I want to read URL parameters from URL and I have used $_Get["parametername"]. And it works fine.
However, for URL like :
http://myserver.com/getcrawledimage.php?key=XXXXXXXXXX
&url=https://www.google.co.in/search? q=read+json+in+mysql&aq=f&oq=read+json+in+mysql&aqs=chrome.0.57j0l3j62l2.7010j0&sourceid=chrome&ie=UTF-8#hl=en&sclient=psy-ab&q=parsing+json+in+mysql&oq=parsing+json+in+mysql&gs_l=serp.3..0j0i22i30l3.138180.199873.3.200144.44.28.10.5.6.2.824.5388.1j22j1j1j1j0j2.28.0...0.0...1c.1.12.psy-ab.6dwtA9Be9BY&pbx=1&bav=on.2,or.r_qf.&bvm=bv.46340616,d.bmk&fp=cb8cca45920a2be6&biw=1920&bih=979&devicetype=retina.
it doesn't work.
I am tracking key, url and devicetype here.
It returns key=XXXXXXXXXX , url=https://www.google.co.in/search?q=read json in mysql.
Nothing for devicetype.
Can someone help me where am I wrong ?
you cant sent by url value like // or & so you can use urlencode for value like this
url=<?php echo urlencode('https://www.google.co.in/search? q=read+json+in+mysql&aq=f&oq=read+json+in+mysql&aqs=chrome.0.57j0l3j62l2.7010j0&sourceid=chrome&ie=UTF-8#hl=en&sclient=psy-ab&q=parsing+json+in+mysql&oq=parsing+json+in+mysql&gs_l=serp.3..0j0i22i30l3.138180.199873.3.200144.44.28.10.5.6.2.824.5388.1j22j1j1j1j0j2.28.0...0.0...1c.1.12.psy-ab.6dwtA9Be9BY&pbx=1&bav=on.2,or.r_qf.&bvm=bv.46340616,d.bmk&fp=cb8cca45920a2be6&biw=1920&bih=979
&devicetype=retina.') ; ?>
Related
I'm trying to write a script which accepts a url such as rfile.php?url=https://example.com/file.php?alias=midlands how ever I want to be able to pass vairables over so it becomes rfile.php?url=https://example.com/file.php?alias=midlands?type=src how ever $type=$_GET['type']; comes up as null.
I having checked $url=$_GET['url']; returns the full url string of rfile.php?url=https://example.com/file.php?alias=midlands?type=src
Clearly I can fix this but seperating the features I planned to use via the type vairable but I thought I would ask if any one knows a way to pull in that url including the ?alias=midlands but stop at ?type=src ?
Example url - rfile.php?url=https://example.com/file.php?alias=midlands?type=src
<?php
/*
*/
header("Pragma: No-Cache");
// Initialise variables
$url=NULL;
$type=NULL;
// Check auth is set
if (!isset($_GET['url']))
{
echo "Could not service your request. url was not set";
}
// Check auth is set
if (!isset($_GET['type']))
{
echo "Could not service your request. type was not set";
}
$url=$_GET['url'];
$type=$_GET['type'];
echo $url;
echo $type;
?>
Thanks
Terran
I'm pretty sure that what you want is to pass parameters and their values into your URL and grab them with $_GET method.
If this is what you are looking for, then you are having a typo in your example URL. The ? tells the URL where to start looking for parameters. Each pair of parameter-value must be separated with character &. This means that the correct format of your URL in order to retrieve all those parameters is this one:
rfile.php?url=https%3A%2F%2Fexample.com%2Ffile.php%3Falias%3Dmidlands&type=src
Since you want to have a url as a parameter of the original url you should try to urlencode the parameter as above.
Probably your results will be:
$_GET['url'] => https%3A%2F%2Fexample.com%2Ffile.php%3Falias%3Dmidlands
and
$_GET['type'] => src
Then u will have to run urldecode again on your $_GET['url'] to grab the nested parameters. Hope I've helped.
I am using CodeIgniter 3.x.
User have this data : %7B%5C%22uid%5C%22%3A%5C%221234%5C%22%2C%5C%22uname%5C%22%3A%5C%22kishor%5C%22%7D
User send me the request and pass the data as parameter in url. The last parameter in url is nothing but the users data.
http://localhost/codeigniter/myproject/myfunction/%7B%5C%22uid%5C%22%3A%5C%221234%5C%22%2C%5C%22uname%5C%22%3A%5C%22kishor%5C%22%7D
The encoded data nothing but a json string which he want to encode and then send me the request. If I parse it using php then it yields this : '{"uid":"1234","uname":"kishor"}'
But it is not accepted in url, it gives me Object not found! error in browser.
Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.
If you think this is a server error, please contact the webmaster.
Error 404
I tried changing $config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';, but it doesn't work for me.
Assuming that your CodeIgniter is set up properly and routing things correctly then I recommend sending the JSON as a $_GET parameter:
http://localhost/codeigniter/myproject/myfunction/?json=%7B%5C%22uid%5C%22%3A%5C%221234%5C%22%2C%5C%22uname%5C%22%3A%5C%22kishor%5C%22%7D
So in CodeIgniter, you should be able to simply:
json_decode( $this->input->get( 'json' ) );
If you pass the below way than you have to pass argument in function.
http://localhost/codeigniter/myproject/myfunction/%7B%5C%22uid%5C%22%3A%5C%221234%5C%22%2C%5C%22uname%5C%22%3A%5C%22kishor%5C%22%7D
like this
function myfunction($param = ''){ echo $params; }
The way you are passing is not a proper way. If you need to get and decode that value, use following way in your controller function
i dont know which one is controller & function in your code, I guess myproject is a controller. So, i'm passing 3rd parameter Number 3 in segment
// it will return %7B%5C%22uid%5C%22%3A%5C%221234%5C%22%2C%5C%22uname%5C%22%3A%5C%22kishor%5C%22%7D
$json_value = $this->uri->segment(3);
$json_value = (array) json_decode(stripslashes(urldecode($json_value)));
var_export($json_value);
output
array (
'uid' => '1234',
'uname' => 'kishor',
)
I am trying to sanitize my GET variables but Accuntrix is still complaining for some reason.
So I visit a page and the URL contains parameters. I pass these parameters between pages. To do this I do
something like the following
<a class="navbar-brand" href="https://someDomain/someFolder/someFile.php?WT.var1=<?php echo $_GET['WT_var1']; ?>&var2=<?php echo $_GET['var2']; ?>&var3=<?php echo $_GET['var3']; ?>&var4=<?php echo $_GET['var4']; ?>" title="logo"><img src="logo.png"></a>
I have lots of links like this on the page, and when I first ran the page it was vunerable to cross site scripting because
I was not sanitizing the GET requests. So at the top of the page, I put
<?php
$_GET['WT_var1'] = htmlspecialchars($_GET['WT_var1']);
$_GET['var2'] = htmlspecialchars($_GET['var2']);
$_GET['var3'] = htmlspecialchars($_GET['var3']);
$_GET['var4'] = htmlspecialchars($_GET['var4']);
?>
Initially, this seemed to work. But I have recently run another scan, and every single link like the above shows up as a high.
The details look something like this
URL encoded GET input WT.var1 was set to 1}body{acu:Expre/**/SSion(prompt(926954))}
The input is reflected inside a text element.
And the exploit looks like this
/someFolder/someFile.php?WT.var1=1%7dbody%7bacu:Expre/**/SSion(prompt(941830))%7d&var2=&var3=&var4=
Is that not showing a sanitized url though? Is this something I need to fix or is it a false/negative?
Thanks
htmlspecialchars() encodes your variable for output as content in an html page. If you need to pass your variables through the url, you need urlencode(().
So for example:
...someFolder/someFile.php?WT.var1=<?php echo urlencode($_GET['WT_var1']); ?>&var2...
I have a URL like given below
http://mydomain.com/wrt/search.php?org=125&assignedto[]=NULL&Search=req_assigned_to&state[]=New&state[]=Pending%3A+Installation&state[]=Pending%3A+More+Info&state[]=Assigned&state[]=Working&orgs[]=125
i need to get the values of other required variables which results from accessing the above URL given in PHP..
Actually i should use this above mentioned link to access the form varaible values which will be displayed in that form resulted by execution of some queries using the parameters passed through the link given above..i wont be using form concepts such but can use this link alone,as i dont have access to the required database so this link is the base to retrieve values ...
Please suggest how it can be done.Its of high urgency.
You can access URL parameter via $_GET, when you have this URL try for example:
echo $_GET['Search']; should output req_assigned_to.
I'm not quite sure what you are trying to do but if I'm right you are looking for:
echo $_GET['org'];
This will echo 125. replace org with any other parameter in your url.
Read up on: http://www.php.net/manual/en/reserved.variables.get.php
I'm trying to write some code which shares a page on Facebook and twitter.
The problem I'm facing is that the page I'm trying to share has a big query string like:
http://domain.com/see.php?c=3&a=123&v=1
But it seems that Facebook and Twitter don't like that big query string.
I also tried using tiny url with following method in which I passed the URL to a PHP function to get the tiny URL:
var a = $("#Link").val();
I get the correct value of **a**. After that I pass this value to a PHP file:
$.post("ShortLink.php?value="+a
In that PHP file I got the following value:
http://domain.com/see.php?c=3
All the values after 3 is deleted.
Thanks
When POSTing to your ShortLink.php file, you should make sure to URL encode the value of a beforehand. Otherwise you're calling ShortLink.php?value=http://domain.com/see.php?c=3&a=123&v=1, i.e., sending:
value = http://domain.com/see.php?c=3
a = 123
v = 1
What you want is ShortLink.php?value=http%3A%2F%2Fdomain.com%2Fsee.php%3Fc%3D3%26a%3D123%26v%3D1, thus sending:
value = http://domain.com/see.php?c=3&a=123&v=1
This can be achieved via encodeURIComponent():
$.post("ShortLink.php?value=" + encodeURIComponent(a));
See also How do I pass a URL with multiple parameters into a URL? and How to encode a URL in Javascript?.
Why don't u just use an url shortener API for that, like Google url shortener. That way, you can leave your code the way it is, but for site's like Facebook and Twitter, it is nicely short.
Try this:
$.post("ShortLink.php?value=" + escape(a));