how to secure your passing variables between the two pages via url? Let's assume i have a TEST variable in one page and i want to pass on that variable to test2.php page in the secure method?
How to convert test variable into Hash Method and pass on test2.php page via url?
for example
$test=$_POST['test'];
echo $row['test'];
Test
OR
Test
test2 Page
$test=$_REQUEST['test'];
By secure if you mean that you want the variable to be visible but you want to prevent users from changing the variable you can simply pass a hash along with the variable.
I.e.
$variable = 'abc';
$salt = 'your secret key';
$hash = md5($salt.$variable);
Page 2
On the second page you can rehash to see if the value has changed or not.
$variable = $_REQUEST['variable'];
$salt = 'your secret key';
$hash = md5($salt.$variable);
if($hash == $_REQUEST['hash']){
//do staff
}
However this will not hide the variables from URL, you can use other suggested answers for that.
It's not secure at all, because URLs (incl. GET arguments) are usually stored in httpd logs. So use POST for this, use SSL for transmission. If you need to use GET you can try to encrypt your data but mind that some web browsers got limits on max length of URL used, so too much data in GET may make them confused
Secure hash functions are one way, so no good for passing values. The most secure way to do this would be to use SSL, and POST your variables so they aren't displayed in the querystring/address bar.
Use SSL (for encrypted traffic - see here) and POST (see here).
The answer is simple.
either you need that variable in the url to identify the particular page and it's content
or it's internal site variable, like authorization information - it have to be passed via session.
For the first case you shouldn't "secure" this variable at all.
Related
How to get the full URL including the string parameter after hash tag? I try to echo
$url = $_SERVER['REQUEST_URI'];
echo $url;
the string after the hash tag wont read.
Pekka's comment should be an answer. The string parameter after the hash tag is not sent to the server, it's for the browsers eyes only.
This means that serverside code (PHP, in your case) does not have this info. The clientside code (the browser, javascript, ...) does.
Ideally,
the part after the ? is info for the server. Put everything your
server needs here
the part after the # is info for the client. Put everything your
client needs here. It's called the Fragment Identifier (Thanks Tim).
Historically, the part after the # was most often used to have your browser quicky scroll to a defined anchor on the page. Nowadays, it is more often used to hold state information for the client.
You could have javascript send this info to the server, or perform different actions based on this info. AJAX is your friend.
The hash (the string including the #) never gets passed to the server, it is solely a behavioural property of the browser. The $_SERVER['REQUEST_URI'] variable will contain the rest however.
If you really need to know what the hash is, you will have to use the document.location.hash JavaScript property, which contains the contents of the hash (you could then insert it in a form, or send it to the server with an ajax request).You can pass up the full URL, including the anchor (the part after the #), using a Javascript onload function that sends that URL to an Ajax endpoint.
You can also take a look here Get entire URL, including query string and anchor
use urlencode() and urldecode() functions
In this short example, I will show you how to pass Hash value to the server and make it redirect to the hash value.
Firstly encode the Hash value in the link button
redirect to Link1
Now to redirect to the link from the server
mylink.php
if ($_GET["redirect"] != null )
{
header("location: urldecode($_GET["redirect"]);
}
I'm using these docs to integrate a certain level of protection against session hijacking (bottom of page).
While I can understand the basics of what the article explains, I'm still new to all this and I'm just not able to pin-point what I should do.
I get how this would work:
<?php
session_start();
if (isset($_SESSION['HTTP_USER_AGENT']))
{
if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
{
/* Prompt for password */
exit;
}
}
else
{
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
?>
... and I kinda understand how this can make the above more secure:
<?php
$string = $_SERVER['HTTP_USER_AGENT'];
$string .= 'SHIFLETT';
/* Add any other data that is consistent */
$fingerprint = md5($string);
?>
However, I'm stuck at combining the two into one working script. The docs state:
we should pass this fingerprint as a URL variable.
What does that mean? Do I need to pass the fingerprint in the URL and then use $_GET on each page? Anyone who can help me combining these two snippets of code into one file that I can include in all my PHP files?
yes, you'd need to add this token to any urls and then check it on every page.
Basically what you're trying to accomplish is what cryptographers call a NONCE
(number used once). The idea is to generate the NONCE using the params and then validate that the params haven't been tampered with.
Ideally this should be a hash salted with something random
and used once. There are many libraries that will take care of it for you.
Remember that hashes are not symmetric, i.e you can't un-hash request variables to see that it's the same thing.
What you can do is take a hash of the parameters and compare the hashes. It's important to remember about salts, because without them you'd be susceptible to rainbow tables.
Also if you use $_REQUEST rather than $_GET you can reuse the same logic for both $_POST and $_GET
You can take a look at this library for example, http://fullthrottledevelopment.com/php-nonce-library
you can also borrow the nonce generating code from Wordpress
How can I hide ?ref string from users but pass it to php code so it will grab it?
For example, visitor visits this page:
http://mysite.com/?ref=ref+string
In browser URL I want to hide it, so user will see"
http://mysite.com/
But I want to grab content of ref string via this:
$ref = $_GET['ref'];
Is it possible?
No, if you want to use GET variables, they will always be in the url.
However, you can use an alternative, like $_SESSION or $_POST variables.
You could try something like this at the top of your PHP script:
session_start();
if (isset($_GET['ref'])) {
$_SESSION['ref'] = $_GET['ref'];
header('Location: /');
exit();
}
You would have to use $_SESSION['ref'] to access the value from then on, however.
This is not how the http protocol works with query strings. If you have information that needs to be in the query string that you want to hide or obfuscate from the user, I would recommend a simple encryption to change it. If you're attempting to get rid of this information for aesthetic reasons, you will need to pursue a different method of generating the header or storing the information (session/cookies/etc).
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP Pass variable to next page
Here is my current code:
$search = $_POST['s'];
$search = strtoupper($search);
$search = strip_tags($search);
$search = trim($search);
$search = mysql_real_escape_string($search);
I need to be able to carry on the $search variable to my second, third, etc, pages.
I'm a beginner in php and i'm sort of stuck here
It would appear that sessions are your friend here. In the simplest form, sessions will just put data in cookies that are sent to and from the user's browser. Make sure you call session_start() before you do anything with the session, this will start or resume the user's sessions. After that, you can use $_SESSION as a global associative array that will persist between pages.
Xander has already linked you to the docs, Here are some simple examples. Make sure you understand session_start() otherwise you'll have some bugs.
N.B. Do not use this basic session format for sensitive data. Look into using something like memcache to store the data and simply put the memcache key into $_SESSION. Also, consider encrypting the sessions. Those are more advanced things you should think about when dealing with user authentication/login
Assuming it is a search string, there is only sane method:
First, change the form's method to GET
Next, just pass your search variable in the query string using GET method.
The only modification you have to apply is urlencode()
So, the code should be
$query_string = 'search='.urlencode($_GET['search']);
echo "<a href='?page=2&$query_string'>page 2</a>";
producing an HTML code
page 2
so a user can click this link and you will have your search string back
While $_SESSION has been suggested, another option is to use a hidden field (with the same name and filled with the appropriate value) on subsequent generated pages. Then, when those pages are posted back, they too will have the field available in $_POSTS (this time supplied by the hidden field, not the original text field).
Advantages:
"Bound to the current page"; really good for some page context-sensitive stuff! (The session is scoped to the browser, not the page.)
Avoids the need for session/cookies (which is a non-issue if the session is already required for other purposes).
Disadvantages:
"Bound to the current page": value will be lost when navigated away from outside of back/next context. (As Bert notes, a slight modification can use this "breadcrumb" approach to alter the URL and use GET parameters, which can make the data universally persistent, at the expense of a "less pretty" URL.)
Data must be treated as untrusted and insecure, just like the original post.
Requires population of additional [hidden] fields.
Happy coding.
Use session_start() in each of the pages you want to access the search varaible
in the first page
$search = $_POST['s'];
$search = strtoupper($search);
$search = strip_tags($search);
$search = trim($search);
$search = mysql_real_escape_string($search);
set a session variable as
$_SESSION['searchStr']=$search
then in everyother page
session_start(); // at the very begining
if(isset($_SESSION['searchStr'])) {
$search=$_SESSION['searchStr']
}
I have a doubt about how I can check an URL like this:
http://your.url/set_new_password.php?userid=564979&code=54c4a2767c2f485185ab72cdcf03ab59
I need to check if the userid exists in the database and if the userid is associated to the hash in the link.
I Read that it is not possible check the url within php. If so, is it possible to solve this problem? I need to verify if the hash and userid present in the link exist in the database.
Any other alternatives?
The variables userid and code in the URL are made available to PHP in an array called GET:
echo $_GET['userid']; // 564979
If you have a hash (or fragment) in your URL, this won't get back to PHP:
www.mysite.com?val=1#part2
In the above, PHP can see the domain and the val variable, but not #part2. Sites that use the hash to significantly change the page (eg GMail) use javascript to pull in new content when the hash changes.
Be sure to sanitize your variables before using them, to avoid malicious users being able to hack into your system. This is a big topic, but read up on the following:
Data Filtering
PHP Data Objects
Sanitize and Validate Data with PHP Filters
If you don't sanitize, someone could change your url so that the variable is set to:
;DELETE * FROM mytable;
When you query your db without sanitising your inputs, you could lose all your data.
use the $_GET variable in php
$_GET['userid']
see tutorial here
In PHP, the $_GET array has the url parameters. So in this case, you'd use $_GET['userid'] and $_GET['code']
See Server consist of apache , php , mysql . When you access this url through your browser it is first send to apache which forwards your request to php . Php takes full controle from there on . A request made by client browser consist of various data which can be divided into types cookies , headers , post , get request . All these data can be access in there respective suprglobal variables in php $_GET , $_POST and so on . In your case you need to access $_GET . so do $_GET['userid'] to access userid , and $_GET['code'] to access code . Lastly you would connect ot MYSQL and do querly like "Select * from users where 'userid' = $_GET['userid'] and 'code' = $_GET['code'] " ;