I have a scenario where when I submit a form in PHP, sometimes the url would be something like this prior to submitting:
http://localhost/pre_school-schedules.php#ps-n2
What I want to do is set the url after submitting to be as follows:
http://localhost/pre_school-schedules.php
Currently I'm trying to do that with:
header('Location:http://localhost/pre_school-schedules.php');
But this is not working and prevents my custom messages such as Item inserted successfully. or there was a problem with... to show. Is there any other way to make the page after a post request remove any extra stuff from the URL?
as you don't define the post action, the current url is used, if it has a fragment (the bit after the #) that gets sent also. So simply hard code the action like so:
action="pre_school-schedules.php"
You should be able to remove the anchor and everything after it during your form processing with preg_replace, trim, or similar function.
$url = preg_replace('/#.*/', '', $url);
If you end up needing to redirect, save your needed data such as errors in a session then send them to the destination page.
Related
I have two files, the first is a form (signup.php) that posts user inserted fields (first name, last name, user name, email..etc) into another file containing an error handlers (Signup.chk.php) using post method. in case of error in the inputs, i wanted signup.chk.php to send back all the fields inserted by the user to the signup.php file using GET method to re-display the form with the errors and the user's inputs.
i'm expecting a URL that looks like below:
localhost/signup?signup=error&firstname=Joe&lastname=Doe&user=Jdoe1&email=Jdoe#abc.com
it works fine if the user didnt insert special chars as inputs.
if the user inserts $ or & as part of the inputs it will mess up the _GET function on the other page.
what is the best way to encode/decode the URL values to prevent XSS and also allow the signup.inc file to properly receive the url values and display it correctly in the form fields again (Even if containing <>$&%..etc)
To do what you want, you can use urlencode() and urldecode().
// To form the URL
$url = "localhost/signup?signup=error&firstname=" . urlencode($firstname);
// To get the value from the URL and decode it.
$firstname = urldecode(isset($_GET['firstname']) ? $_GET['firstname'] : "");
However, there is a security issue, user may add some code on the url to attack your website, so you need to do something to avoid it, eg restrict input length or avoid unnecessary specific characters.
I want to be able to test a website I am building using PHP that gets all its content from a database that uses point in time. I have a series of pages that I use to maintain the content and assign effective dates.
The live website will not have access to a session.
I simply want to hack the URL with a parameter like so:
mywebsite.com/current.php?asof=2016-01-01
But I want this parameter to appear on all subsequent pages.
I could use cookies I guess but I want the visual cue.
Finally, some of the pages I navigate to will have additional parameters.
Can this be done? If so, how?
EDIT:
Is there a way to edit the response by injecting URL parameters for any arbitrary response.
If navigation is done only via links and forms, and you have no session, you could try injecting the params into all links and forms before rendering the html.
// set the asof value once upon starting navigation
$_GET['asof'] = '2016-01-01';
// then on all pages onward
// grab all links and inject all $_GET params
$html = preg_replace('/(href="[^"]+)"/', '$1?'.http_build_query($_GET).'"', $html);
// the same for forms
$html = preg_replace('/(action="[^"]+)"/', '$1?'.http_build_query($_GET).'"', $html);
echo $html;
This gets all the data passed in the query string ($_GET) and injects it into all links and forms. So every click on a link will propagate the $_GET params. Keep in mind that this is a rough implementation. This doesn't take into account links that already have query strings or pasting the url.
Set your cookie and then for every link you can do something like the following:
<?php
$asof = (isset($_COOKIE['asof']) ? 'asof=' . $_COOKIE['asof'] : '');
?>
link
I have a listing with some filters which are applied on form submit, using GET as form method. So after submit, I get a url that looks like:
/listing?filter_1=a&filter_2=&filter_3=c
Notice that filter_2 is empty. How can I avoid showing it in the URL in this case? I would only need the URL to be like this:
/listing?filter_1=a&filter_3=c
I would not mess with $_GET and I wonder what is the right way to do it with Laravel 4.
Thank you
During making of url, you need to check the value of variables whether it has empty or null or have some value. Then add those varibale into the url, so that your url will be clean.
to achive this you will be required to use Laravel - pretty URls functionality and make some changes in Route::get function to remove empty parameters while construction url.
I've a very strange problem in my form and have no idea how to solve it. Tried a search but found nothing about it. I have a form which i receive the data with $get in a php page to process the data. Strangely, when i insert an # in a field like the email for example, the # is lost durring the process of sending data. I verified in the line before the redirection to the php page if the # was there and it was, so i don't know this character is lost in the next step of the process.
Any hints?
The redirection comes from a javascript function that i call when i click the submit form:
window.location.href = 'index.php?pagina=candidaturasB&'+ qstringA;
the "qstringA" contains all the data of my form, and if in some input i put an #, if i do alert(qstringA) before de redirection line, the # is there, after that, in the url, of the php page where i received the data there's no #.
ex: index.php?...&email="ren#something.com" appears on the url "index.php?...&email="rensomething.com".
Use urlencode() for each form data :
eg :
$url = "index.php?pagina=candidaturasB";
$url .= "&email=".urlencode($_GET['email']);
$url .= "&data="urlencode($_GET['data']);
And pass the result string to window.location.href
I am designing a site where external links form various are being shown on my page. I am using
$url=$_GET['url'];
$website_data = file_get_contents($url);
echo $website_data;
so essentially a user would click on a hyperlink which is something like www.test.com/display_page.php?url=http://www.xyz.com/article/2.jpg
My page, list_of_images.php, typically has a list of images with href for each image as above on the page and when any image is clicked it would go to display_page.php, which would show our banner on the top of this page, some text and then this image beneath that. This image could be from any website.
I am currently sending the url directly and grabbing it using GET. I understand that users/hackers can actually do some coding and send commands for the url variable and could break the server or do something harmful and so i would like to avoid this method or sending the url directly in the header. what is the alternate approach for this problem?
The safe approach is to use a fixed set of resources stored in either an array or a database, and the appropriate key as a parameter.
$ress = Array('1' => 'http://www.google.com/', ...);
$res = $ress[$_GET['res']];
I would make sure the url starts with http:// or https://:
if(preg_match("`^https?://`i", $_GET['url']))
// do stuff
You may also want to make sure it isn't pointing anywhere internal:
if(preg_match('`^https?://(?!localhost|127\.|192\.|10\.0\.)`i', $_GET['url']))
// do stuff
Rather than a big dirty regex, you could go for a more elegant host black-list approach, but you get my drift...
Try POST....
Try doing this using POST method