please i've been searching for a week now and i'm stuck .
I have a web app that send using xmlhttprequest in javascript to send value to be passed like a parametres in url like this :
xmlhttp.open("GET","http://127.0.0.1/filename/name.php?q="+value,true);
xmlhttp.send();
but if any one who get to know the url can change that value with any thing he want, I've allready implement the sql injection in the php files using : real_escape_string
but i need to crypt the value in the url , how can i do it ? i want to use ssl , but i didn't find aything on google , please dont give me a bad marks i really need answers
You can use POST.
Look here how to do that:
http://www.openjs.com/articles/ajax_xmlhttp_using_post.php
If the data is sensitive and shouldn't be accessible to the user, you shouldn't be using JavaScript to handle it. JavaScript runs on the client and so is at its mercy.
There's nothing you can do to stop people requesting a URL, so the only thing you can do is not display the content when people inevitably do. Put some logic in name.php that figures out whether the person requesting the file has access to download it. If they don't, simply display an error.
Related
my php script creates for some reason a super long new URL.
My original URL looks like this
http://someserveryoudon'tneedtoknow/index.php
And this is what I get after running the script.
http://someserveryoudon'tneedtoknow/index.php?vorname=and&nachname=andasd&ort=asd&email=asd&sonstiges=+Bitte+nur+ausfuellen+wenn+%27Sonstiges%27+ausgewaehlt+wurde+&sonstiges=&sonstiges=&sonstiges=&sonstiges=&sonstiges=
The script is about typing some data in some windows. And the weird words standing in the long URL are german words. Maybe important about them is that they are used in my script as messages standing in some textboxes. And some of them are variables.
Do you know what I can do to make php stop this? (At least I guess it's php's fault)
Yanakin
These are GET parameters. You should use POST to avoid this. POST is recommended anyway.
Reasons why you should use POST
It's secure
These parameters can be stored anywhere. POST doesn't store parameters in the URL. It sends the parameters in data. It can possibly stop some attacks.
GET /signup.php?username=john&password=johnny1234567890 HTTP/1.1
or
POST /signup.php HTTP/1.1
username=john&password=johnny1234567890
What seems better?
It's stored all on your computer. In your browsing history. Everywhere!
It's shorter
Not everyone wants to see https://example.com/signup.php?username=john&password=johnny1234567890&confidentialstuff=105650970950940 in the URL.
it looks like you pass data using get parameter. so that is why your url have a data like email is asd and so on..
I want to encode the URL including its path in PHP.
For eg: As of now,my path is www.yoursite.com/code/results/show.php?u=10&n="tom".
I want to encode this URL so that user should not be able to see the
"/code/results/show.php?u=10&n="tom".
Why I need this because
I do not want to expose my server data location to user
Keep my server safe.
Thanks in advance.
You will need to look into .htaccess files, from there you can perform url rewrites that will take a url of (for example) www.yoursite.com/code/results/show.php?u=10&n=tom and instead output www.yoursite.com/results/10/tom.
If the u=10&n=tom is important, it can't be removed entirely from the URL, however it can be masked in the above way, the alternative is to do everything with POST, which is not a good way to go.
Take a look at this link: http://www.addedbytes.com/articles/for-beginners/url-rewriting-for-beginners/
best way to hide critical information is to keep it secret, instead just use a reference and get the information from the database.
in general its no good sign if security depends on how user are sending requests.
Sending it with POST would hide it, but not really... there are various ways to get and manipulate post-data.
the problem is not with url, URL should be used to only identify resource, if you want to hide something then it should not reach (be part of URL) client in the first place.
I dont think it's possible directly, so I considered using javascript to access the anchors and pass that to PHP, but I don't know how.
Using jQuery:
$.post('getHash.php', {hash: window.location.hash});
Than in your getHash.php file
<?php
$hash = $_POST['hash'];
/* ... */
?>
Still, your question does not provide enough information for us to answer it corectly.
If you mean the hash portion of URLs (i.e. everything after #), that’s not sent to the server by web browsers. So you can’t access it from PHP.
Sounds like you’ve got the right approach for informing the server about hashes, i.e. using JavaScript. You can access the hash in browsers with window.location.hash. To send that to the server, you could use the XMLHTTPRequest object to POST it to the server.
HEllo I have this URL I need to get with PHP
http://www.domain.com/forum/#forum/General-discussions-0.htm
The problem is this is not a real URL, but this the mask created by the .htaccess.
I need to get the visible URL and not the real path of the file, because I need to compare it with some PHP variables I have.
In fact the real path will look like this:
http://domain.com/modules/boonex/forum/index.php
And in that way is totally useless for me.
How do I get the first URL as it is?
You can't get that from http://www.domain.com/forum/#forum/General-discussions-0.htm. Everything after the fragment (#) is not even send to the server, there is no way to retrieve it save for a delayed update with javascript. All you'll get it is http://www.domain.com/forum/ send to the server, and on the onload event of your document you can possibly load something in with javascript.
Look into the source code or it may not have real urls at all. The part is for ajax based navigation. It may mean that there are no real urls on that site and if there are then they should be extracted from <a href="someurl"> as they might masked using javascript.
With
file_get_contents();
for example. Neither user nor your server mind about .htaccess
It's server proccessing the request who have to direct you to correct address
however php does ignore everything after #, so in this case you have no chance to get it without real url
As #Wrikken said, there is no way to get url after # fragment
When using the $_GET[] in php, it searches for a variable e.g ?id=value
Is there a way to call the #value instead?
No, because the hash part of the url is client-side only and is not sent to the server.
When you enter an URL such as http://server.com/dir/file.php?a=1#something in your browser's URL textbox, the browser opens a connection to the server.com and then issues a HTTP command GET /dir/file.php?a=1 HTTP/1.1. This is the only data sent to the server.
Hence, the server never gets the #something part, and this means there is no script on server side you could write to read that value.
Similar question explained here: How to get Url Hash (#) from server side
I've been able to work around it by getting the fragment via javascript and sending an ajax request with the fragment as the $_GET contents.
Without knowing your whole case, I may be off track, but there is the possibility of sending the #something to the server via a simple GET type of xmlhttprequest.
Yeah there is a way. I think what you want to do is:
$arValues = array_values($_GET);
// whatever else you want to do with the values