I got a theoretic question.
If I use a form with GET method that is leading for an external PHP file (test.php),
I suppose anyone can find out what would be the result simply by viewing the source page, getting the variables (e.g., action="test.php" name="do" value="hello"), and then typing the URL with these variables:
....test.php?do=hello
I mean, he wouldn't have to actually click the button on the original page in order to find out what happens.
However, is there anyway to know what would be the result of a POST method button, without clicking it?
Your question has two possible meanings.
One is discover what the page does, what is the result of processing. That can be found by almost anybody with enough knowledge and tools to send a post request. There are a bunch of tools that allow you to do that. You can do it with plugins for your browser, security analysing tools like webscarab, programming languages using cURL, etc.
The second meaning is determining how the result was achieved. That, is not possible to know unless the source code of the processing file is accessed and analysed.
Related
I looked for answers to this question, and it seems that most people have a specific problem. I'm looking for a more general answer. I have a text box where a user will type in their name and I would like to have PHP constantly monitor the text box and change the value of the $name as it is typed or edited.
I would also like to do the same with buttons, and as different buttons are clicked, the content of a variable would change to match that which the button represents. Basically, is there a way to get PHP to constantly run on the page and gather information from a user as it is changed?
It seems like it should be possible, but my experience with PHP is limited, and I'm not sure how to begin, so I don't have any code to really show.
This sounds to me like you require an ajax script checking for input changes(eg/ keystroke, on_blur or on_click for your buttons) and sending back to a php script that will update your variables/tables and return the new variables to the ajax script once they are updated.
1 - Ajax checking for changes on the page, and firing off to a php script on server.
2 - Have a method in your js that waits for the action to be completed and load the new variables into the HTML document.
Basically look up Ajax/PHP - Check username availability, Then adapt to your specific needs.
:)
Simple ajax script will be what your after, there are many scripts available for checking username availability --- As for a lone PHP script, this will not be possible as the PHP code has already ran on the server before the html document is rendered to the browser.
My first answer so my wording may not be perfect comment back if i have confused you more.
It seems like it should be possible, but my experience with PHP is limited, and I'm not sure how to begin, so I don't have any code to really show.
Yes, it's possible, but most likely only due to the nature that the browser (e.g. Firefox) and PHP itself are Free Software.
A proof of concept is missing so far, so you really need to start at a very basic level.
You can download these software packages and modify them to your needs, e.g. make the browser interactively corresponding to the DOM and DOM events process PHP scripts that you embed like script tags inside HTML.
But well, as you wrote, you're starting, so I guess, you don't want to start with rewriting the browser and the PHP interpreter, so even if possible, it's perhaps best to stick that interactive part inside the browser to Javascript and some HTTP request / response programming on the server with PHP.
I recently created an image that automatically changes depending on the time thanks to a PHP script. I'm now thinking about doing something but I'm not sure if it's possible.
I do have restrictions. I need this to work on a forum board so it means I have to have all scripting on a different server. I would Google how to do this but I'm not sure what to search hence the broad title. If someone could possibly tell me if it's possible and show a small example to get me on the right track, that'd be appreciated.
What I need to do is print text out onto the page. As I stated above, all the scripting needs to be on a different server as the forum doesn't allow for php and only basic HTML (similar to here). This means I can't use include 'file.php';.
IMHO You have two options
Use HTML iframe element to embeed the external content (just give the external URL and the browser will handle the rest)
Call ajax request from javascript and inject the result into the DOM tree of the board.
Now that Your decision what suits You more.
I real beginner and try to understand how things work more then to develop stuff, and now i can't move forward till someone gives me an accurate answer about a little detail of following issue.
Let's assume there's a page with php code http://example.com/blablabla and link on it like http://example.com/blablabla?file=number_1 which's used to modify some parts of this page
What i really don't know is what happens with the already loaded script from http://example.com/blablabla when there's a request from this page -http://example.com/blablabla?file=number_1
The questions actually are:
Is code from the already loaded page processed every time when requesting ?file=number_1?
For me it seems very strange, 'cause if with the first http://example.com/blablabla via php i selected for example a huge size of data from database and only want to modify small part of page with ?file=number_1 and why do i need server to process request to the database one more time.
My experience says me that server do process again already loaded code,
BUT according to this i have a very SLIGHT ASSUMPTION, that i'm not really sure about this, but it seems very logical:
The real trick is that the code in the first page has one VARIABLE and its value is changed
by the second request, so i assume that server see this change and modifies only that part of the code with this VARIABLE - for example the code in http://example.com/blablabla looks like this
<?
/* some code above */
if (empty($_GET['file'])) {
/* do smth */
} else {
/* do smth else */
}
/* some code below */
?>
with the request http://example.com/blablabla?file=number_1 the server processes only part of the original code only including changed $_GET['file'] variable.
Is it totally my imagination or it somehow make a point?
Would someone please explain it to me. Much appreciated.
HTML is a static language. There is php and other similar languages that allows you to have dynamic pages but because it still has to send everything over as html you still have to get a new page.
The ?file=number_1 just gives a get request to the page giving it more information but the page itself had to still be rerun in order to change the information and send the new static html page back.
The database query can be cached with more advanced programming in PHP or other similar languages so that the server doesnt have to requery the database but the page itself still had to be completely rerun
There are more advanced methods that allows client side manipulation of the data but from your example I believe the page is being rerun with a get request on the server side and a new page is being sent back.
i believe this is what your asking about.
Yeah, thanks you guys both. It certainly clarified the issue that every script (clean html or generated by php) runs every time with each request, and only external types of data like image files and, even as it follows from the previous answer, mysql results can be cached and be used via php to output necessary data.
The main point was that I mistakenly hoped that if the page is loaded and consequently cached in computer memory, the appended QUERY STRING to this URL will send, of course, new get request, but retrieved respond will affect this page partly without rerunning it completely.
Now i have to reconsider my building strategy – load as much data as it’s required from each requested URL.
If you are looking for a way to edit the page dynamically, use JavaScript.
If you need to run code server side, invisibly to the client, use PHP.
If you need to load content dynamically, use AJAX, an extension of JavaScript.
I hope that helps.
This is my first question on this site, so I'm going to try to be as specific as i can... By the way, excuse me for my perfect knowledge of English... which isn't perfect at all..
So what I was wondering is: do php variables persist if you change your page's content, using AJAX methods?
Let me explain: I want to code a web app which has to contain a main layer, containing a few tabs. The user has to be able to write stuff into text areas in one tab, switch the tab, and if he wants so, come back to the first tab to complete what he wrote before (also the app has to keep the php variables that it created previously right?). The app also has to put all the data, entered in all the different tabs, in one or many databases, when a summit button is clicked; so it has to access all the variables created before.
I just don't have any code at this moment, but I want to do a specification file before starting to code, because what I am about to do is kinda massive app, so i hope you will be able to explain me this point.
I still thank you for your help.
You would be best to consider the PHP script as a one-off thing. It does what it is asked to, then terminates. Nothing is preserved.
However, if you NEED to preserve something to pass back with an AJAX call, you can do it by including:
<INPUT type='hidden' id='my_variable' value='my_value'>
This can be referenced by the javascript that calls your AJAX PHP page and thus be passed back.
For what you require, as #AlexP said, you can simply change the visibility of each tab content area with:
<SPAN onclick='toggle(this.id)' id='tab_1'>Tab Name</SPAN>
or similar. Your JS function might include something like:
for(n=1;n<=numberOfTabs;n++)
{
document.getElementById("div_"+n).style.display="none";
}
document.getElementById("div_"+passedid).style.display="block";
though there are other ways of doing it.
Perhaps what you REALLY want to do is save the entered data into a database field frequently (or even continuously).
<form action="/path/hello.php" name='myForm' method='post'>
<!-- onChange="ajaxFunction();" -->
<input type= "text" name="user" id= "txtname" /><br />
<!-- <input type="text" name="user2" id="txtname2" /> -->
<input type='submit' name = "click" />
</form>
Noweveryone who looks at my html source code will know where this php file is located and will know how to call it. How can i stop this ?
If you handle the POST request to /path/hello.php properly, it shouldn't matter whether someone accesses it manually. Just make sure you are checking for things like the existence of $_POST['click'] and any other POST data you expect to exist, clean it, and proceed as normal.
If someone were to call /path/hello.php with spoofed POST data, then how would that be any different than them submitting your own form? There's no need to modify the script's visibility.
Furthermore, if your fear is that someone would be able to view the source of your PHP scripts--don't. The only thing a user would be able to see if they made an HTTP request to your PHP script would be the rendered HTML.
However, even if they could--why wouldn't you want someone to see your source (of course, barring situations where you might have sensitive configuration data within a PHP file)
You can't stop it. If you're going to tell the browser where the form is, you have to put the address in the HTML somewhere and once you do that anyone can see it.
It really shouldn't make any difference though, as your script should be able to cope with whatever values are sent to it. You can't blindly trust the data from the client in any case, so you need to verify the data sent is what you're expecting - no matter whether that's data sent by filling in your form as normal or someone calling it directly.
I can give a good example for why you would want to do this. You may have a service and offer it to a 3rd party, however in order to make this work there is some important configurable data that may come exposed. Here is an example
You own a website and let's say you want to create some type advertising campaign on your website but your "client" wants to advertise this the same thing on their website but the data needs to go into your email database.
you may not want them to know who you use
those services may require you to add account number or some type of identifying parameter towards your account.
May not be a big deal but still could be a security risk. So if you divert or mask it can prevent some of it.
There is no way to avoid this other than leave off action all together. The form will then submit to the current URL.
In any case, why are you worried about someone accessing the script? If you've written it correctly, no information should be exposed, and, no, they will not know how to "call" it - unless by calling it you mean simply accessing it in the browser. If by simply accessing it in the browser, sensitive information is displayed, you've got some serious problems on your hands.
I think your question is that by showing these paths that people will be able to actually view the source of the php file. That is not possible because it is being rendered by the php engine you are using. You have nothing to fear here.
Sorry, this isn't an answer, but a general observation on this same subject...
I have also experienced this and, seem to know where the OP is coming from...
I have seen a number of large CMS where form "actions" don't show the script... almost as if it points to a "friendly" URL...
Such as <form name="contactform" method="post" action="http://example.com/contact/send-contact">
As can be seen the extension is missing but the form is processed correctly...
I guess the htaccess could hide the extensions but some have a mix of visible URLs for standard pages and some "friendly" URLs for other content (including forms).
I'm not sure how these work...
It is sometimes considered best practice to keep .php files above the root directory to protect against the rare occurrence of php being configured incorrectly on the server and displaying php code to the client.
All you have to do is create a proxy script and post to that. I store the action in a hidden field so that I don't need multiple proxy scripts. I can't post the source code because I would be duplicating my answer on another post. You can find it here: https://stackoverflow.com/a/36941336/2452680
you can first give an action to page1 and in page 1 you can get the data and redirect and post the data to page2.
if you are using phpin page1 you can use curl and options to put data and execute it.