How can I post some known queries (hard-coded) together with user input?
For example, if I did not need user input, the query would look like this:
$post = "userid=11&token=abcdef&action=set&name=cf_1&value=UserInput";
But, since I need the value from users, I make something like this:
<form action="submit.php" method="post">
Insert cf_1: <input name='value' type='text'>
<input value="submit" type="submit">
</form>
And the php script:
<?php
$url = "someurl"; // placeholder for the real endpoint
$post = "userid=11&token=abcdef&action=set&name=cf_1";
$options = array( CURLOPT_URL => $url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $post
);
$ch = curl_init();
curl_setopt_array($ch, $options);
curl_exec($ch);
curl_close($ch);
?>
However, using the above form and PHP script, the user input couldn't be submitted to the server.
$post .= '&value='.$_POST['value'];
Make sure you do the necessary cleaning of the $_POST value, though.
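An added example (not part of the original answer) of what that cleaning amounts to here: the user's value has to be URL-encoded before it joins the fixed fields, otherwise an `&` in the input changes the parameter list itself. The function names and the sample input are constructed for illustration; the fixed fields are the ones from the question.

```php
<?php
// Added example: fixed fields taken from the question, helper names are hypothetical.
const FIXED_FIELDS = [
    'userid' => '11',
    'token'  => 'abcdef',
    'action' => 'set',
    'name'   => 'cf_1',
];

// Plain concatenation: the raw value becomes part of the query syntax, so an "&"
// inside it starts a new field, and a repeated name such as "action" replaces
// the hard-coded one when the receiver parses the body.
function build_body_concat(string $value): string
{
    return http_build_query(FIXED_FIELDS) . '&value=' . $value;
}

// Encoded form: http_build_query() percent-encodes the value, so it stays a
// single field. Fixed fields are merged last so they can never be overridden.
function build_body_encoded(string $value): string
{
    // Length limit and control-character check are assumed policy for this field.
    if (strlen($value) > 255 || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('value rejected');
    }
    return http_build_query(array_merge(['value' => $value], FIXED_FIELDS));
}

// Parse a body the way a PHP receiver would see it in $_POST.
function parse_body(string $body): array
{
    parse_str($body, $fields);
    return $fields;
}

$input = 'hello&action=other'; // constructed input containing a field separator

$bodies = [
    'concatenated' => build_body_concat($input),
    'encoded'      => build_body_encoded($input),
];
foreach ($bodies as $label => $body) {
    echo $label, ': ', $body, "\n";
    print_r(parse_body($body));
}
```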
I'm using this crappy API, and it gives you an apptoken as part of the URL to use in the action bit of a form. The method is post. What I want to do is try and hide the apptoken from being in the source code (it's not really necessary but now I want to know if what I'm trying to do is even possible.) So my idea was to set the form action to an HTML form to be a function.php and have function.php be the one doing the posting of the form's action to the http://domain.com/apptokenxxxxxxxxx
function.php would not be publicly readable therefore hiding the apptoken sort of like a content management systems config file.
Is this even possible? Or am I chasing a rabbit down the wrong hole... I just need to be pointed in the right direction.
EDIT:
HTML Form:
<h2>Client Tracker: Sample Clients</h2><form name=qdbform method=POST onsubmit='return validateForm(this)' encType='multipart/form-data' action=https://sample.quickbase.com/db/bdrsrxjnrr?act=API_AddRecord&apptoken=cwfcy7gdzsjeo6556ebi2bn4u4kr>
<input type=hidden name=fform value=1>
<table>
<tr><td class=m>Company</td>
<td class=m><input type=text size=40 name=_fid_5 ></td></tr>
<tr><td class=m>Contact</td>
<td class=m><input type=text size=40 name=_fid_10 ></td></tr>
<tr><td class=m>Comments</td>
<td class=m><textarea name=_fid_12 rows=6 cols=40></textarea></td></tr>
</table><input type=hidden name=rdr value='http://bbc.co.uk'>
<input type=submit value=Save>
</form>
<script lang=javascript>
function validateForm(theForm)
{
}
</script>
So - the bit here: action=https://sample.quickbase.com/db/bdrsrxjnrr?act=API_AddRecord&apptoken=cwfcy7gdzsjeo6556ebi2bn4u4kr> I want to be hidden from someone just seeing by doing a view source. The way that I thought of doing it is having the webserver handle it server side so that the web user never gets to see where the data is actually being sent to, other than the function.php or whatever I call it.
Okay, since you don't have enough real code, let me give you a simple example to walk through the problem and the solution.
First of all, create a new page, like secondpage.php to process your form. Also, you don't have to add any hidden input fields in your form, the server side PHP page and cURL library will take care of those, which are explained in later point(s). So let's say your form is like this:
<h2>Client Tracker: Sample Clients</h2>
<form action="secondpage.php" method="POST" name="qdbform" onsubmit="return validateForm(this)" enctype="multipart/form-data">
<table>
<tr><td class="m">Company</td>
<td class="m"><input type="text" size="40" name="_fid_5" /></td></tr>
<tr><td class="m">Contact</td>
<td class="m"><input type="text" size="40" name="_fid_10" /></td></tr>
<tr><td class="m">Comments</td>
<td class="m"><textarea name="_fid_12" rows="6" cols="40"></textarea></td></tr>
</table>
<input type="submit" name="submit" value="Save">
</form>
Look at the action attribute: instead of sending the form directly to the API server, send the form data to the secondpage.php page, which will process your form and send the appropriate data (including the token) to the API server.
Now on the secondpage.php page, process your form and send data (including the API token) to the API server using the cURL library. Using this library you can send the data to the API server via HTTP POST, that too without using any <form>. So assuming that you also want to send the _fid_5, _fid_10 and _fid_12 field values to the API server, the code on the secondpage.php page would be like this:
if(isset($_POST['submit'])){
$url = "https://sample.quickbase.com/db/bdrsrxjnrr?act=API_AddRecord&apptoken=cwfcy7gdzsjeo6556ebi2bn4u4kr";
$data = array('_fid_5' => $_POST['_fid_5'], '_fid_10' => $_POST['_fid_10'], '_fid_12' => $_POST['_fid_12']);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
$response = curl_exec($ch);
curl_close($ch);
}
There are a few points to note here:
Set CURLOPT_RETURNTRANSFER to true to return the transfer as a string of the return value of curl_exec() instead of outputting it out directly.
CURLOPT_SSL_VERIFYPEER can be used to verify peer's certificate. If we specify it as false, it will accept any server(peer) certificate.
CURLOPT_POST is used to do regular HTTP POST. This POST is the normal application/x-www-form-urlencoded kind, most commonly used by HTML forms.
CURLOPT_POSTFIELDS is used to specify full data we want to submit with this POST request. The $data array should be converted to URL-encoded query string using http_build_query() function, so that it could be sent as application/x-www-form-urlencoded.
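A hardened variant of the secondpage.php proxy, as an added example (not the answerer's code): the token is read from the server environment instead of being written in the script, only the three form fields are forwarded, and certificate verification stays on so the token is only ever sent to the genuine API host. The environment variable name QB_APPTOKEN, the helper names, the length limits and the confirmation page are assumptions; the endpoint is the one from the question.

```php
<?php
// Added example. QB_APPTOKEN is a hypothetical variable set in the web server config.
const API_ENDPOINT   = 'https://sample.quickbase.com/db/bdrsrxjnrr';
const ALLOWED_FIELDS = ['_fid_5' => 200, '_fid_10' => 200, '_fid_12' => 2000]; // name => max bytes
// Keep only the expected fields as bounded strings; anything else in $_POST is dropped.
function filter_fields(array $post): array
{
    $clean = [];
    foreach (ALLOWED_FIELDS as $name => $maxLen) {
        $value = $post[$name] ?? '';
        if (!is_string($value) || strlen($value) > $maxLen) {
            throw new InvalidArgumentException("bad field: $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

function forward_record(array $fields, string $token): string
{
    $url = API_ENDPOINT . '?' . http_build_query(['act' => 'API_AddRecord', 'apptoken' => $token]);
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // and that it matches the host name
        CURLOPT_FOLLOWLOCATION => false,  // never replay the request to another host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $response = curl_exec($ch);
    if ($response === false) {
        // The URL contains the token, so log the cURL error text only, never $url.
        error_log('API_AddRecord failed: ' . curl_error($ch));
        throw new RuntimeException('upstream request failed');
    }
    return $response;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $token = (string) getenv('QB_APPTOKEN');
        if ($token === '') {
            throw new RuntimeException('token not configured');
        }
        forward_record(filter_fields($_POST), $token);
        header('Location: /thanks.html', true, 303); // hypothetical confirmation page
    } catch (Throwable $e) {
        // Generic message to the browser; details stay in the server log.
        http_response_code($e instanceof InvalidArgumentException ? 400 : 502);
        echo 'Could not save the record.';
    }
}
```

The API response is not echoed back to the browser, since an upstream error page may repeat the request URL and with it the token.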
You could do this without curl using the following snippet. Just populate the data array with your information. Then you'll be able to post without revealing your API or action URLs.
$url = 'ENTER_ACTION_HERE';
$data = array('key1' => 'value1', 'key2' => 'value2');
// use key 'http' even if you send the request to https://...
$options = array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data)
)
);
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
if ($result === FALSE) { /* Handle error */ }
var_dump($result);
In broad terms here's what you do. You have your form submit to send.php:
<form name="qdbform" method="post" onsubmit="return validateForm(this)" action="send.php">
In send.php you use curl or another library to post data to the url:
$token = "cwfcy7gdzsjeo6556ebi2bn4u4kr";
$api_url = "https://sample.quickbase.com/db/";
// whatever library you use will allow you to set parameters
// and perform a post action to the endpoint
Here's how to send your request and receive the response:
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => $url,
CURLOPT_POST => true,
// or this for a custom HTTP method
// CURLOPT_CUSTOMREQUEST => $method,
// i.e. ['Content-Type: application/json']
CURLOPT_HTTPHEADER => $headers,
// send your POST data here; if it's an array use http_build_query() around it
CURLOPT_POSTFIELDS => $body,
// executing the cURL operation returns a string containing the full response
CURLOPT_RETURNTRANSFER => true,
// retrieve the headers too
CURLOPT_HEADER => true,
// you may or may not want this; some servers have problems
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_CONNECTTIMEOUT => 5,
]);
$response = curl_exec($curl);
if(empty($response)) {
throw new Exception(curl_error($curl), curl_errno($curl));
}
Information on how to parse the response can be found here:
Can PHP cURL retrieve response headers AND body in a single request?
I'm trying to pass some data (JSON) to another page by scanning a QR code.
The page where the data is sent to contains an HTML form. I want to use that form as a last chance to correct the data before sending it to the database.
I found here at S.O. a way to pass the data using cURL: (https://stackoverflow.com/a/15643608/2131419)
QR code library:
http://phpqrcode.sourceforge.net
I use the QR code to execute this function:
function passData () {
$url = 'check.php';
$data = array('name' => 'John', 'surname' => 'Doe');
$ch = curl_init( $url );
# Setup request to send json via POST.
$payload = json_encode($data);
curl_setopt( $ch, CURLOPT_POSTFIELDS, $payload );
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
# Return response instead of printing.
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
# Send request.
$result = curl_exec($ch);
curl_close($ch);
# Print response.
return $result;
}
Create QR code:
QRcode::png(passData(), $tempDir.'007_4.png', QR_ECLEVEL_L, 4);
echo '<img src="'.$tempDir.'007_4.png" />';
Check.php
<?php $data = json_decode(file_get_contents("php://input"), true); ?>
<form method="post" action="handle.php">
<input type="text" name="name" value="<?php echo htmlspecialchars($data['name'] ?? '', ENT_QUOTES, 'UTF-8');?>" /><br />
<input type="text" name="surname" value="<?php echo htmlspecialchars($data['surname'] ?? '', ENT_QUOTES, 'UTF-8');?>" /><br />
<input type="submit" />
</form>
Problem:
I can pass the data to check.php, but it's returning plain text instead of a useable HTML form.
Hope someone can help!
EDIT
Some clarification:
What I actually want is, to scan the QR code, which executes the passData() function. Then the 'QR code scanner app', needs to open a browser, which shows check.php with the form AND the passed data as the values of the input fields.
Now, I get only the response of check.php (plain text).
When I pass a URL instead of the passData() function like:
QRcode::png("http://www.google.com", $tempDir.'007_4.png', QR_ECLEVEL_L, 4);
The app asks if I want to go to http://www.google.com.
QR codes cannot execute code. The only executable type of data you can put in a QR code is a URL. That is why using google.com as a URL opens a web browser to that URL. The QR code itself does not render anything.
What your code is doing is fetching the check.php page when the QR code is generated and then storing the output as the raw data. It isn't a webpage, it is a string like you are seeing in your question. You may be able to pass a javascript URL similar to a bookmarklet but its execution would depend on the QR code reader being used.
bookmarklet example
<?php
function passData() {
// javascript code in a heredoc, you may need to url encode it
return <<<JS
javascript:(function() {
//Statements returning a non-undefined type, e.g. assignments
})();
JS;
}
A better way to do it would be to have your QR code generate a URL like: http://your-site.com/check.php?name=John&surname=Doe and host check.php on your machine. You can use the $_GET data to populate your form and then use javascript to automatically post it as Jah mentioned.
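The URL approach suggested above, as an added example that is not part of the original answer: one function builds the URL to encode in the QR code, and another renders check.php's form from the query string with every value escaped for its HTML attribute. The host name is the answer's placeholder; the function names, the field list and the length limit are assumptions.

```php
<?php
// Added example; FORM_FIELDS and the 100-byte limit are assumptions.
const FORM_FIELDS = ['name', 'surname'];

// Generator side: the string to hand to QRcode::png() in place of passData().
function build_check_url(array $data): string
{
    $query = array_intersect_key($data, array_flip(FORM_FIELDS));
    return 'http://your-site.com/check.php?' . http_build_query($query);
}

// check.php side: anyone can craft this URL, so the query string is untrusted input.
function render_check_form(array $get): string
{
    $html = '<form method="post" action="handle.php">' . "\n";
    foreach (FORM_FIELDS as $field) {
        $value = $get[$field] ?? '';
        if (!is_string($value)) {        // e.g. ?name[]=x arrives as an array
            $value = '';
        }
        $value = substr($value, 0, 100); // a cut multi-byte character is handled by ENT_SUBSTITUTE
        $html .= sprintf(
            '<input type="text" name="%s" value="%s" /><br />' . "\n",
            $field,
            htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        );
    }
    return $html . '<input type="submit" />' . "\n</form>\n";
}

// Constructed sample data with characters that need URL encoding and HTML escaping.
$url = build_check_url(['name' => 'John "JD"', 'surname' => "O'Neil & Sons"]);
echo $url, "\n";

// Simulate the request check.php would receive for that URL.
// In the real check.php the call is: echo render_check_form($_GET);
parse_str(parse_url($url, PHP_URL_QUERY), $query);
echo render_check_form($query);
```

handle.php still has to validate the submitted values itself, because the form can be bypassed with a direct POST.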
Not the best way but you can do something like this.
Check.php:
<?php
$data = '<form method="post" action="handle.php">
<input type="text" name="name" value="name" /><br />
<input type="text" name="surname" value="surname" /><br />
<input type="submit" />
</form>';
$html = str_replace(PHP_EOL, ' ', $data);
$html = preg_replace('/[\r\n]+/', "\n", $html);
$html = preg_replace('/[ \t]+/', ' ', $html);
$html = str_replace('> <', '><', $html);
?>
<div id="placeholder">
Write HTML here
</div>
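<script type="text/javascript">
function write_html(id,data){
var formHtml = data;
document.getElementById(id).innerHTML = formHtml;
}
// Insert the compacted form markup built in PHP above into the placeholder
write_html('placeholder', <?php echo json_encode($html); ?>);
</script>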
I know this is bad form, but we can't change the hidden input name as it is set by SalesForce. I have a form with an input like this:
<input type="hidden" name="00N5000000XXXXX" value="Demo_Account" />
and my PHP to post to them via cURL
$00N5000000XXXXX = $_POST['00N5000000XXXXX'];
which obviously won't work as it has number for a variable name.
When I change the name to:
$Foo = $_POST['00N5000000XXXXX'];
the back end doesn't work because it is expecting the form to submit a value with a name of 00N5000000XXXXX, not Foo or whatever I want to call it.
Obviously, I'm not a PHP developer but need some advice on how to get around this.
Thank you.
You don't have to save it to a variable first:
<?php
$transferPostFields = array(
'00N5000000XXXXX'
);
$postFields = array();
foreach ($_POST as $key => $value) {
if (in_array($key, $transferPostFields)) {
$postFields[$key] = $value;
}
}
$curlHandle = curl_init();
curl_setopt_array($curlHandle, array(
CURLOPT_URL => 'http://api.salesforce.com/whatever/urls/they/use',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($postFields)
));
$output = curl_exec($curlHandle);
echo 'The output we received from SalesForce was: ' . $output;
?>
If you want to transfer all post fields, simply change the top part (anything above $curlHandle = curl_init()) to:
$postFields = $_POST;
If you don't need to go past your own server first, then simply change your form:
<form method="post" action="http://api.salesforce.com/whatever/urls/they/use">
What I am trying to achieve is:
I have a web site to which I have full source code access. The pages in this web site have been created using Velocity templates and I have a page with the following form.
<h3>form data</h3>
<form action="$portalPath/test" method="post">
<input type="text" name="text" value="$!self.getTextFromFormData()" />
<input type="submit" />
</form>
Now from another application written in php, I want to make an http request to this page and get a file downloaded. (Which is an html file). To do that, I wrote following code from the other web application :
$url = 'http://localhost/portal/default/test';
$data = array('filename.html');
$options = array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data),
),
);
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
var_dump($result);
But the result shows the html source of the template I access(i.e. test) and not the html file I want to download. What I want to do is to make an http request to auto enter the file name to the form and make the form auto submit the request and process it and get the required html file downloaded as the result. I don't know if this is possible or if possible whether this is the correct way. If this can be done using curl, that's better. Any idea will be highly appreciated.
See: how can I post an external form using PHP?
So, from the referenced URL:
<?php
$url = 'http://localhost/portal/default/test';
$fields = array(
'text'=>urlencode($value_for_field_text),
);
//url-ify the data for the POST
$fields_string = '';
foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
$fields_string = rtrim($fields_string,'&');
// Initialize curl
$ch = curl_init();
//set the url, number of POST vars, POST data
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_POST,count($fields));
curl_setopt($ch,CURLOPT_POSTFIELDS,$fields_string);
//return the response as a string instead of printing it
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
//execute post
$result = curl_exec($ch);
curl_close($ch);
// Results of post in $result
?>
Suppose I have many values here with form method POST
$_POST["value1"]
$_POST["value2"]
$_POST["value3"]
$_POST["value4"]
$_POST["value5"]
$_POST["value6"]
$_POST["value7"]
and I want to send them to nextpage.php
Any function to do that? Besides using
<form method="POST" action="nextpage.php">
<input type="hidden" name="value1" value="value1" />
</form>
Passing without session
If there is no security concern and your post data contains something like search parameters. For example, $_POST has
array('query'=>'keyword', 'orderby' => 'name', 'range' => '4-10' )
You can generate a query string from that data using http_build_query and create an anchor tag for the user to click, passing that data on to the next page along with the URL.
$url = 'nextpage.php?' . http_build_query($_POST);
It will generate a URL like nextpage.php?query=keyword&orderby=name&range=4-10 that you can use in an HTML anchor tag, and on the next page you can get it from $_GET.
Using session
Alternatively, you already have the option of storing it in $_SESSION and, after using it, destroying the session in order to keep your site performance up.
Store all your values in $_SESSION and use them on the next page, or you can create a URL using these values and redirect your page to nextpage.php.
For passing post values to the next page, store the complete $_POST superglobal array variable in the session, and then on the next page you can access those values using the $_SESSION variable.
Alternatively, you can use curl to send an HTTP request to the next page using the POST method.
Then those variables will be accessible using the $_POST variable on the next page.
Please refer to the code snippet below as an example of sending an HTTP request using the POST method through curl.
$url='http://203.114.240.77/paynetz/epi/fts';
$data = array('login' => '11','pass' => 'Test#123','ttype' =>'NBFundTransfer','prodid'=>'NSE','amt'=>50,'txncurr'=>'INR','txnscamt'=>0,'clientcode'=>007,'txnid'=>uniqid(),'date'=>date('d/m/Y H:i:s'),'custacc'=>'123456789');
$datastring = http_build_query($data);
//die($url.'?'.$datastring);
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_TIMEOUT, 180);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $datastring);
$output = curl_exec($ch);
//echo $output; die;
curl_close($ch);
You can use a session or cookie to access it on the other page.
Use this code.
<!DOCTYPE HTML>
<html>
<head>
<title>First page</title>
</head>
<body onload="document.getElementById('send').submit()">
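<form id="send" action="next_page.php" method="post" style="display: none;">
<?PHP
foreach($_POST as $key => $val)
{
// Nested array fields are skipped; only scalar values are re-posted
if (is_array($val)) { continue; }
// Escape name and value so posted data cannot break out of the attribute
echo '<input type="hidden" name="'.htmlspecialchars($key, ENT_QUOTES, 'UTF-8').'" value="'.htmlspecialchars($val, ENT_QUOTES, 'UTF-8').'" />';
}
?>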
</form>
</body>
</html>