I have a URL like given below
http://mydomain.com/wrt/search.php?org=125&assignedto[]=NULL&Search=req_assigned_to&state[]=New&state[]=Pending%3A+Installation&state[]=Pending%3A+More+Info&state[]=Assigned&state[]=Working&orgs[]=125
i need to get the values of other required variables which results from accessing the above URL given in PHP..
Actually i should use this above mentioned link to access the form varaible values which will be displayed in that form resulted by execution of some queries using the parameters passed through the link given above..i wont be using form concepts such but can use this link alone,as i dont have access to the required database so this link is the base to retrieve values ...
Please suggest how it can be done.Its of high urgency.
You can access URL parameter via $_GET, when you have this URL try for example:
echo $_GET['Search']; should output req_assigned_to.
I'm not quite sure what you are trying to do but if I'm right you are looking for:
echo $_GET['org'];
This will echo 125. replace org with any other parameter in your url.
Read up on: http://www.php.net/manual/en/reserved.variables.get.php
Related
I am trying to sanitize my GET variables but Accuntrix is still complaining for some reason.
So I visit a page and the URL contains parameters. I pass these parameters between pages. To do this I do
something like the following
<a class="navbar-brand" href="https://someDomain/someFolder/someFile.php?WT.var1=<?php echo $_GET['WT_var1']; ?>&var2=<?php echo $_GET['var2']; ?>&var3=<?php echo $_GET['var3']; ?>&var4=<?php echo $_GET['var4']; ?>" title="logo"><img src="logo.png"></a>
I have lots of links like this on the page, and when I first ran the page it was vunerable to cross site scripting because
I was not sanitizing the GET requests. So at the top of the page, I put
<?php
$_GET['WT_var1'] = htmlspecialchars($_GET['WT_var1']);
$_GET['var2'] = htmlspecialchars($_GET['var2']);
$_GET['var3'] = htmlspecialchars($_GET['var3']);
$_GET['var4'] = htmlspecialchars($_GET['var4']);
?>
Initially, this seemed to work. But I have recently run another scan, and every single link like the above shows up as a high.
The details look something like this
URL encoded GET input WT.var1 was set to 1}body{acu:Expre/**/SSion(prompt(926954))}
The input is reflected inside a text element.
And the exploit looks like this
/someFolder/someFile.php?WT.var1=1%7dbody%7bacu:Expre/**/SSion(prompt(941830))%7d&var2=&var3=&var4=
Is that not showing a sanitized url though? Is this something I need to fix or is it a false/negative?
Thanks
htmlspecialchars() encodes your variable for output as content in an html page. If you need to pass your variables through the url, you need urlencode(().
So for example:
...someFolder/someFile.php?WT.var1=<?php echo urlencode($_GET['WT_var1']); ?>&var2...
I've made it so when you click on a certain link it changes the url to mywebsite.com/page.php#certainusername
How can I make it so when the url contains someone's certain username, an object containing
data="http://www.twitch.tv/widgets/live_embed_player.swf?channel=certainusername"
will change certain username to the username in #?
Check out the parse_url function. You should be able to get the fragment (hashmark thing) from that.
Not sure what kind of change you are talking about... So here are 3 different types of methods to access the "#certainusername"
CSS
:target {
background: yellow;
}
(Source)
PHP
parse_url($url, PHP_URL_FRAGMENT)
// or
parse_url($url)['fragment']
// then do stuff ...
(Source)
JavaScript
window.location.hash
(Source)
For the question, I assume that you're not working with any framework. Given this, I'll give you a simple answer.
Steps:
1 - Get the username out of the URL.
2 - Generate the view dynamically.
Explanation:
1 - I would recommend using a query string of the following format: mywebsite.com/page.php?username=certainusername (instead of using a #)
Then you can use $_GET to obtain the username (Please, read more about the security implications: http://php.net/manual/en/reserved.variables.get.php).
2 - If you're using PHP to generate the HTML code directly, the only thing that you need to do is:
... HTML in here ...
data="http://www.twitch.tv/widgets/live_embed_player.swf?channel=<?php echo $username; ?>"
... more HTML ...
(Assuming that the variable $username contains the username obtained from the URL).
This is a very simple scenario and there are a lot of other things to consider that are out of the scope of the question.
I am new to PHP.
I need a help regarding the methods of extracting DB name and table name from the given URL name.
For example, let's say, I have an URL like the one below:
/test.php?db=...&table=.../
How to extract the DB name and table name from this URL using PHP and use the result for other query purposes.
If you mean how to parse an existing URL for it's parameters:
parse_url() and parse_str() will help you strip the components of the url. You will primarily be looking at the following
$elements = parse_url($url);
$kvps = $elements->query;
$db = parse_str($kvps['db']);
$table = parse_str($kvps['table']);
But, if you mean how to GET variables from the current page before render:
<?php
$dbname = $_GET['db'];
$tablename = $_GET['table'];
?>
And yea, there are major security risks involved in opening up 'direct' access to your database this way. Best to obfuscate / encapsulate / wrap your functions in tasks like index.php&addUser=tim instead of index.php&insert=tim&db=boofar&table=users&dbuser=root&dbpassword=secure.
If you're just learning, what you're doing is fine, as long as you realize why it's wrong. If you're coding for production, you really need an alternate solution.
There are two ways to pass variables or data to another page.
GET (via the URL)
and
POST (usually a form submission)
You can alway get via
$_GET
http://php.net/manual/en/reserved.variables.get.php
or
$_POST
http://nl.php.net/manual/en/reserved.variables.post.php
I'm doing a website. There's a pagination, you click on links and they take you to the page you need, the links pass $_GET variable ( a href="?pn=2" ) and that works fine.
However when i add the category links (also contain $_GET variable
(a href="?sort=english") on the same page, which kind of sort the content on the page, and click it, the system simply overrides the url and deletes all the previous $_GET's.
For example, I'm on page 2 (http://website.com/index.php?pn=2)
and then I click this sorting link and what I'm expecting to get is this (http://website.com/index.php?pn=2&sort=english), but what I get is this:
(http://website.com/index.php?sort=english). It simply overrides the previous $_GET, instead of adding to it!
A relative URI consisting of just a query string will replace the entire existing query string. There is no way to write a URL that will add to an existing query. You have to write the complete query string that you want.
You can maintain the existing string by adding it explicitly:
href="?foo=<?php echo htmlspecialchars($_GET['foo']); ?>&bar=123"
Try using this:
$_SERVER['REQUEST_URI'];
On this link you can see examples. And on this link I have uploaded test document where you can try it yourself, it just prints out this line from above.
EDIT: Although this can help you get the current parameters in URL, I think it's not solution for you. Like Quentin said, you will have to write full link manually and maintain each parameter.
You could create a function that will iterate through your $_GET array and create a query string. Then all you would have to do is change your $_GET array and generate this query string.
Pseudocode (slash I don't really know PHP but here's a good example you should be able to follow):
function create_query_string($array) {
$kvps = array();
for ($key in $array) {
array_push($kvps, "$key=$array[$key]");
}
return "?" . implode("&", $kvps);
}
Usage:
$_GET["sort"] = "english";
$query_string = create_query_string($_GET);
You need to maintain the query parameters when you create the new links. The links on the page should be something like this:
Sort by English
The HTTP protocol is stateless -- it doesn't remember the past. You have to remind it of what the previous HTTP parameters were via PHP or other methods (cookies, etc). In your case, you need to remind it what the current page number is, as in the example above.
I'm trying to write some code which shares a page on Facebook and twitter.
The problem I'm facing is that the page I'm trying to share has a big query string like:
http://domain.com/see.php?c=3&a=123&v=1
But it seems that Facebook and Twitter don't like that big query string.
I also tried using tiny url with following method in which I passed the URL to a PHP function to get the tiny URL:
var a = $("#Link").val();
I get the correct value of **a**. After that I pass this value to a PHP file:
$.post("ShortLink.php?value="+a
In that PHP file I got the following value:
http://domain.com/see.php?c=3
All the values after 3 is deleted.
Thanks
When POSTing to your ShortLink.php file, you should make sure to URL encode the value of a beforehand. Otherwise you're calling ShortLink.php?value=http://domain.com/see.php?c=3&a=123&v=1, i.e., sending:
value = http://domain.com/see.php?c=3
a = 123
v = 1
What you want is ShortLink.php?value=http%3A%2F%2Fdomain.com%2Fsee.php%3Fc%3D3%26a%3D123%26v%3D1, thus sending:
value = http://domain.com/see.php?c=3&a=123&v=1
This can be achieved via encodeURIComponent():
$.post("ShortLink.php?value=" + encodeURIComponent(a));
See also How do I pass a URL with multiple parameters into a URL? and How to encode a URL in Javascript?.
Why don't u just use an url shortener API for that, like Google url shortener. That way, you can leave your code the way it is, but for site's like Facebook and Twitter, it is nicely short.
Try this:
$.post("ShortLink.php?value=" + escape(a));