PHP, but I need to remove this ?page=3&var=10 after the form is submitted. Is there a way to do this through PHP, compatible with all browsers, without mod_rewrite?
This is an old topic, but just in case anyone else is searching for this in the future, you can use the javascript replaceState to change the history and browser bar label. A simple php function to do this:
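function set_url( $url )
{
    // json_encode() emits a quoted, escaped JavaScript string, so quotes or "</script>" in $url cannot break out of it
    echo("<script>history.replaceState({},''," . json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ");</script>");
}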
Then would simply call this function with the desired url (presumably dropping the post variables):
set_url("http://example.com");
A page reload or a back after calling another page will now have the new url location in the history.
I think that using POST may be a more elegant solution, but if you must use GET this is a work around.
If you're using action=index.php, then all values will be posted to index php, ?page=3&var=10 will be automatically removed.
If you want to post to the same page you can either use 'action=index.php?page=3&var=10' or action=<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>
You can check at the beginning of the page if something submitted and then redirect to whatever you want with header('Location: http://www.example.com/'); More about header function http://php.net/manual/en/function.header.php
Yeah, the solution is quite simple (even if not really SEO friendly):
<?php
header("Location: http://mysite.com");
exit;
?>
Just for information... why do you need it?
Use parse_str to get the query string as an associative array that is easy to modify. Then use http_build_query to convert the associative array into a query string.
// $s is assumed to be $_SERVER (the original answer does not show where it is set)
$queryString = $s['QUERY_STRING'];
$params = array();
parse_str($queryString, $params);
//change $params as needed
$queryString = http_build_query($params);
if ($queryString) {
$queryString = '?'.$queryString;
}
return preg_replace("/\\?.*/s","",$s['REQUEST_URI']).$queryString;
preg_replace("/\\?.*/s","",$s['REQUEST_URI']) removes the original query string allowing you to replace it.
Does this work for you?
header('Location:/');
mod_rewrite cannot affect what's displayed in the user's browser address bar, UNLESS the rewrite does an externally visible redirect. Otherwise it is only rewriting things within the webserver, and that's invisible to the user.
If you want to affect the user's address bar, you'll have to do a redirect via header('Location: ...') after the form's finished processing.

url or content as a variable in the header of the page

I am designing a site where external links from various websites are being shown on my page. I am using
$url=$_GET['url'];
$website_data = file_get_contents($url);
echo $website_data;
so essentially a user would click on a hyperlink which is something like www.test.com/display_page.php?url=http://www.xyz.com/article/2.jpg
My page, list_of_images.php, typically has a list of images with href for each image as above on the page and when any image is clicked it would go to display_page.php, which would show our banner on the top of this page, some text and then this image beneath that. This image could be from any website.
I am currently sending the URL directly and grabbing it using GET. I understand that users/hackers can actually do some coding and send commands for the url variable and could break the server or do something harmful, and so I would like to avoid this method or sending the URL directly in the header. What is the alternate approach for this problem?
The safe approach is to use a fixed set of resources stored in either an array or a database, and the appropriate key as a parameter.
$ress = Array('1' => 'http://www.google.com/', ...);
$res = $ress[$_GET['res']];
I would make sure the url starts with http:// or https://:
if(preg_match("`^https?://`i", $_GET['url']))
// do stuff
You may also want to make sure it isn't pointing anywhere internal:
if(preg_match('`^https?://(?!localhost|127\.|192\.|10\.0\.)`i', $_GET['url']))
// do stuff
Rather than a big dirty regex, you could go for a more elegant host black-list approach, but you get my drift...
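A structured version of the scheme and internal-address checks suggested above, going beyond the regex by checking the addresses a hostname resolves to; this is an added example, not code from the original answers. url_is_fetchable(), the resolver parameter and the constructed DNS map (including the address given for www.xyz.com) are assumptions.

```php
<?php
// Added example, not from the original answers. url_is_fetchable() and the resolver
// parameter are hypothetical names; the DNS map further down is constructed data.

/** True only for http(s) URLs whose host maps to no private or reserved IP address. */
function url_is_fetchable(string $url, callable $resolve): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                      // only the two schemes the answer allows
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                      // user@host forms make the real host easy to misread
    }
    $host = trim($p['host'], '[]');        // IPv6 literals arrive in brackets
    $ips  = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolve($host);
    if (!$ips) {
        return false;                      // unresolvable host
    }
    foreach ($ips as $ip) {
        // Fails for 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8 and 240/4.
        if (!filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return false;
        }
    }
    return true;
}

// Constructed resolver standing in for gethostbynamel(); names and addresses are samples.
$dns = ['www.xyz.com' => ['93.184.216.34'], 'intranet.test' => ['10.0.0.5']];
$resolve = fn(string $h): array => $dns[strtolower($h)] ?? [];

$samples = [
    'http://www.xyz.com/article/2.jpg',    // public host from the question
    'http://intranet.test/page',           // name that resolves to a private address
    'http://127.0.0.1/',                   // loopback literal
    'http://172.16.4.1/',                  // private range the regex above does not list
    'ftp://www.xyz.com/2.jpg',             // scheme other than http(s)
];
foreach ($samples as $u) {
    printf("%-36s %s\n", $u, url_is_fetchable($u, $resolve) ? 'allow' : 'deny');
}
```

For a real fetch, pass a resolver built on gethostbynamel(), and keep in mind that file_get_contents() follows HTTP redirects by default, so a redirect target is a URL this check never saw.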
Try POST....
Try doing this using POST method
