I'm trying to send a POST request with part of the webpage URL as the parameter. For instance, in this url:
http://testsite.com/confirmEmail/?token=abcdefg
I want to be able to send the input token with the value abcdefg. I want to make this responsive to different token values. Any ideas?
Thanks
This answer is assuming they will do some action on this page, otherwise you would want a redirect.
<?php
$token=$_GET['token'];
?>
<form method="POST">
<input type="hidden" name="token" value="<?php echo htmlentities($token, ENT_QUOTES);?>" />
<!--other form fields and submit button here-->
</form>
UPDATE:
This was a simple answer, to be easily understood, but of course echoing out a get variable straight from the url opens you up to xss. Someone edited my answer to strip quotes from that variable but htmlentities() is also vulnerable to xss. I believe the appropriate function nowadays is htmlspecialchars($token, ENT_QUOTES, "UTF-8"). If you go this route, you need to be careful about which encoding & characters you put in your tokens now, so they aren't stripped, which would probably break your verification process. Looks like it's numeric in the example, so you should be ok. Also remember someone could still post a modified form, so you need to sanitize this token field to prevent injections, but hopefully that's not relevant to this question.
Related
My need is to send multiple values when a user clicks a button which uses GET METHOD.
Since multiple values are to be sent, I am using an argument as follows:
$argument='var2=value2&var3=value3';
echo "<button value='value1&$argument&' type='submit' name='var1'>Send</button>";
Essentially, the button tag in HTML has a restriction that it can send ONLY one name-value pair. In this case, it will send name='var1' and corresponding value as value1. Hence, I am appending the other name-value pairs through the PHP $argument variable. In this case, var2=value2&var3=value3 are getting appended, and sent.
All good till here.
The problem is that when it reaches the submitted page, it is getting the following encoding:
https://example.com/dir1/page.php?var1=value1%26var2%3Dvalue2%26var3%3Dvalue3%26
Essentially, the & is getting %26, and = is becoming %3D.
I am aware that this is due to the inbuilt encodeURIComponent of HTML, but due to this encoding the form submission is failing.
I am looking for a way/method to receive the following in the submitted page (i.e. without encoding), so that it can be processed smoothly:
https://example.com/dir1/page.php?var1=value1&var2=value2&var3=value3&
PS: have explored existing threads like Escaping ampersand in URL & Why does %26 get decoded to & when passed as a parameter to a JavaScript function from a link? & many more, but unable to find the answer.
Also tried the following as mentioned in URL/HTML escaping/encoding, but not working:
echo "<button value='value1&".htmlspecialchars($argument)."' type='submit' name='var1'>Send</button>";
If any existing answer exists, pls point me to it in the comment before marking this question down.
Thanks
You can simply put these values individually in hidden fields in the form which the button is part of.
e.g.
<form>
<button type='submit' name='send'>Send</button>
<input type="hidden" name="var1" value="<?php echo htmlspecialchars($val1)?>">
<input type="hidden" name="var2" value="<?php echo htmlspecialchars($val2)?>">
</form>
The browser will then use these to create a properly-constructed and encoded URL for you automatically when the form is submitted.
I am trying to input submit value and want to pass the value to another page through GET but for that I have to use two Clicks button.
I want the same in a single click. Help required.
Code:-
<form method="post">
<input name="inwardid" type="text" id="inwardid" />
<?php $inwardid = $_POST['inwardid']; ?>
<input type="submit" value="Next" />
</form>
<a href="addbook.php?up=<?php echo $inwardid; ?>"><button>Proceed</button>
You want to send the value the user typed in to the other page. So use this for your <form>:
<form method="POST" action="addbook.php">
<input name="up" type="text" id="up">
<input type="submit" value="Proceed">
</form>
To access the value in addbook.php, use $_POST['up'].
This will send the value the user typed in the input label (type="text") to the addbook.php page, using a $_POST. No need for a $_GET, $_POST will do just fine.
As you deliberately asked for method GET, my solution shows you GET!
You must know there is no security issue when using GET. It depends what you want to do. GET is useful if you want to use a dynamic code in multiple ways depending on some some variables that you do not want to hard-code in your script, or simply do not want to send files or other huge data.
Lets admit a newspaper has a site called breaking_news.php and you want to access the breaking news of November 8, 2016you could use this as :
breaking_news.php?y=2018&m=11&d=08
The fact that one can see your GET vars means nothing. Even by using POST one can see your variables by looking at your code. And one way or the other you must protect against code injection and brute force.
But if your not in the mood to show this vars to your visitor you can use URL rewriting to rewrite the url above in the browser as
RewriteRule ^breaking/(.*)/(.*)/(.*)/news\.html$ breaking_news.php?y=$1&m=$2&d=$3 [NC,L]
so you send your visitor to see the (rewritten)URL
breaking/2018/11/08/news.html
but what the web-server is showing him is:
breaking_news.php?y=2018&m=11&d=08
A reason to use this if for example when you want your dynamic site to be taken into consideration by some searching engine as a static site, and get indexed. But this is again another battle field.
Second, you want to send the variable to "addbook.php", and not to itself.
Your question sounded like you want to send to "another page" not to the same page.
Third, I can see in your code snippet you want to submit the variable "up" and not "inwardid", as you did in your code.
And also I can see you want the "submit" button to be called "Proceed".
Your code would look like this:
<form method="GET" enctype="application/x-www-form-urlencoded" action="addbook.php" target="_blank">
<input name="up" type="text" id="inwardid" />
<input type="submit" value="Proceed" />
</form>
As I said you must protect against injection, and this means for example, that in the "addbook.php",to whom you are sending the variables you must write some code that protects you against this issues. As your question is not in this direction I will not enter this subject.
To avoid problems with special chars you must "url-encode" your variable specially when sending them per POST method. In this case you must use this enctype if your handling text. Because this enc-type is transforming special chars into the corresponding ASCII HEX-Values.
Using GET your safe, because GET cant send in another enc-type. So your variable will automatically be url-encoded and you receive a string that is compliant to RFC 3986 similar by using:
rawurlencode($str)
Lets admit someone smart guy fills in a your input box the following code, in the desire to break your site. (This here is not exactly a dangerous code but it looks like those who are.)
<?php echo "\"?> sample code in c# and c++"; ?>
using enctype="application/x-www-form-urlencoded" this will become something like this:
%3C%3Fphp%20echo%20%22%5C%22%3F%3E%20sample%20code%20in%20c%23%20and%20c%2B%2B%22%3B%20%3F%3E
what makes it safe to be transported in a URL, and after receiving and cleaning it using
strip_tags(rawurldecode($_GET['str']))
it would output something like this, what is a harmless string.
sample code in c# and c++
I have a form.
<form name="form1" method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
<p><label>User Name : </label>
<input id="username" type="text" name="username" /></p>
<p><label>Password : </label>
<input id="password" type="password" name="password"/></p>
<a class="btn" href="register.php">Signup</a>
<input class="btn register" type="submit" name="submit" value="Login" />
</form>
which use $_SERVER["PHP_SELF"].
On submitting (POST) the data, the users credentials are sent in plain text (shown below)
Where as if I replace the $_SERVER['PHP_SELF'] with say a "check_login.php" there isn't a problem.
I used the acunetix scanner too which also says "User credentials are sent in clear text".
I need to use the $_SERVER['PHP_SELF'] but without the credential being shown.
The vulnerability alert you are receiving is being displayed because the web server is making use of HTTP rather than HTTPS when the client is sending the user credentials.
This would not have anything to do with your PHP form—regardless of how you implement it, the information is still being sent in clear text. Example:
POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
uname=test&pass=test
You can see the uname and pass parameters being sent in plain text and can be intercepted and read by anyone.
For more information, I would encourage you to read the answer of the following question.
Whilst we're at it, you might also want to check out Let's Encrypt and Acunetix should you want to keep yourself extra secure ;-)
You are misunderstanding the problem, and misunderstanding $_SERVER['PHP_SELF'].
Firstly, your actual problem has nothing to do with $_SERVER['PHP_SELF'], nor with your form nor PHP. The problem is because your site is not secured with HTTPS. If you're using HTTP, then everything the browser sends or receives is sent in plain text and can potentially be intercepted. If you want your traffic to be secure then you need to use HTTPS instead. This is something you configure in your server, and is entirely separate from anything in your PHP code.
Secondly, you state "I need to use the $_SERVER['PHP_SELF']...". This is not actually true: you don't need to use $_SERVER['PHP_SELF'] in this context. $_SERVER['PHP_SELF'] is a global variable in your PHP program that contains address of the current page. So if you visit userinfo.php within your site, then the $_SERVER['PHP_SELF'] will contain /userinfo.php. This is the value that you're putting into the form's action attribute. That's fine, but understand that you don't actually need it in this context, because the default value of action is to submit the form back to the current page. In other words, your form will work exactly the same if you omit $_SERVER['PHP_SELF'] entirely. This isn't in any way related to your security warning, but I felt it was important to clarify what's going on here, to help you understand that $_SERVER['PHP_SELF'] isn't some magical thing that makes the form work; it's just a string variable with a pagename in it.
Suppose my Form codes look like this
URL : localhost/my-url.php
<form action="hello.php">
...bla bla bla
</form>
I will process the data in hello.php and i want to redirect to user to same url after processing (according to above example)
localhost/my-url.php
I know we can use header but i don't know how to get that url from which form was submited :(
Googled but didn't found any use full.
Thanks.
Add a hidden value in your form:
<input type="hidden" name="lastUrl" value="<?php echo $_SERVER['REQUEST_URI'] ?>" />
You now have the URL in $_POST['lastUrl'] data. You need to do it that complicated because $_SERVER["HTTP_REFERER"]; is send by the browser, and not all of them do this reliable.
You should put a hidden field in your form and set its value to current page url.
Then you submit the form and get the value of hidden field.
Then you can redirect user to hidden field (which is actually a URL of the page where you are submitting form) by using javascript or php.
You can use the
$_SERVER["HTTP_REFERER"];
to get the original URL where the form was posted from.
Remember to escape it, if you use it however. ]
Alternatively, you can process the form using AJAX, send process things (redirection) client-side.
Note that form data can be changed and intercepted if you wish to send the URL of the page as form data.
I'm newbie in PHP.I want to know that,I taking data by html form and a .php file.
like:
<form id="form1" name="form1" method="post" action="show.php">
<strong>Please Enter the Unique id</strong><br/><br/>
Unique id:
<!-- name of this text field is "tel" -->
<input name="id" type="text" id="id" />
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</html>
Then,I used show.php file to get the 'id'.like:
$id=$_POST['id'];
Is there any way to take input by php code???
Update:
In "C" we take ant input by this way
scanf("%d",a);
is there any way to do so in PHP.I think now all you may be clear what I'm trying to say??
Thanks
Yasir Adnan.
What you are you trying to get is wrong!
HTML:- It is the communicator between the user and the browser. It displays the contents according to the user input or html code.It gets data from user or from html code.
Php :- It is the communicator between server and the browser. It has the capability of collecting from some where else other than the code like mysql data base and then uses html to display the content!
Here you are asking php to do html work which is not correct!!
the html
<input name="sb_id" type="text" id="sb_id" />
php
$id=$_POST['sb_id'];
Well, you do take the input by your php code. Your variable $id took the value of $_POST['id'] which contains the input of the textfield.
After this step you can work with the variable like any other
$id = $_POST["sb_id"]; ?
Remember that $_POST["field_name"] where field_name must be match the name attribute of your <input /> tag.
the id attribute of input tag is not sent to server inside the $_POST array. It`s typically used in client-side.
You can get data in your PHP code through GET and POST parameters. Those parameters are part of the HTTP request.
The GET parameters are in the url :
http://mywebsite.com/id=3&name=test
Then you get them using:
$id = $_GET['id'];
$name = $_GET['name'];
So you can get input data through this way when people visit the URL, call it in AJAX, or call the URL in another application (like a webservice). But no matter how it's called, it's the same for you on the PHP side.
The POST parameters are in the HTTP request, you can't pass them through the URL. You can do that by using an HTML form, or by creating the HTTP request yourself. If you are using Javascript to call your PHP code (and pass data to it), you can use AJAX to do that for example. You, in your PHP code, can get the variables this way:
$id = $_POST['id'];
$name = $_POST['name'];
If you want console-style I/O, you should probably check JavaScript/AJAX. The second one will allow you to write your own wrapper that will help you to process the input by your server "on air".
The problem is, you still need to use $_POST for AJAX. And, which is more important, it's easier (and cheaper for the server) to validate and process input by JS (and to validate and process it further on the server-side after submit).
And if the question is "how can I get the variable from the needed format?", the answer is: try using regexps/parsing the string.
Oh, btw: there IS scanf() in php, and it's called 'sscanf' ('fscanf' for files).