How to make GET parameters not prone to overriding? - php

Let's say I have an address http://example.org/articles/children/title. Now, mod_rewrite translates it into http://example.org?type=article&category=children&id=title.
Now, most users only read the first part, ignoring anything that's after the question mark. And they should be safe to do so. But if someone links to me using http://example.org/articles/title?something=long_meaningless_string&type=adult&title=othertitle, my app sees $type == "adult" while the clicking reader believes he went to a children's section.
Is there any safe and sure way to prevent abuse like that? It's especially problematic with well-known CMS systems, where the attacker knows the GET variable names and can use them to hit the site's reputation.

One way would be to rename your keys so that they have a [] at the end, like so:
http://example.org?type[]=article&category[]=children&id[]=title
This will result in a $_GET array like this:
Array
(
[type] => Array
(
[0] => article
)
[category] => Array
(
[0] => children
)
[id] => Array
(
[0] => title
)
)
If someone appends more type[] entries to the query string, as in http://example.org?type[]=article&category[]=children&type[]=adult, it will look like this:
Array
(
[type] => Array
(
[0] => article
[1] => adult
)
[category] => Array
(
[0] => children
)
)
So you can still get the first entry.
If you don't want to append the [] to your keys, you would have to parse the query string yourself, which you can get via $_SERVER['QUERY_STRING'].
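As an added example (not part of the answer above): a parser for $_SERVER['QUERY_STRING'] that keeps the first value of every key, the opposite of what parse_str() and $_GET do. The sample query string is constructed; it assumes the rewrite rule carries the [QSA] flag, which appends the visitor's query string after the parameters the rule itself produced. first_wins_query is a name chosen here.

```php
<?php
/**
 * Parse a raw query string keeping the FIRST value seen for each key.
 * parse_str() and $_GET keep the LAST duplicate, which is why an appended
 * &type=adult overrides the type=article that the rewrite rule produced.
 * Any "[...]" suffix is stripped from the key, so type[]=adult cannot slip
 * in under a different name either.
 */
function first_wins_query(string $query): array
{
    $out = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$rawKey, $rawValue] = array_pad(explode('=', $pair, 2), 2, '');
        $key = preg_replace('/\[.*$/s', '', urldecode($rawKey));
        if ($key === '' || array_key_exists($key, $out)) {
            continue;                       // duplicate: the first occurrence stays
        }
        $out[$key] = urldecode($rawValue);
    }
    return $out;
}

// Constructed sample of $_SERVER['QUERY_STRING'] after a rewrite with [QSA]:
// the rule's own parameters first, the visitor's query string appended after.
$qs = 'type=article&category=children&id=title'
    . '&something=long_meaningless_string&type=adult&title=othertitle';

parse_str($qs, $phpDefault);          // PHP's own behaviour: last duplicate wins
$trusted = first_wins_query($qs);     // first occurrence wins

printf("parse_str:        type=%s\n", $phpDefault['type']);
printf("first_wins_query: type=%s\n", $trusted['type']);
```

For that input parse_str() reports type as adult while first_wins_query() reports it as article. If the rewrite rule does not use [QSA], Apache discards the visitor's query string as soon as the substitution carries one of its own, so nothing needs parsing at all; the price is that legitimate parameters such as a page number are lost too.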

Determine a canonical URI for each page. When the page is requested, check whether the URI matches the canonical one. If it doesn't, issue a 301 redirect (e.g. like this, although that isn't PHP).
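A PHP version of that check, added here as an example rather than taken from the answer. It assumes the /articles/<category>/<id> scheme from the question and reads the route from $_SERVER['REQUEST_URI'], which Apache leaves exactly as the client sent it even after mod_rewrite has rewritten the request internally; route_article and dispatch are names chosen here, and the sample requests are constructed.

```php
<?php
/**
 * Route the /articles/<category>/<id> scheme from the request path alone and
 * report when the request is not in canonical form.
 *
 * Returns one of:
 *   ['status' => 200, 'params' => [...]]       canonical request
 *   ['status' => 301, 'location' => '/...']    redirect needed
 *   ['status' => 404]                          not an article URL
 */
function route_article(string $requestUri): array
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)
        || !preg_match('#^/articles/([A-Za-z0-9_-]+)/([A-Za-z0-9_-]+)$#', $path, $m)) {
        return ['status' => 404];
    }

    // The canonical form is the bare path. The character class above
    // guarantees it is safe to put straight into a Location header.
    $canonical = '/articles/' . $m[1] . '/' . $m[2];
    if ($requestUri !== $canonical) {
        return ['status' => 301, 'location' => $canonical];
    }

    // These values come from the path the reader saw, never from $_GET.
    return [
        'status' => 200,
        'params' => ['type' => 'article', 'category' => $m[1], 'id' => $m[2]],
    ];
}

/** Front-controller glue: send the redirect or 404, or hand back the params. */
function dispatch(string $requestUri): ?array
{
    $route = route_article($requestUri);
    if ($route['status'] === 301) {
        header('Location: ' . $route['location'], true, 301);
        return null;
    }
    if ($route['status'] === 404) {
        http_response_code(404);
        return null;
    }
    return $route['params'];
}

// Constructed requests: the canonical link and the hostile one from the question.
$requests = [
    '/articles/children/title',
    '/articles/children/title?something=long_meaningless_string&type=adult&title=othertitle',
];
foreach ($requests as $uri) {
    print_r(route_article($uri));
}
// In the real front controller: $params = dispatch($_SERVER['REQUEST_URI']);
```

The first request is canonical and routes with category children; the second carries the appended query string and gets a 301 to /articles/children/title, so the section the reader sees in the address bar is the only one the application ever acts on. If some query parameters are legitimate (pagination, for instance), whitelist them and include only those when building $canonical; as written, the redirect drops every query string.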

Related

Show array as written with rand inside

I have an array such as:
$var = array('hi','ho',rand(2,5));
What I would like to echo is the entire array, exactly as written.
Normally when you try a print_r, it shows as:
Array (
[0] => hi
[1] => ho
[2] => 3
)
But I want:
Array (
[0] => hi
[1] => ho
[2] => rand(2,5)
)
You can get this with file_get_contents, but is there any way to do so within the actual PHP file?
I don't think it's possible, because when the array is created the random value is assigned to the element with index 2, and you cannot check how this value was created.
I don't think it's possible, since rand is already evaluated as soon as you assign the array to some variable.
A workaround would be to hold the expression as a string and then eval it when you need it, like this:
$varStr = "array('hi','ho',rand(2,5))";
echo $varStr;
// when you actually need it: eval() only yields a value if the evaluated
// code returns one, and the statement needs its terminating semicolon
$var = eval('return ' . $varStr . ';');
However, this is almost never a good idea. Providing a use-case where you need this might help come up with a better solution.
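An added alternative to the eval() workaround above (not part of the answer): keep the expression's text for display and a closure for evaluation, so no string is ever parsed as code at runtime. Deferred is a name chosen here; the code needs PHP 8 for constructor promotion and the mixed return type.

```php
<?php
/**
 * Deferred expression without eval(): the source text is kept for display
 * and a closure does the evaluation. The closure is compiled together with
 * the rest of the file, so nothing is parsed as code at runtime.
 */
final class Deferred
{
    public function __construct(
        private string $source,
        private Closure $thunk,
    ) {
    }

    /** The expression exactly as written, for echoing. */
    public function source(): string
    {
        return $this->source;
    }

    /** Evaluate the expression now; rand() runs afresh on every call. */
    public function evaluate(): mixed
    {
        return ($this->thunk)();
    }
}

$var = new Deferred(
    "array('hi','ho',rand(2,5))",
    fn (): array => ['hi', 'ho', rand(2, 5)],
);

echo $var->source(), PHP_EOL;   // the text, as the question asked for
$values = $var->evaluate();      // a fresh array with a new random value
```

The text and the closure have to be kept in sync by hand, but a string that later picks up user input can never turn into executed PHP, which is the risk eval() carries.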

PHP array element starting with "<" weird behavior

I was trying to create some syntax for my application that uses $operator.$columnField as elements of an array for a SELECT WHERE clause; something like selecting all ids less than 41 would have been
$parameters['where'] = array('<id');
$parameters['fields'] = array(':id' => '41');
Then I would have parsed all the ['where'] entries in order to determine the operator from the field itself. The main idea here is not whether my way is a good way, given that I can do it in a lot of different ways. I am interested in the fact that it seems '<' plays some specific role at the beginning of an array element of type string.
I noticed that there were some errors, so I started testing. Now can anyone tell me why
print_r(array('alfa', '<beta', 'gamma'));
echoes
Array (
[0] => alfa
[1] => gamma
)
Thanks in advance.
Later Edit: If the '<' character is followed by a space, the same does not apply any longer. It simply outputs
Array (
[0] => alfa
[1] => < beta
[2] => gamma
)
It actually works. The <beta tag is interpreted by the browser, which hides it from you.
Press Ctrl+U to view the source. You will see this:
Array
(
[0] => alfa
[1] => <beta
[2] => gamma
)
Well, if you want it for display purposes, do it like this:
<?php
print_r(array_map('htmlentities',array('alfa', '<beta', 'gamma')));
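An added example, not part of the answer: escaping the whole dump rather than mapping htmlentities() over the top-level elements, which does not cover nested arrays. dump_html is a name chosen here and the sample array is constructed.

```php
<?php
/**
 * Render print_r() output inside an HTML page without the browser treating
 * anything in it as markup. print_r(..., true) returns the text instead of
 * echoing it; htmlspecialchars() then escapes the whole dump in one pass, so
 * nested arrays and non-string values are covered as well, which
 * array_map('htmlentities', ...) does not do (it only sees top-level strings).
 */
function dump_html($value): string
{
    $text = print_r($value, true);
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Constructed sample: the array from the question plus a nested one holding a
// string that would run as script if it were echoed into the page unescaped.
echo dump_html(['alfa', '<beta', 'gamma', ['<script>alert(1)</script>']]);
```

In the page source [1] => &lt;beta appears and the browser renders it as <beta. Any string that came from user input and is echoed into HTML needs the same escaping, or it becomes markup, and possibly script, in the reader's browser.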

TrialPay sending malformed JSON on callback

I am attempting to implement TrialPay/Offerwall/Dealspot on a Facebook app. In their documentation they give an example of what the JSON looks like that they send you:
{"order_id":9006316682257,"buyer":409697,"app":107032282669135,"receiver":409697,
"amount":1,"time_placed":1322622026,"update_time":1322622027,"data":"",
"items":[{"item_id":"0","title":"3 Fred Currency","description":"Make it rain!",
"image_url":"http:\/\/external.ak.fbcdn.net\/safe_image.php?d=AQDldsPcWsejAJdC&url=http\u00253A\u00252F\u00252Fwww.etftrends.com\u00252Fwp-content\u00252Fuploads\u00252F2011\u00252F10\u00252Fcurrency-trading.jpg",
"product_url":"","price":1,"data":"{\"modified\":{\"product\":\"URL_TO_APP_CURR_WEBPAGE\",
\"product_title\":\"Fred Currency\",\"product_amount\":3,\"credits_amount\":1}}"}],"status":"placed"}
They say if you json_decode it as an array you should get this:
Array (
[order_id] => 9006316682257
[buyer] => 409697
[app] => 107032282669135
[receiver] => 409697
[amount] => 1
[time_placed] => 1322622026
[update_time] => 1322622027
[data] =>
[items] => Array (
[0] => Array (
[item_id] => 0
[title] => 3 Fred Currency
[description] => Make it rain!
[image_url] => http://external.ak.fbcdn.net/safe_image.php?d=AQDldsPcWsejAJdC&url=http%3A%2F%2Fwww.etftrends.com%2Fwp-content%2Fuploads%2F2011%2F10%2Fcurrency-trading.jpg
[product_url] =>
[price] => 1
[data] => {"modified":{"product":"URL_TO_APP_CURR_WEBPAGE","product_title":"Fred Currency","product_amount":3,"credits_amount":1}}
)
)
[status] => placed
)
It doesn't though, data actually looks like this:
[data] => "{"modified":{"product":"URL_TO_APP_CURR_WEBPAGE","product_title":"Fred Currency","product_amount":3,"credits_amount":1}}"
The JSON being inside the string is causing it to be invalid JSON. Is there is a straightforward way to remove those quotes?
First off, it looks like you need to finish configuring your app on Trialpay's site, hence the URL_TO_APP_CURR_WEBPAGE. The issue here may be that you have not completed your app configuration to the extent needed to produce valid JSON.
If that's not the answer, however, and you still get invalid JSON (which I agree is invalid), I would suggest contacting your TrialPay representative. They're usually pretty responsive, and we did unearth a few issues with their product during our game development.
Good luck - post back here if/when you find more info.
Cheers
Developer at TrialPay here. We might have a typo in our doc sites, and I'll send a note around to double-check that.
In the meantime, I've verified that the actual JSON that Facebook is passing to the server-side callback on completion of an offer-based order for in-app currency should be valid, and decodes properly to the desired result above.
If you encounter any further problems outside the scope of this thread, feel free to ping me directly.
Edit:
After copying your code and validating against JSONLint, I encountered a problem right away at the point you mentioned. However, after removing the bad line break before \"product_title\", I was able to validate correctly. Example PHP snippet included below:
<?php
$order_details = '{"order_id":9006316682257,"buyer":409697,"app":107032282669135,"receiver":409697,"amount":1,"time_placed":1322622026,"update_time":1322622027,"data":"","items":[{"item_id":"0","title":"3 Fred Currency","description":"Make it rain!","image_url":"http:\/\/external.ak.fbcdn.net\/safe_image.php?d=AQDldsPcWsejAJdC&url=http\u00253A\u00252F\u00252Fwww.etftrends.com\u00252Fwp-content\u00252Fuploads\u00252F2011\u00252F10\u00252Fcurrency-trading.jpg","product_url":"","price":1,"data":"{\"modified\":{\"product\":\"URL_TO_APP_CURR_WEBPAGE\",\"product_title\":\"Fred Currency\",\"product_amount\":3,\"credits_amount\":1}}"}],"status":"placed"}';
$order_details_decoded = json_decode($order_details, true);
$order_details_decoded['items'][0]['data'] = json_decode($order_details_decoded['items'][0]['data'], true);
print_r($order_details_decoded);
As I mentioned earlier, if anything else comes up outside the scope of this thread, feel free to ping me directly.
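Added here as an example (not TrialPay's code): a decoder for the shape shown in the doc example, where items[].data is a JSON document stored as a string. decode_order is a name chosen here, the sample bodies are constructed, and the shape checks assume the field names from the doc example. It only parses the body; whether a request genuinely came from the provider is a separate question this thread does not cover.

```php
<?php
/**
 * Decode a callback body whose items[].data field is itself a JSON document
 * stored as a string. Malformed input raises JsonException instead of
 * json_decode()'s silent null, an empty data string is treated as "no data",
 * and the shape is checked before anything is read from it.
 */
function decode_order(string $body): array
{
    $order = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($order) || !is_array($order['items'] ?? null)) {
        throw new UnexpectedValueException('callback body is not an order object');
    }
    foreach ($order['items'] as $i => $item) {
        $raw = $item['data'] ?? '';
        if ($raw === '') {
            $order['items'][$i]['data'] = [];
            continue;
        }
        if (!is_string($raw)) {
            throw new UnexpectedValueException("items[$i].data is not a JSON string");
        }
        $order['items'][$i]['data'] = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    }
    return $order;
}

// Constructed sample in the shape of the doc example; the values are made up.
// Single quotes keep the \" sequences literal, as the wire format needs them.
$body = '{"order_id":1,"buyer":2,"amount":1,"data":"",'
      . '"items":[{"item_id":"0","title":"3 Fred Currency","price":1,'
      . '"data":"{\"modified\":{\"product_amount\":3,\"credits_amount\":1}}"}],'
      . '"status":"placed"}';

$order = decode_order($body);
print_r($order['items'][0]['data']['modified']);

// Constructed malformed body: an unescaped quote inside the nested document,
// which is the kind of breakage the question describes.
try {
    decode_order('{"items":[{"data":"{"modified":1}"}]}');
} catch (JsonException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first call yields the nested modified array with product_amount 3 and credits_amount 1; the second is rejected before any field is read, rather than producing a null that later code would trip over.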
Did you try json_decode($json_string, true)? That will convert it into an associative array.

Fields get unwantedly concatenated in Salesforce SOQL query result. Developer nearly loses it

I'm probably missing something quite basic, but I'm getting very confused (and frustrated) with the results I get from my SOQL queries to the Salesforce API.
My query:
Select Id, FirstName, LastName FROM contact
The resulting object (as rendered by print_r):
stdClass Object
(
[done] => 1
[queryLocator] =>
[records] => Array
(
[0] => stdClass Object
(
[type] => Contact
[Id] => Array
(
[0] => 0032000000cPd7uAAC
[1] => 0032000000cPd7uAAC
)
[any] => BuzzAldrin
)
[1] => stdClass Object
(
[type] => Contact
[Id] => Array
(
[0] => 0032000000cPt1zABC
[1] => 0032000000cPt1zABC
)
[any] => RonnieVanZant
)
[2] => stdClass Object
(
[type] => Contact
[Id] => Array
(
[0] => 0032000000cPb60AA
[1] => 0032000000cPb60AA
)
[any] => PollyJeanHarvey
)
)
[size] => 3
)
The first thing I don't get is why "Id" is an array. A strange quirk, but a workaround is not too hard.
The second thing bothers me endlessly more, though: I select for FirstName and LastName and what happens is they get concatenated and returned as a single string value for a field called "any". To avoid the "split it on uppercase letters" advice I already got from my colleagues, I provided an example with both a two-capital first name and a two-capital last name, and anyhow, in reality I need many more (and more formally unpredictable) fields, and they all get added to this "any" property.
Does anyone see what I'm doing wrong? Assuming it's not such a badly written API, that is?
Edit:
Said developer will now go sit in a corner for a few hours, repenting for not having checked for more recent versions of PHP Toolkit. Seems I was using 11.0, whereas there's already a version 20.0. Shame on me, shame on me indeed. Sorry for wasting your time.
The behavior you are seeing is mostly because of how PHP's SoapClient interprets the results from the API. If you call getLastResponse() on your API connection after you make the query() calls above, you'll see what the actual SOAP messages coming back from Salesforce look like.
As for the Id array: it's not really an array, but it is listed twice per record (once for the record itself and once as a field), and PHP turns it into an array because it sees it twice. As for the any, that's happening because PHP is not understanding the namespaced field tags correctly.
As it looks like you found, using the PHP Toolkit can help with these oddities and return sensible objects for you to work with. You might also want to consider looking at Salesforce's REST API, whose results can be directly consumed by json_decode(). For making the HTTP calls to Salesforce, you might be interested in this simple (almost standalone) REST client in a project of mine.
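An added example (not the answerer's code, nor the Toolkit's) of what getLastResponse() exposes and why SoapClient produces that shape: every field of an sObject is an element in the sObject namespace, which SoapClient lumps into any, and Id appears twice. The document below is a constructed sample modelled on a partner-API query() response; the namespace URIs and wrapper element names are assumptions, so take the real ones from getLastResponse() on your own connection. parse_query_response is a name chosen here.

```php
<?php
/**
 * Pull the fields out of a partner-API query() response by namespace instead
 * of relying on SoapClient's generic decoding. Fields are sf:-prefixed
 * children of each <records> element; Id occurs twice per record.
 */
const PARTNER_NS = 'urn:partner.soap.sforce.com';            // assumed
const SOBJECT_NS = 'urn:sobject.partner.soap.sforce.com';    // assumed

function parse_query_response(string $xml): array
{
    $env = new SimpleXMLElement($xml);
    $env->registerXPathNamespace('p', PARTNER_NS);

    $records = [];
    foreach ($env->xpath('//p:queryResponse/p:result/p:records') as $rec) {
        $fields = [];
        foreach ($rec->children(SOBJECT_NS) as $name => $value) {
            if ($name === 'type') {
                continue;               // the sObject type, not a selected field
            }
            // The second <sf:Id> overwrites the first; both carry the same value.
            $fields[$name] = (string) $value;
        }
        $records[] = $fields;
    }
    return $records;
}

// Constructed sample response for one Contact, modelled on the question's data.
$sample = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns="urn:partner.soap.sforce.com"
                  xmlns:sf="urn:sobject.partner.soap.sforce.com"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <queryResponse>
      <result>
        <done>true</done>
        <queryLocator xsi:nil="true"/>
        <records xsi:type="sf:sObject">
          <sf:type>Contact</sf:type>
          <sf:Id>0032000000cPd7uAAC</sf:Id>
          <sf:Id>0032000000cPd7uAAC</sf:Id>
          <sf:FirstName>Buzz</sf:FirstName>
          <sf:LastName>Aldrin</sf:LastName>
        </records>
        <size>1</size>
      </result>
    </queryResponse>
  </soapenv:Body>
</soapenv:Envelope>
XML;

print_r(parse_query_response($sample));
```

For the sample this yields one record with Id, FirstName and LastName as separate keys, which is the split the question was after; the point is that the names never were concatenated on the wire, only in SoapClient's rendering of elements it could not map.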

Parsing php array in python

I'm getting a PHP array from a web page (as a string).
It looks like:
Array
(
[k1] => Array
(
[a] => Array
(
[id] => 1
[age] => 60
)
[b] => Array
(
[id] => 2
[age] => 30
)
)
[k2] => v2
)
I want to parse it in python.
Does anyone have an idea how to do this?
Thanks,
Rivka
Edit:
This is really not JSON, as a few people commented.
Thanks for the comments, and I updated the question.
That's not JSON, that's just how PHP prints arrays. If you want to create JSON of the array, check out json_encode for PHP. Then use Python's JSON library (or here for py3) to read it.
If I understood you correctly, you are using print_r on the array to get that output. This is a visual representation of the array only; you can't really parse it. For example:
array('Array'.PHP_EOL."\t(".PHP_EOL." [0] => test".PHP_EOL."\t)")
will look exactly like
array(array('test'));
You should use some real serializing function to do what you want (json, serialize etc.).
