I have this page which contains a form. The values are POSTed over to the next page(check_values.php) which manipulates these values. Now I want to add a captcha. but it requires you to redirect the form to a verify.php which seems to clear out the posted variables when i redirect to check_values.php. I dont want to use session variables in this case. Are there any other method(s) to accomplish this.
You can use query strings too
In your verify.php page, add a query string to the location i.e.,
header('Location: check_values.php?captcha='.$postedValue.'');
Then in check_values.php, you can use $_GET to capture that value.
$value = $_GET['captcha'];
But make sure you sanitize all data coming from the query string
Yep, POST won't persist after a page request. You'll have to resend them somehow.
If you want to stick with POST, inside the validate page you could populate a form with the POSTed variables, and submit it using a Javascript. Something like
<form id='blah' method='post' action='check_values.php'>
<input type='hidden' value='<?php echo $_POST['var1']; ?>' />
<input type='hidden' value='<?php echo $_POST['var2']; ?>' />
</form>
<script type='text/javascript'>
document.getElementById("blah").submit();
</script>
Another option is stream_context_create, where you can send a redirect header with POST data. But this may only be useful for opening a stream, and the redirect could be difficult.
Of course, the easy way is just use a redirect header and send the data using GET, as #asprin explains.
The following works perfectly
http://www.jquery4u.com/forms/setup-user-friendly-captcha-jqueryphp/
Related
I want to send POST variables from a form to be played around with in a PHP file and then have the PHP file redirect the user back to the original site the form was submitted. How could I reference the form's original URL from the PHP file so that I could use the same PHP file for multiple websites?
You would want to use something like
$_SERVER['HTTP_REFERER']
But this is controlled by the client side / browser.. So should not be trusted as such. A more preferred method for myself is to either include the url as a hidden input or have something like sessions store the last page.
<form method="POST" action="someurl.php">
<input type='hidden' name='sent_from' value='<?php echo $_SERVER['PHP_SELF']; ?>' />
<!-- Normal form data from this point -->
</form>
someurl.php
<?php
echo $_POST['sent_from']; // This will contain the page that posted to this file.
?>
I have something like this (short version):
index.php:
<?PHP
echo "<form action='process_form.php?action=do_something' method='post'>";
echo "<input type='hidden' name='return_url' value='index.php?".$_SERVER['QUERY_STRING']."'>";
?>
and now in process_form.php I have processed that form and at the end of it I put this:
<?PHP
$return_url = $_POST['return_url'];
header ("location: $return_url");
die();
?>
My question is - am I doing it right? Is it right way of processing POST forms data and redirecting back? Thing is that my return url can be anything, but I want users be redirected exactly to where they submitted that form.
Is there some security concern I should pay special attention to?
Thanks
I would use this:
index.php
<form action="process_form.php" method="post">
<input type="hidden" name="action" value="do_something" />
<input type="submit" value="Submit" />
</form>
process_form.php
<?php
header('Location: ' . $_SERVER['HTTP_REFERER']);
?>
I don't see any problem. A hacker would gain nothing by tinkering with the POST variable. He's just messing with the HTTP response he himself is going to get. Since the request is a POST, a caching server would not save the response. Response splitting is not a potential attack vector here.
What you're doing is correct. If instead of $_POST, you were to redirect off a $_SESSION variable, then there would be multiple vulnerabilities.
Using $_POST anywhere in your code without filtering has a potential to cause unwanted behaviour; in your case, you should be aware of response splitting attacks.
The good news is that since PHP 5.1.2 it's no longer possible to unknowingly set multiple headers in a single header() call.
That said, you could still check out the various input filters that typically ship with PHP - e.g. FILTER_VALIDATE_URL.
I have a simple php test page as follows
<?php
if(isset($_POST['hitme']))
{
echo "hello world";
}
?>
I'm hitting this page as, http://www.abc.com/page.php?hitme=true but this is not echo'ing anything. Is something wrong with this?
Use $_GET['hitme'], not $_POST, since you passed the value in the query string. $_POST would hold values sent via a <form action='post'>, but not values passed in the query string.
if(isset($_GET['hitme'])) {...}
It's recommended to read about the differences between PHP's superglobal arrays.
$_POST only contains variables which are posted to the page as part of an HTTP POST request. If you are typing the address into your browsers address bar, you're issuing a GET request, not a POST request, and no variables will be set in $_POST. Even if you are issuing a POST request, variables specified on the query string will still only be available inside $_GET, so for this example your using the wrong array either way.
You must use $_GET instead of $_POST when it's in the URL
If it's in the URL, e.g. http://example.com/index.php?hitme=true, it's in $_GET.
However, if you want it to be in $_POST, you'd have to do something like this (very basic example):
<form method="post" action="page.php">
<input type="checkbox" name="hitme" value="true" />
<input type="submit" value="Post data!" />
</form>
This script will allow the user to check it if wanted, and then click "Post data!".
However, it won't be in $_POST as long the user didn't click the button.
As for $_GET, it will be there as long as it's in the URL.
Or you can use $_REQUEST['hitme'], this one will check both $_POST['hitme'] and $_GET['hitme']
I understand that I am able to use the POST method for URL parameters to display data according to a specific variable, I know how to make use of the GET method - but I am told that the POST method can be used to hide the part of the URL that is like this.
/data.php?parameter=1234
What is the actual difference of the two methods in terms of URL parameters?
Below is some code that fetches data from a database according to the id of a specific link
<?php
//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');
//This is the actual interaction with the database, according to the id.
$query = mysql_query("SELECT * FROM table WHERE id=" .$_GET['id'] . ";") or die("An error has occurred");
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if( mysql_num_rows($query) < 1 )
{
header('Location: 404.php');
exit;
}
//Here each cell in the database is fetched and assigned a variable.
while($row = mysql_fetch_array($query))
{
$id = $row['id'];
$title = $row['title'];
$month = $row['month'];
$day = $row['day'];
$photo = $row['photo'];
$text = $row['text'];
}
?>
On a separate page I generate links to the data.php file according to the ID like so:
<?php echo $content['title']; ?>
Forgetting that there are potential SQL injections that can occur through the above code, how would I go about making use of the POST method in order to hide the URL parameters, or at least not display them like this:
http://example.com/data.php?id=1
In order to use POST, you will need to use a <form> tag, and depending on how you are pulling up these URLs, it could be easier to use javascript to help out. Here's a basic example:
<form method="post" action="data.php">
<input type="hidden" name="parameter" value="1234" />
<input type="submit" value="Go" />
</form>
The Go button would POST the form data, and now in data.php you will be able to retrieve the value from $_POST['parameter']. Note that when using POST, you will probably want to redirect (HTTP 302) back to a page so that when a user hits the back button, the browser doesn't prompt to resubmit the form.
Using javascript, you could set the parameter input to a different value before posting the form.
Use method "POST" for your form. I had the same issue, just adding POST to the form removed the parameters from the URL
<form id="abc" name="abc" action="someaction.php" method="post">
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>
<input type="submit" id="submit" name="submit" value="submit"/>
</form>
To POST values, a browser would have to use a form with method="post", or javascript simulating a form. Various developer tools (fireug, etc) can convert GET forms to POST forms, but generally, a form is what is required.
In theory GET requests should not have any side effects, and "should" be consistent from request to request. That is, the server should return the same content. In todays world of just about everything being dynamic, this might be of little practical design significance.
Whether you use GET or POST, the parameters will appear in $_REQUEST. The critical difference is that using POST allows the variables NOT to appear in URL history. This decreases the visibility of data such as passwords which you do not want to show up in URL history. To use POST instead of GET, simply produce <form method="POST" ...> in the document.
Even better is to store sensitive values (like user ids) in cookies, so that they don't appear in $_REQUEST at all. Since the contents of cookies are provided in extra HTTP request headers, not in the content, they are generally not stored as part of the history.
In order to use POST instead of GET, you would need to use an HTML form tag in your html, like so:
<form method="POST" action="/data.php">
<input type="hidden" name="parameter" value="1234" />
<button type="submit">Submit</button>
</form>
When submitted, your URL will just be /data.php and parameter=1234 will be in your (hidden) post buffer.
Make sense?
To do a POST, you have to use a form, or some javascript/ajax trickery. An <a> will only ever cause a GET request.
Note that POST requests can still have query parameters in the URL. It's not "normal" to have them, but they are allowed. The main difference being that with a GET request (ignoring cookies), the URL is the ONLY way to send parameters/data to the server. With POST, you can use both the URL, and the body of the POST request, which is where POSTed form data is normally placed.
Near the top of my page, I have this:
<?php $id = $_GET['id']; ?>
Then I have some form check conditionals that read from POST:
if (isset($_POST['completeSubmit'])) {
//code
}
And finally, I have an HTML form which looks like this:
<form action="<?php echo $_SERVER['PHP_SELF']."?id=$id"; ?>" name="complete" method="post">
<input type="submit" id="textButton" name="completeSubmit" value="[mark as complete]">
</form>
The page is initially accessed by using GET with an id variable like this:
http://website.com/page.php?id=1
All subsequent form submissions (which get redirected to the same page) fail. I know you can't send both GET and POST in the same request, but seeing as my form is submitting to $_SERVER['PHP_SELF']."?id=$id" using POST shouldn't it work? This is my first time trying this so it is quite possible I've overlooked something trivial.
You can use get and post at the same time, but you shouldn't. If you want to continue to send the ID this is as simple as:
<form ...
<input type="submit" ...
<input type="hidden" name="id"
value="<?php echo htmlspecialchars($_GET['id'], ENT_QUOTES); ?>" />
</form>
Of course you can not use GET and POST methods simultaneously.
However you can use a query string while sending a form using POST method, which being used to populate $_GET array.
To find a certain error you have to provide more info. At least 2 things:
how does HTML form look
what do yo see in the query string after posting the form.
and errr...
do you use any header redirects in the form processing?