CSRFProtector PHP library won't submit any form data - php

I am using the CSRFProtector library for PHP (https://github.com/mebjas/CSRF-Protector-PHP) and as soon as I turn it on all forms stop submitting and I get an error:
403 Access Forbidden by CSRFProtector!
My config file contains:
return array(
"CSRFP_TOKEN" => "ctkn",
"logDirectory" => "log",
"failedAuthAction" => array(
"GET" => 0,
"POST" => 0),
"errorRedirectionPage" => "",
"customErrorMessage" => "",
"jsPath" => "js/csrfprotector.js",
"jsUrl" => "ABS PATH TO js/csrfprotector.js",
"tokenLength" => 10,
"disabledJavascriptMessage" => "",
"verifyGetFor" => array()
);
and the log file for CSRF shows:
{"timestamp":1433842328,"HOST":"MYDOMAIN.COM","REQUEST_URI":"\/add","requestType":"POST",
"query":{"title":"234","date":"08\/06\/2015","submit":""},
"cookie":{"ctkn":"3c8c7dfebc","__insp_uid":"1173752613",
"PHPSESSID":"SESSION_ID","_ok":"3274-991-10-2674","__utma":"98457856.2008088440.1420840286.1431630284.1432025914.10",
"__utmc":"98457856","__utmz":"98457856.1429793890.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)","__insp_wid":"801086210",
"__insp_nv":"false","__insp_ref":"aHR0cHM6Ly93d3cubmF0dXJhbGhyLm5ldC9sb2dpbg==",
"__insp_identity":"33101","__insp_norec_sess":"true","__insp_slim":"1433237660812",
"mp_3a3715a3d0ca553aea5e93832d489346_mixpanel":"{\"distinct_id\": \"14adaecc111146-0576c4449-63161675-232800-14adaecc1122e6\",
\"$initial_referrer\": \"$direct\",\"$initial_referring_domain\": \"$direct\"}",
"_okbk":"cd5=available,cd4=true,vi5=0,vi4=1433789710017,vi3=active,vi2=false,vi1=false,
cd8=chat,cd6=0,cd3=false,cd2=0,cd1=0,","_gat":"1","_ga":"GA1.2.2008088440.1420840286",
"_oklv":"1433842325615,1q2TBnOvCYwsP8Vp452Bb0OMFOHE0QN6","olfsk":"olfsk31493824627250433",
"_okac":"96642aff6954f6ce73ba12dfbb632117","_okla":"1","wcsid":"1q2TBnOvCYwsP8Vp452Bb0OMFOHE0QN6",
"hblid":"BpAXj2n915tZ7ULn452Bb0OMFPI1k134"}}
Can anyone tell me why this is failing? What do I need to do to allow this genuine request but still stop any illicit ones?

For me, the problem was that I'm using a Bootstrap confirmation modal to confirm before submitting the form. When I checked the $_POST object, I found that it doesn't include the csrf_token.
You might have the same problem.

You have changed CSRFP_TOKEN in the config file, so you need to change it in the JS file too,
i.e.
CSRFP_TOKEN: 'ctkn'
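The two answers above point at the same thing the log already shows: the request carries a ctkn cookie, but the POST fields ("query" in the log) contain only title, date and submit, so no token reaches the server-side check. The following Python is an added example, not code from CSRF-Protector-PHP or from anyone in the thread. It models the check as "the token submitted with the form must be present and equal to the one the server issued" (taken here from the cookie, because that is what the log exposes; the library's real bookkeeping is an assumption), replays the logged request, and then shows the two client-side situations the answers describe: the JS copies the cookie into the form under the name the server is configured with, or under some other name (such as the csrf_token the first answer mentions) so that nothing usable is submitted. The request dictionary is constructed from the log in the question with the analytics cookies trimmed.

```python
import hmac

# Constructed from the log entry in the question: the POST fields ("query" in
# the library's log) and the cookies, with the analytics cookies trimmed.
LOGGED_REQUEST = {
    "requestType": "POST",
    "query": {"title": "234", "date": "08/06/2015", "submit": ""},
    "cookie": {"ctkn": "3c8c7dfebc", "PHPSESSID": "SESSION_ID"},
}


def validate_csrf(request, token_name):
    """Simplified model of the per-request check (an assumption, not the
    library's code): the field `token_name` in the POST body must be present
    and equal to the token the server issued, read here from the cookie of
    the same name because that is what the log shows."""
    issued = request["cookie"].get(token_name)
    submitted = request["query"].get(token_name)
    if issued is None:
        return False, "no token cookie: the client never received one"
    if submitted is None:
        return False, "token not submitted with the form fields"
    # Constant-time compare so a wrong guess does not leak how many bytes matched.
    if not hmac.compare_digest(issued, submitted):
        return False, "token mismatch"
    return True, "ok"


def inject_token(fields, cookies, js_token_name):
    """What the client-side script has to do before the form is sent: copy the
    token cookie into a form field. If the JS is configured with a name the
    server never set a cookie under, it finds nothing and adds nothing."""
    token = cookies.get(js_token_name)
    if token is None:
        return dict(fields)
    return {**fields, js_token_name: token}


def diagnose(request, server_token_name="ctkn", js_token_name="csrf_token"):
    """Replay the logged request three ways and return the verdict for each."""
    results = {}
    # 1. Exactly as logged: the modal/JS never added the token to the fields.
    results["as logged"] = validate_csrf(request, server_token_name)
    # 2. Client JS uses the same token name as the server config.
    matching = dict(request, query=inject_token(request["query"], request["cookie"], server_token_name))
    results["js uses server name"] = validate_csrf(matching, server_token_name)
    # 3. Client JS still uses a different name than the server config.
    mismatched = dict(request, query=inject_token(request["query"], request["cookie"], js_token_name))
    results["js uses other name"] = validate_csrf(mismatched, server_token_name)
    return results


if __name__ == "__main__":
    for case, (ok, why) in diagnose(LOGGED_REQUEST).items():
        print(f"{case:22} -> {'allow' if ok else '403'} ({why})")
```

Only the second case is accepted; the first and third are both rejected for the same reason, which is why renaming the token in only one of the two config files looks identical in the log to a form that bypasses the script entirely.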

Related

Trying to Stream music while connecting Nexmo NCCO

I tried to stream music while connecting the agent into the phone call,
but it gets stuck in the stream and only then calls.
Has anyone used it before? I'm sure it's impossible to do this.
Code:
$array[] = array(
"action" => "stream",
"streamUrl" => array("https://pbx.makeapp.co.il/wait.mp3"),
);
$array[] = array(
"action" => "connect",
"eventType" => "synchronous",
"eventUrl" => array("https://pbx.makeapp.co.il/config.json?step=1"),
"timeout" => 30,
"from" => "YOUR_NEXMO_PHONE",
"endpoint" => array(array(
"type" => "sip",
"uri" => "sip:your_sip#sip.antisip.com",
)
)
);
You are correct: it is not possible to have two actions running at the same time using an NCCO. When you add a stream action to the start of your NCCO, it must complete before the call moves on to the next action. An NCCO array is actioned from top to bottom, and only moves on to the next action when the current one has finished. You can find some more info in the NCCO concepts section of the documentation: https://developer.nexmo.com/voice/voice-api/ncco-reference

PHP : Parse ini file with .php extension

How can I parse an ini file with a .php extension, e.g. config.ini.php?
Below are the contents of the file.
<?php
[Session]
SessionTimeout=1200
ActivityTimeout=600
CookieTimeout=0
SessionNameHandler=custom
Handler=SessionHandlerDB
?>
I tried parse_ini_file; it's not working.
Here is the error I am getting: Warning: syntax error, unexpected END_OF_LINE, expecting '='
I am using a framework in which I cannot remove the PHP tag.
<?php
$configContent = file_get_contents('config.ini.php');
$iniContent = preg_replace('/<\?php|\?>/m', '', $configContent);
var_export(parse_ini_string($iniContent));
Result:
array (
'SessionTimeout' => '1200',
'ActivityTimeout' => '600',
'CookieTimeout' => '0',
'SessionNameHandler' => 'custom',
'Handler' => 'SessionHandlerDB',
)
If you cannot remove the PHP-tags, a better approach:
<?php
return [
'session' => [
'SessionTimeout' => 1200,
'ActivityTimeout' => 600,
'CookieTimeout' => 0,
'SessionNameHandler' => 'custom',
'Handler' => 'SessionHandlerDB',
]
];
Use:
$config = require 'config.inc.php';
I know this is more than 5 years old now, but I wanted to add my 2¢.
I don't know why everyone is giving the OP such a hard time about creating their ini file as PHP. It adds extra security so that even if a user knows the path to the file, it cannot be accessed.
To answer the OP's original question, I'm doing this in my own home-brewed CMS and it's working beautifully with parse_ini_file:
;<?php die();
/*
[Session]
SessionTimeout=1200
ActivityTimeout=600
CookieTimeout=0
SessionNameHandler=custom
Handler=SessionHandlerDB
*/
?>
Just block-comment out the ini code and prepend the first line with a semicolon. The ini parser sees the PHP as a comment and PHP sees the ini as a comment, while parse_ini_file can still read it. For even extra security, you can add the die();.
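The point of the .php extension in both the question's file and the commented-out variant above is that a request for the file's URL runs PHP instead of serving the settings verbatim, so the wrapper lines must be the first thing in the file and the INI reader must skip them. The following Python is an added example, not code from the thread or from PHP itself: it strips the wrapper lines explicitly (the <?php tag with anything after it, ?>, and the /* */ delimiters), parses the remainder with the standard configparser, and adds a deployment check that the file really does open with a PHP tag. Both sample files are constructed here from the contents shown in the question and the last answer.

```python
import configparser
import re

# A line that exists only to make the file safe to serve as PHP: the opening
# tag (optionally followed by code such as "die();"), the closing tag, or the
# C-style comment delimiters that hide the INI body from PHP.
_PHP_GUARD_LINE = re.compile(r"^\s*(<\?php\b.*|\?>|/\*|\*/)\s*$")


def strip_php_guard(text):
    """Return the INI body with the PHP wrapper lines removed. Lines starting
    with ';' (such as ';<?php die();') stay: they are ordinary INI comments."""
    kept = [line for line in text.splitlines() if not _PHP_GUARD_LINE.match(line)]
    return "\n".join(kept) + "\n"


def parse_ini_php(text):
    """Parse a config.ini.php-style file into {section: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep SessionTimeout etc. in their original case
    parser.read_string(strip_php_guard(text))
    return {section: dict(parser.items(section)) for section in parser.sections()}


def php_guard_present(text):
    """Deployment check: the first non-blank line must open a PHP block, so a
    web request for the file executes PHP rather than returning the settings.
    Anything before '<?php' on that line (the ';' in the commented-out trick)
    is echoed back by PHP, so allow at most that one character in front."""
    for line in text.splitlines():
        if line.strip():
            return "<?php" in line and line.index("<?php") <= 1
    return False


# Constructed sample: the file exactly as shown in the question.
TAGGED_INI = """<?php
[Session]
SessionTimeout=1200
ActivityTimeout=600
CookieTimeout=0
SessionNameHandler=custom
Handler=SessionHandlerDB
?>
"""

# Constructed sample: the commented-out variant from the last answer.
GUARDED_INI = """;<?php die();
/*
[Session]
SessionTimeout=1200
ActivityTimeout=600
CookieTimeout=0
SessionNameHandler=custom
Handler=SessionHandlerDB
*/
?>
"""

if __name__ == "__main__":
    for name, sample in (("tagged", TAGGED_INI), ("guarded", GUARDED_INI)):
        print(name, php_guard_present(sample), parse_ini_php(sample))
```

Both samples parse to the same Session section. A file that fails php_guard_present is one the web server will hand out as plain text if it ever sees a request for it, which is the situation the .php extension is meant to rule out.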

Filling a text field in a php form field with passed URL data

I'm trying to fill the following form field with info passed from a form via the URL. I just can't seem to make it work. My PHP is super limited.
This is the URL:
https://www.example.com/membership-account/?level=1&course=Online%20Membership
And this is the text field I'm trying to fill in the PHP form:
$fields[] = new Form_Field("Course", "text", array(
"size" => 40,
"class" => "Course",
"profile" => true,
"required" => true
));
I'm presuming I need to put $_GET['course'] in there somewhere, but wherever I place it, it just doesn't seem to work. Maybe there is more code required than simply including the $_GET call?
Additional Information:
Mohan's addition of $_GET works; however, removing 'text' means the field type is not defined, so where the field should be, it instead reads "Unknown type Online Membership for field Course." Including 'text' where it was originally, for some reason, prevents $_GET from working??
So I guess the question now is, how do I get 'text' and $_GET to work together?
Additional Information:
Could the $_GET be placed as a value in the array? I've tried putting:
"text" => $_GET['course']
or
"course" => $_GET['course']
but neither works. I'm probably thinking about it the wrong way.
Any help at this point would be really appreciated.
Thanks
$fields[] = new Form_Field("Course", trim($_GET['course']), array(
"size" => 40,
"class" => "Course",
"profile" => true,
"required" => true
));
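Whatever argument of Form_Field eventually receives the value (the constructor's signature is not shown on the page, and the OP's own follow-up reports that handing $_GET['course'] in as the second argument makes it the field type), the value comes straight from the query string and ends up inside an HTML attribute, so it has to be escaped before it is rendered. The following Python is an added example, independent of the OP's framework and not the answer's code: it extracts the course parameter the way $_GET['course'] would, renders the same text field once without escaping and once with html.escape, and shows with a constructed hostile URL that only the escaped version keeps the value inside the attribute. MAX_LEN is an assumed limit, not a value from the page.

```python
import html
from urllib.parse import parse_qs, urlsplit

MAX_LEN = 80  # assumption: a course name never needs more than this


def course_from_url(url):
    """Pull ?course=... out of the URL the way $_GET['course'] would, trim it
    and cap its length. Returns '' when the parameter is absent."""
    params = parse_qs(urlsplit(url).query)
    value = params.get("course", [""])[0].strip()
    return value[:MAX_LEN]


def render_field_unsafe(name, value, size=40):
    """Constructed 'before' version: the value lands in the attribute unescaped."""
    return f'<input type="text" name="{name}" class="{name}" size="{size}" value="{value}" required>'


def render_field(name, value, size=40):
    """Hardened version: quote=True also escapes " and ', so the value cannot
    close the attribute and start a tag of its own."""
    safe_name = html.escape(name, quote=True)
    return (f'<input type="text" name="{safe_name}" class="{safe_name}" '
            f'size="{int(size)}" value="{html.escape(value, quote=True)}" required>')


def attribute_breakout(rendered):
    """True if more than one tag opens in the rendered snippet, i.e. the
    value broke out of the attribute it was written into."""
    return rendered.count("<") > 1


# The URL from the question.
GENUINE_URL = "https://www.example.com/membership-account/?level=1&course=Online%20Membership"
# Constructed attacker URL: the parameter tries to close the value attribute
# and inject markup (a standard reflected-XSS probe, URL-encoded).
HOSTILE_URL = ("https://www.example.com/membership-account/"
               "?level=1&course=x%22%3E%3Cscript%3Ealert(1)%3C/script%3E")

if __name__ == "__main__":
    for url in (GENUINE_URL, HOSTILE_URL):
        value = course_from_url(url)
        print("unsafe :", render_field_unsafe("Course", value))
        print("escaped:", render_field("Course", value))
```

The genuine URL renders identically either way; the escaping only changes the output when the parameter contains characters that have meaning in HTML, which is exactly the case a prefilled form has to be ready for.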

Cloudinary, jQuery limit to single image upload

I'm using Cloudinary and jQuery with PHP but can't find any option for how to limit the upload to just one file.
In my cl_image_upload_tag I tried setting "html" => array("multiple" => false) but this has no effect.
I read the Cloudinary documentation but couldn't see any option for it. Any ideas? Thanks.
I found that changing the line from:
echo cl_image_upload_tag('xx', array("tags" => "xxxx", "callback" => $cors_location, "html" => array("multiple" => true)));
to this:
echo cl_image_upload_tag('xx', array("tags" => "xxxx", "callback" => $cors_location ));
i.e. removing "multiple" did the trick; setting it to false didn't work, nor did changing limitMultiFileUploads in the JS file.

Construct JSON object with symfony 1.4, with a field with html content

I've seen some questions here about almost the same thing, but after following their suggestions I keep getting the same behavior.
I'm constructing the JSON object in my action as follows:
return $this->renderText(json_encode(array(
'html' => addslashes($this->renderPartial('global/formWrapper',
array(
'form' => $nareas,
'url' => $this->generateUrl('new_promo_step2'),
'cancelUrl' => 'new_promo',
))),
'error' => true)));
and I'm getting the following response:
<html>
The html content which is supposed to be in the "html" property of my json
object...
</html>{"html":"None","error":true}
along with a Content-Type: text/html; charset=utf-8 header.
In my jQuery ajax request, I've set the dataType as 'json' (and of course I get an unexpected character error), and as 'text' (and I get no error, but keep getting the malformed JSON).
I've tried using addslashes() (as in the example) and without this function; I tried using the ESC_RAW symfony option, and got the same.
I'm expecting to get something like this:
{"html":"<html>Html content</html>","error":true}
Please, any help would be strongly appreciated!
Thanks!
To render a partial from the action you will need to load your partials as an include and use getPartial to retrieve it into your renderText call.
sfLoader::loadHelpers('Partial');
return $this->renderText(json_encode(array(
'html' => addslashes(getPartial('global/formWrapper',
array(
'form' => $nareas,
'url' => $this->generateUrl('new_promo_step2'),
'cancelUrl' => 'new_promo',
))),
'error' => true)));
