I want to pass an id from one page to another when user clicks a url. There can be multiple url each corresponding to a separate id. Based on url clicked, I want to pass corresponding id and an action. Currently I am using following approach:
<a href="Process.php?action=del&id='.$id.'">
However both action and id are visible in url. Is there any way to hide this information in url and not passing it through url?
Also if I pass them using hidden fields, they can be accessed using browser dev tools. I want to make them secure so they can't be read or modified at all.
I would like to hide this for security purpose so no any user can see this
In HTML only, you'll not able to pass "hidden" variables through $_GET.
If you really want to hide some variables when a user click on a link, you can use Javascript with an auto-submitted form to use $_POST variables.
Example
<form method="POST" action="yourpage.php" id="yourform" style="display:none;">
<input type="hidden" name="hiddenfield" value="__" />
</form>
<a href="" onclick="document.getElementById('yourform').submit();return false;" />
Now, in yourpage.php, you'll be able to obtain the $_POST['hiddenfield'] value.
Edit:
I don't think it can be possible to really hide the values from dev tools. Btw, you can maybe use sessions, it will be more "secure"..
Example:
// page1.php
session_start();
$_SESSION['yourname'] = 'yourvalue';
// page2.php
session_start();
$_SESSION['yourname']; // Contains 'yourvalue'
The best way to hide id(if you mean security) is to encrypt it. You should use MCRYPT function to encrypt the id. You can encrypt both ID and your ACTION in one string and just pass this string to URL and then when you want to use it you can decrypt parameter and split it. When you connect it with MOD_REWRITE in htaccess you can get url like:
<a href="Process,Some title of yourpage,í,eHGxC•z»#”“§``"> to make it more "pretty" you can use base64 on this string.
or with base64, mcrypt and mod_rewrite
<a href="Process,SWRlYW">
to decrypt string you should use base64_decode(), mcrypt_decrypt()
You can use base64 for this (if security is really a big concern). Before passing it to the URL,
you can encode it first and then in the receiving end, you can decode it.
Check this URL : http://www.webtoolkit.info/javascript-base64.html
EDIT:
Please ignore the line above in the bracket.
Based on the comments below, base64 is really not responsible for security. Better approach is to use a server sided language to encrypt/decrypt values. Using base64 through javascript is not a good idea. Thanks Bobby.
Related
I have a form which I want to validate with PHP. The poster upload from Uploadcare's widget is part of that form.
Sometimes users have to go backward in the form to fix stuff - an incorrect email, etc. I want to have the chosen upload file persist within that form.
This works when the back button is clicked, but I cant rely on that. I'm using PHP POST variables to reload and repopulate the form.
My question: can I use a POST variables with the Uploadcare input button to make it "remember" and reload the chosen picture the user has previously uploaded?
My current code.
<input type="hidden"
role="uploadcare-uploader"
data-preview-step="true"
data images-only="true"
name="adposter"
style="display: inline-block;" />
Is it possible to do something like:
<input type="hidden"
role="uploadcare-uploader"
data-preview-step="true"
data-images-only="true"
name="adposter"
style="display: inline-block;"
value="<?php print isset($_POST["adposter"]) ? htmlspecialchars($_POST["adposter"]) : ""; ?>"
/>
As one would with other fields? Obviously the Uploadcare input widget has its own way of doing things, hence the query.
As the documentation says:
The value of [role=uploadcare-uploader] input is either empty or CDN link with file UUID.
If you externally set the value of the input and trigger the DOM change event, it will be reflected in the widget. For example, setting it to a file UUID or a CDN link will show that file as uploaded in the widget. You can do this on a live widget or even before it's actually loaded.
So your second snippet should work correctly.
You may also want to know the way to set widget's value via JS:
var widget = uploadcare.Widget('[role=uploadcare-uploader]');
widget.value("https://ucarecdn.com/e8ebfe20-8c11-4a94-9b40-52ecad7d8d1a/billmurray.jpg");
Sorted this. It can be done with Value. Great!
https://uploadcare.com/documentation/widget/#input-value
You can use $_POST to pass on variables from the one form to another just as you described using hidden fields. But this is not very efficient and as you write the information back to the client, they could change that.
A better way to save these kind of variables is to make use of $_SESSION:
The session support allows you to store data between requests in the
$_SESSION superglobal array. When a visitor accesses your site, PHP
will check automatically (if session.auto_start is set to 1) or on
your request (explicitly through session_start()) whether a specific
session id has been sent with the request. If this is the case, the
prior saved environment is recreated.
http://php.net/manual/en/intro.session.php
So after the image was uploaded you store the image id in a $_SESSION:
session_start();
$_SESSION['imageid'] = 123456;
Then even forms later you can access the imageid simply by using the $_SESSION variable again:
session_start();
var_dump($_SESSION['imageid']);
int 123456
See the php documentation for more information on sessions: http://php.net/manual/en/book.session.php
My Html links has extra attributes, like:
<a cat-data="175" rt-data="154" href="index.php?view=item"></a>
<a cat-data="775" rt-data="134" href="index.php?view=item"></a>
<a cat-data="575" rt-data="174" href="index.php?view=item"></a>
In this code is to see: cat-data="" and rt-data=""
If i click on this link and go to next page, can i request this data? cat-data="" and rt-data=""
Adding arbitrary attributes to an <a> element will not transfer them as part of the URL. So no, at least not as it stands.
You can encode them in the URL in the first place:
href="index.php?view=item&rt=174&cat=575"
and they will be accessible through $_GET.
You could also use JavaScript to modify the href attribute based on the other attributes, but that is needlessly complicated and dependant on JavaScript, so it is not recommended.
Note that adding arbitrary attributes to an element will make your HTML invalid and is not recommended. HTML 5 allows custom attributes if the name starts with data-, which might be what you are trying to use here, but you are using data as a suffix when it must be a prefix.
the data attribute uses for jquery and javascript and you can't have them in the next page, or on servers side, you can add the data to the url and then get them as get or post,
you can also store data on cookies and get the cookies on the next page
please use the next url : href="index.php?view=item&cat-data=175&rt-data=154
I have various links in my website that point to a specific form.
Whenever someone fills out the form, I want to be able to know what link led them to the form.
I want to do this without having to create an individual line of PHP code for every link I create in the. Instead, I want to have some PHP code that picks up something from that link, and maybe inserts it into a hidden text box that gets its value or text from something that I tag in the link.
For example:
User clicks a link.
That link directs them to a form.
The link carries an identification that activates PHP code
When I recieve the form, I know what link was clicked to get to that form.
I want it to work with links in emails I send out as well.
Based on the information in your post, it sounds like you just want to send a token/ id.
Goto Form
Now on the form you can grab the token:
$token = $_GET['token']; // use proper testing first
Then use a switch or if statements to run whichever code you need.
<input type="hidden" value="<?php echo $token; ?>">
Additional:
As the //use proper testing first comment indicates, you should make sure the token being passed is valid and sanitized in case of attack. One option is to have tokens stored in a database when generated and then compared when validating. Also look into htmlspecialchars() and even strip_tags() for sanitizing.
If the token fails to validate, you should not output and should even have a warning message/redirect that there was an error.
You can use HTTP Referer to achieve this. In PHP, you can use
$referer = $_SERVER['HTTP_REFERER']
Use this for example :
if (isset($_SERVER['HTTP_REFERER']))
{
$ref = $_SERVER['HTTP_REFERER'];
}
then in your form something like:
<input type="hidden" value="<?php echo htmlspecialchars($ref, ENT_QUOTES); ?>" name="ref" />
I'm trying to store the redirect URL for use a few pages later but I'm having trouble figuring out how to get it from one place to another.
Usually I'd just pass a variable thru the URL, but since my redirect URL contains URL variables itself, this doesn't exactly work.
To give you a better idea of what I'm trying to do, here's the structure.
PAGE 1: User can click a link to add content on PAGE 2
PAGE 2: User enters text. Submitting the form on this page calls "formsubmit.php" where the MySQL data entries are handled. At the end of this I need to redirect the user to PAGE 1 again. The redirect URL needs to exactly match what was originally on PAGE 1
Does anyone have any suggestions on how to go about this?
You should use $_SESSION to store the variable in session memory. As far as specifics go with how to handle this in particular, you should be able to figure it out (store the variable, check if it exists later, if so redirect etc etc) but $_SESSION is going to be much more efficient / less messy than trying to pass things back and forth in query strings.
To declare a session variable you would do something like this:
$_SESSION['redirUrl'] = "http://www.lolthisisaurl.com/lolagain";
And then to reference it you just do
$theUrl = $_SESSION['redirUrl'];
Here is some material to get you started: http://php.net/manual/en/reserved.variables.session.php
I would recommend either using session variables, or storing the redirect url in a hidden form parameter. Session variables are pretty simple; just initialize the session (once, at the top of each page), and then assign variables to the $_SESSION global var:
<?php
session_start();
...
$_SESSION['redirect_url'] = whatever.com;
...
Hidden form parameters work by sending the data from page to page as form data. On the backend, you would add code that would put the URL to be stored in a form variable:
<input type='hidden' name='redirect_url' value='<?php echo $redirect_url; ?>';
On each page, you can take the URL out of the $_POST or $_GET variable (whichever is appropriate) and insert it into a hidden form in the next page.
You can use urlencode and urldecode to pass a string that contains elements that would otherwise break a url in a url query.
I can see two possible solutions :
get the previous page from document.referrer ([edit] find more info on this SO thread : getting last page URL from history object - cross browser?)
store the previous url via a session variable ([edit] MoarCodePlz pointed this out in his answer)
Regards,
Max
You can add this hidden field in to your form:
<input type="hidden" name="referer" value="<?php echo $_SERVER['HTTP_REFERER']; ?>">
Then use header() to redirect to this page:
header('Location: '. $_POST['referer']);
I've never really thought about this, but it helps with some security of something I'm currently working on. Is it possible to submit GET data without an actual input field, and instead just getting it from the URL?
If so, how would I go about doing this? It kind of makes sense that it should be possible, but at the same time it makes no sense at all.
Perhaps I've been awake too long and need some rest. But I'd like to finish this project a bit more first, so any help you can offer would be appreciated. Thanks
Yes. If you add some query-string to yourl url, you can obtain that in php using $_GET without form submitting.
Going to this URL adress http://yoururl/test.php?foo=bar cause echoing foo (if there will be no foo query string, you'll get warning).
# test.php
echo $_GET['foo'] # => bar
Is this what you mean?
Link
// page.php
echo $_GET['type']; // foobar
This is what I understand of your question:
You have a <form method="get" action="foo.php">-like tag on your page
You have a series of <input type="text" name="bar"/> in your page
You want to pass additional GET parameters that are not based on an input from the form
If so, it is possible, but I hardly see how it could help with security. Input from a client cannot be trusted, so even if you hardcode the GET value, you have to check it serverside against SQL injection, HTML injection/XSS, and whatnot.
You have two ways:
Use a hidden input: <input type="hidden" name="myHiddenGetValue" value="foobar"/>
Add the GET parameter to the form action: <form method="get" action="foo.php?myHardcodedGetValue=foobar">
If what you meant is that you want to have a GET request without a form, you just need to pass all the GET parameters to the href of a link:
Click here!
Yes it's possible. Just append the GET data to the link.
For example:
<a href="main.htm?testGet=1&pageNo=54>Test</a>
You can also use Javascript to build the url.
If you happen to be using jQuery and want to build the GET data dynamically you can do this:
var getParams = { testGet:1, pageNo:54 };
$(".myLink").attr("href", url + "?" + $.param(getParams));