If the incoming PHP possible requests can be the following
1)http://wwww.test.com/api.php?device_id=xxxx&user_name=xxxx&pass_word=xxxx&num_request=xxxx&num_site=xxxx;
how do I extract the user_name field from the above in my api.php code?
Those values are passed via a standard GET request accessible like this:
$deviceid = $_GET['device_id'];
Be aware that this value is unsanitized and open to modification from the user which could ultimately end up with SQL injection depending on your usage of the value.
You can use the $_GET superglobal to acess querystring values
$user_name = $_GET['user_name'];
Related
I am trying some code to get value from URL through post method and search database table for that value and get info from the database and encode it into JSON response.
Here is my code :
<?php
//open connection to mysql db
$connection = mysqli_connect("localhost","root","","json") or die("Error " . mysqli_error($connection));
if (isset($_POST['empid'])) {
$k = $_POST['empid'];
//fetch table rows from mysql db
$sql = "select `salary` from tbl_employee where `employee_id` = $k ";
} else {
//fetch table rows from mysql db
$sql = "select `salary` from tbl_employee";
}
//fetch table rows from mysql db
$result = mysqli_query($connection, $sql) or die("Error in Selecting " . mysqli_error($connection));
//create an array
$emparray = array();
while($row =mysqli_fetch_assoc($result))
{
$emparray[] = $row;
}
echo json_encode($emparray);
//close the db connection
mysqli_close($connection);
?>
I used Postman extension on Chrome and pass the values but it is not returning. Instead it is returning the else part.
Postman Screenshot
Looking at your screen shot, you have not passed body key values, instead you passed params.
Click on Body Tab and then pass key & value pair.
As per your screenshot you are sending your empid through query parameter so you need to access that as follows
<?php
if (isset($_GET['empid'])) {
echo $_GET['empid'];
}else{
// else part
}
also for that you need to Request Url in Postman using GET method.
But as you have stated that you want to send empid through POST in postman, you have to send it through form-data in Postman and access it as $_POST["empid"];. following is the screenshot for your reference
else there is another option where you can send the POST data through body as row json and access it as
$rawPostData = file_get_contents('php://input');
$jsonData = json_decode($rawPostData);
and $post will contain the raw data. And you can send it through postman as in following screenshot.
You have to set the Body to "x-www-form-urlencoded" and adding the variables to be posted
Or try this SO question, its already been answered
I replicated the code and db on my system to figure out the problem. I also added some lines of code before if (isset($_POST['empid'])) { for diagnostics sake:
$method = $_SERVER['REQUEST_METHOD'];
echo $method."<br/>";
The application file is index.php deployed in json directory inside webroot.
When I send any request to http://localhost/json directory (either POST/GET), Apache redirects the request as a GET request to index.php (as configured in my Apache config file). I assume this is what you're experiencing.
But when I send the request to http://localhost/json/index.php, the request is accurately received and processed.
Therefore, I would say the solution is that you need to specify the php file and also set the empid parameter as part of the body in Postman (not as part of the url).
I think you should also check the post if emptyif (isset($_POST['empid']) AND ($_POST['empid']) != ""). to allow php to execute the line before else.Sometimes programming becomes unpredictable.
use if(isset($_REQUEST['empid'])) to test in POSTMAN...
Then use if(isset($_POST['empid'])) to test directly from app...
have a look Issue in POSTMAN https://github.com/postmanlabs/postman-app-support/issues/391
To get the value of a variable from the URL(query string), you need to use either $_GET or $_REQUEST.$_POST represents data that is sent to the script via the HTTP POST method.
So, in your code you just need to do this :
$_REQUEST['empid'] instead of $_POST['empid']
In POST method the data is sent to the server as a package in a separate communication with the processing script. Data sent through POST method will not visible in the URL.
Confirm that in postman Content-Type should be application/x-www-form-urlencoded in request header.
Postman reference doc : https://www.getpostman.com/docs/requests
Hey it sounds like you are just needing to do a GET request to your DB.
You are more than welcome to send in variables via a GET request as well.
GET http://localhost/json?empid=3
You can then get data from your GET request like so $_GET['empid']
I suggest a GET request because I see your not actually posting any data to your server, your just handing in a variable in which you want to use to query with.
I do understand that GET requests are less secure, but in your scenario your POST just doesn't seem to want to work. So a different tack might do you justice.
If you want a value from the URL, you need to use $_GET["empid"] instead $_POST["empid"]
Submitting a form through POST method
By post method of form submission, we can send number or length of data. Sensitive information like password does not get exposed in URL by POST method, so our login forms we should use POST method to submit data. This is how we collect data submitted by POST method in PHP
$id=$_POST['id'];
$password=$_POST['password'];
Collecting data submitted by either GET or POST method
If a page is receiving a data which can come in any one of the method GET or POST then how to collect it ? Here we are not sure how to collect the data. So we will use like this.
$id=$_REQUEST['id'];
$password=$_REQUEST['password'];
Looking at the URL you are requesting, you are sending a GET value within your POST request.
http://localhost/json?empid=3
As you can see here, the url holds the empid variable and so the is send to the server as beeing a GET variable ($_GET)
Use $_GET['empid'] to access this variable, while using $_POST to access the other variables.
You could also use $_REQUEST to access both GET and POST data by the same global.
http://example.com/retrieve1.php?Grade=&School=&Team=&Students=
How do i check multiple parameters in above URL ?I am using different search filters such as (Grade, School, Team, Students). So i would like to use the values of these filters from URL. I am not sure how to approach this, I would appreciate any help.
URL: http://example.com/retrieve1.php?Grade=&School=&Team=&Students=
Two HTTP Request Methods: GET and POST
Two commonly used methods for a request-response between a client and
server are: GET and POST.
GET - Requests data from a specified resource
POST - Submits data to be processed to a specified resource For your
For your url its a GET method.
You can store the url parameter value using the GET Method.
$Grade = $_GET['Grade'];
$School= $_GET['School'];
$Team= $_GET['Team'];
$Students= $_GET['Students'];
You can also store the url parameter value using the REQUEST Method.
$Grade = $_REQUEST['Grade'];
$School= $_REQUEST['School'];
$Team= $_REQUEST['Team'];
$Students= $_REQUEST['Students'];
Note: The variables in $_REQUEST are provided to the script via the
GET, POST, and COOKIE input mechanisms and therefore could be modified
by the remote user and cannot be trusted. The presence and order of
variables listed in this array is defined according to the PHP
variables_order configuration directive.
I am new to PHP.
I need a help regarding the methods of extracting DB name and table name from the given URL name.
For example, let's say, I have an URL like the one below:
/test.php?db=...&table=.../
How to extract the DB name and table name from this URL using PHP and use the result for other query purposes.
If you mean how to parse an existing URL for it's parameters:
parse_url() and parse_str() will help you strip the components of the url. You will primarily be looking at the following
$elements = parse_url($url);
$kvps = $elements->query;
$db = parse_str($kvps['db']);
$table = parse_str($kvps['table']);
But, if you mean how to GET variables from the current page before render:
<?php
$dbname = $_GET['db'];
$tablename = $_GET['table'];
?>
And yea, there are major security risks involved in opening up 'direct' access to your database this way. Best to obfuscate / encapsulate / wrap your functions in tasks like index.php&addUser=tim instead of index.php&insert=tim&db=boofar&table=users&dbuser=root&dbpassword=secure.
If you're just learning, what you're doing is fine, as long as you realize why it's wrong. If you're coding for production, you really need an alternate solution.
There are two ways to pass variables or data to another page.
GET (via the URL)
and
POST (usually a form submission)
You can alway get via
$_GET
http://php.net/manual/en/reserved.variables.get.php
or
$_POST
http://nl.php.net/manual/en/reserved.variables.post.php
Is it possible once I have retrieved a userid from a MySql database, for example, $userID, to then use that as a parameter in a HTML link, for example;
<href="http://www.site.com/?110938">
Thanks.
In PHP, anything you echo is sent to the browser. So you can simply echo that variable.
echo $userID;
Or to put it in the link:
<href="http://www.site.com/?<?php echo $userID ?>">
Of course that means you're trusting that $userID will contain valid data (and not some malformed HTML attempting to break your site and ruin your user's lives).
If it should always be a number, you can keep out potential bad data by forcing it to be an integer:
<href="http://www.site.com/?<?php echo (int) $userID ?>">
I believe what you are looking to do is use the GET method of retrieving data.
The GET method (as opposed to post) pulls all of the parameters out of the URL. For example, lets take a google maps search url:
http://maps.google.com/maps?q=Empire+State+Building,+NY&hl=en
Let us break down this URL:
http://maps.google.com/ - this is the location of the script
maps? - Maps is the name of the file that contains the script (if
they are using PHP); notice, there is a ? in the URL, indicating
that the GET method is being used. All information after the ?
pertains to the GET data.
q=Empire+State+Building,+NY& - this portion is the first GET
variable. They have decided to use the letter q as the name of
their GET variable, and the value is Empire+State+Building,+NY. The
& indicates that another variable will be specified.
hl=en - this is the second variable in their query.
If they were to use PHP to read these parameters, they would use the following code:
$var1 = $_GET['q']; //Has value Empire+State+Building,+NY as string
$vars = $_GET['hl']; //Has value en as string
If you wanted to have your user's ID be in the URL, and use that to interact with the database, the easiest way would be to use GET, such that your URL would look like this:
www.example.com/example.php?id=45828
Then in your script, you would use the following code to access that data and query the database with it:
$userid = $_GET['id'];
$query = "SELECT * FROM users WHERE userid=$userid;";
$query = mysql_escape_string( $query );
mysql_query( $query );
just pass the variable like <href="http://www.site.com/?var_name=<?php echo $userID;?>">
I'm creating a script on my main server and will use js/html to call it as an image source, passing the current tumblr page's referrer variable so I can integrate my blog's stats into my main stat-tracking db.
Anyone who looks at the source, of course, will be able to see that this script can accept a url variable via get. I'm not much of a security wonk, but I'm using the following checks on the input to this var, currently:
$previous_referrer = htmlspecialchars($_GET['ref']);
if (filter_var($previous_referrer, FILTER_VALIDATE_URL) && strpos($_SERVER['HTTP_REFERER'], $tumblelog_url)!== FALSE)
I'm guessing it isn't this simple. What other checks should perform to lock it down against injection attacks?
For inserting data safely in a database :
1) Before inserting in DB
Filter data :
Does my data had the expected type/patern (email,url ....)
The main purpose of filtering in first is to avoid processing useless data
Prevent from sql injection :
if inserting a number use function like intval(),floatval()
if inserting string use function like mysql_real_escape_string (for mysql only) or prepared statement.
2) After insertion , before display
Prevent Xss by using function like htmlspecialchars() or htmlentites().