I have URL like this:
https://domain.com/myscript.php?par=<div>x12.l3 sdfa <div>
But when I make
var_dump($_REQUEST);
at start of my PHP script the parameter isn't listed (key "par" doesn't appear).
The value of par, is some html data including not escaped tags and spaces. Can this be the reason that par doesn't appear in var_dump ?
But when I run exactly the same script with same parameter in localhost:
https://localhost/myscript.php?par=<div>x12.l3 sdfa <div>
it works well.
I compared with tool both urls starting at "myscript.php", they match. So why I don't get the parameter on the server but in localhost?
Is maybe related to PHP configuration? It's the only thing I can think about that could be different.
Thanks in advance.
If you are using this script on a shared hosting server, or a server that someone else configured, then it is likely that there are some security measures in place to protect against GET variables such as the one you posted.
Measures could include mod_security, applicative firewalls and others.
Yes, it was different configuration of the server. In this specific case, allowed length of GET parameters (or URL, not sure).
change https://domain.com/myscript.php?par=<div>x12.l3 sdfa <div>
to https://domain.com/myscript.php?$par=<div>x12.l3 sdfa <div>
but $ before par.
hope this works :)
Related
I am trying to create a simple web service that will give a result depending on parameters passed.
I would like to use file_get_contents but am having difficulties getting it to work. I have researched many of the other questions relating to the file_get_contents issues but none have been exactly the situation I seem to having.
I have a webpage:
example.com/xdirectory/index.php
I am attempting to get the value of the output of that page using:
file_get_contents(urlencode('https://www.example.com/xdirectory/index.php'));*
That does not work due to some issue with the https. Since the requesting page and the target are both on the same server I try again with a relative path:
file_get_contents(urlencode('../xdirectory/index.php'));
That does work and retrieves the html output of the page as expected.
Now if I try:
file_get_contents(urlencode('../xdirectory/index.php?id=100'));
The html output is (should be): Hello World.
The result retrieved by the command is blank. I check the error log and have an error:
[Fri Dec 04 12:22:54 2015] [error] [client 10.50.0.12] PHP Warning: file_get_contents(../xdirectory/index.php?id=100): failed to open stream: No such file or directory in /var/www/html/inventory/index.php on line 40, referer: https://www.example.com/inventory/index.php
The php.ini has these set:
allow_url_fopen, On local and On master
allow_url_include, On local and On master
Since I can get the content properly using only the url and NOT when using it with parameters I'm guessing that there is an issue with parameters and file_get_contents. I cannot find any notice against using parameters in the documentation so am at a loss and asking for your help.
Additional Notes:
I have tried this using urlencode and not using urlencode. Also, I am not trying to retrieve a file but dynamically created html output depending on parameters passed (just as much of the html output at index.php is dynamically created).
** There are several folks giving me all kind of good suggestions and it has been suggested that I must use the full blown absolute path. I just completed an experiment using file_get_contents to get http://www.duckduckgo.com, that worked, and then with a urlencoded parameter (http://www.duckduckgo.com/?q=php+is+cool)... that worked too.
It was when I tried the secure side of things, https://www.duckduckgo.com that it failed, and, with the same error message in the log as I have been receiving with my other queries.
So, now I have a refined question and I may need to update the question title to reflect it.
Does anyone know how to get a parameterized relative url to work with file_get_contents? (i.e. 'file_get_contents(urlencode('../xdirectory/index.php?id=' . urlencode('100'))); )
Unless you provide a full-blown absolute protocol://host/path-type url to file_get_contents, it WILL assume you're dealing with a local filesystem path.
That means your urlencode() version is wrongly doing
file_get_contents('..%2Fxdirectory%2Findex.php');
and you are HIGHLY unlikely to have a hidden file named ..%2Fetc....
call url with domain, try this
file_get_contents('https://www.example.com/inventory/index.php?id=100');
From reading your comments and additional notes, I think you don't want file_get_contents but you want include.
see How to execute and get content of a .php file in a variable?
Several of these answers give you useful pointers on what it looks like you're trying to achieve.
file_get_contents will return the contents of a file rather than the output of a file, unless it's a URL, but as you seem to have other issues with passing the URI absolutely....
So; you can construct something like:
$_GET['id'] = 100;
//this will pass the variable into the index.php file to use as if it was
// a GET value passed in the URI.
$output = include $_SERVER['DOCUMENT_ROOT']."/file/address/index.php";
unset($_GET['id']);
//$output holds the HTML code as a string,
The above feels hacky trying to incorporate $_GET values into the index.php page, but if you can edit the index.php page you can use plain PHP passed values and also get the output returned with a specific return $output; statement at the end of the included file.
It has been two years since I used PHP so I am just speculating about what I might try in your situation.
Instead of trying fetching the parsed file contents with arguments as a query string, I might try to set the variables directly within the php script and then include it (that is if the framework you use allows this).
To achive this I would use pattern:
ob_start -> set the variable, include the file that uses the variable -> ob_get_contents -> ob_end_clean
It is like opening your terminal and running the php file with arguments.
Anyway, I would not be surprised if there are better ways to achieve the same results. Happy hacking :o)
EDIT:
I like to emphasize that I am just speculating. I don't know if there are any security issues with this approach. You could of course ask and see if anyone knows here on stackoverflow.
EDIT2:
Hmm, scrap what I said last. I would check if you can use argv instead.
'argv' Array of arguments passed to the script. When the script is run on the command line, this gives C-style access to the command line parameters. When called via the GET method, this will contain the query string. http://php.net/manual/en/reserved.variables.server.php
Then you just call your php script locally but without the query mark indicator "?". This way you can use the php interpreter without the server.
This is likely to be the most general solution because you can also use argv for get requests if I am understanding the manual correctly.
I'm designing a web application that can be customized based on which retail location the end user is coming from. For example, if a user is coming from a store called Farmer's Market, there may be customized content or extra links available to that user, specific to that particular store. file_exists() is used to determine if there are any customized portions of the page that need to be imported.
Up until now, we've been using a relatively insecure method, in which the item ID# and the store are simply passed in as GET parameters, and the system knows to apply them to each of the links within the page. However, we're switching to a reversible hash method, in which the store and item number are encrypted (to look something like "gd651hd8h41dg0h81"), and the pages simply decode them and assign the store and ID variables.
Since then, however, we've been running into an error that Googling extensively hasn't found me an answer for. There are several similar blocks of code, but they all look something like this:
$buttons_first = "../stores/" . $store . "/buttons_first.php";
if(file_exists($buttons_first))
{
include($buttons_first);
}
(The /stores/ directory is actually in the directory above the working one, hence the ../)
Fairly straightforward. But despite working fine when a regular ID and store is passed in, using the encrypted ID throws this error for each one of those similar statements:
Warning: file_exists() expects parameter 1 to be a valid path, string given in [url removed] on line 11
I've had the script spit back the full URL, and it appears to be assigning $store correctly. I'm running PHP 5.4.11 on 1&1 hosting (because I know they have some abnormalities in the way their servers work), if that helps any.
I got the same error before but I don't know if this solution of mine works on your problem you need to remove the "\0" try replace it:
$cleaned = strval(str_replace("\0", "", $buttons_first));
it worked on my case.
Run a var_dump(strpos($buttons_first,"\0")), this warning could come up when a path has a null byte, for security reasons. If that doesn't work, check the length of the string and make sure it is what you'd expect, just in case there are other invisible bytes.
It may be a problem with the path as it depends where you are running the script from. It's safer to use absolute paths. To get the path to the directory in which the current script is executing, you can use dirname(__FILE__).
Add / before stores/, you are better off using absolute paths.
I know this post was created on 2013 but didn't saw the common solution.
This error occurs after adding multiple to the file submit form
for example you are using files like this on php: $_FILES['file']['tmp_name']
But after the adding multiple option to the form. Your input name became file => file[]
so even if you post just one file, $_FILES['file']['tmp_name'] should be change to $_FILES['file']['tmp_name'][0]
I'm working with a very simple mock-up application to query a DB and display the results on a map. The application sends a GET httprequest to a server which returns a serialized array of value. The basic structure of the httprequest is:
httpRequest.open("GET","handle-query.php?query=" + queryJs)
and, on the other side:
$queryPhp = $_GET["query"];
When the query looks like this...
["SELECT%SUM(commit)%FROM%financialdata%WHERE%region='Centre'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%region='Kara'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%region='Maritime'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%region='Plateaux'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%region='Savanes'"]
...then it is passed to the server properly, and generates a response. However, when the query looks like this...
["SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Sotouboua'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Tchamba'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Tchaoudjo'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Assoli'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Bassar'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Bimah'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Doufelgou'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Keran'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Kozah'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Golfe'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Lacs'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Vo'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Yoto'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Zio'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Amou'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Haho'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Kloto'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Ogou'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Wawa'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Oti'", "SELECT%SUM(commit)%FROM%financialdata%WHERE%prefect='Tone'"]
...then the server receives an empty string. Both of the strings are generated by the same function, and both work perfectly on my virtual server (WAMP). If anyone has any ideas it would be greatly appreciated.
(P.S. After reading I realize that I should be using a framework with better sanitization, etc., but this is just a demo that will need to live online for maybe 2 hours, and it would be better to fix this small thing than start over. It works perfectly on my localhost.)
To actually answer your question, you're sending a get parameter as query (handle-query.php?query=) and then pulling it off as queryJS (queryJs).
$_GET['query'] // instead of $_GET['queryJs']
should do it.
(And as everyone has pointed out, don't send SQL in the clear or otherwise over the wire, unless you plan on not actually executing the SQL, and you just like to advertise your db structure, maybe it is that pretty.)
I'm trying very simple in PHP and not very sure what to search here or on google.
Problem is -
In PHP function I want to call/get a URL
http://www.example.com/message?Name=MyNameIsX
and like to read the return value (body) at this URL (which may contain "Your Name is MyNameIsX")
I tried
$data = file_get_contents($url)
This is timing out; although I'm able to open the $url in the browser.
Yes, file_get_contents normal use for files on this server and base on support and setting this perhaps is not allow.
See PHP CUrl http://php.net/manual/en/curl.examples.php or example
http://php.net/manual/en/curl.examples.php, http://php.net/manual/en/curl.examples-basic.php
You could use cUrl as suggested by FIG-GHD742 but I find the HTTP extension a lot easier to use. It's newer and has a neat OOP api.
Another method is that you can actually do an include/require with these, but it's generally a bad idea to do so if you don't control the source from which the data is coming
It sounds like you need to enable loopback calls on the server (self-calls). It would be better to get the data on the backend if you need it on the same server. Via a PHP API or calls to a database.
**
This will help you lot : http://php.net/manual/en/curl.examples.php
http://php.net/manual/en/curl.examples.php,
http://php.net/manual/en/curl.examples-basic.php
**
Yes the above answers is right. some hosting providers disable it for security purpose. You may also try fopen(php) if you are not looking for Curl way. Read documentation here http://php.net/manual/en/function.fopen.php
I wish to write the response of hitting a given url into the href attribute of an anchor tag using PHP. How can I do this?
Here's an example of what I excpect to happen
mylink.com/getdoc?name=documentA
returns a string as a response:
mylink.com/document2012-03-15.pdf
I need to write this response (using PHP into the href attribute as shown below:
Open Document A
(so the above will be the final source of my page.
I think there are a few ways to do what you want. Not all of them will work exactly as you ask for, but the end result should be the same.
Solution one
My first possible solution was already posted by #shanethehat. You could use file_get_contents to call your PHP script via HTTP and get the response.
Solution two
Another possible solution was suggested in the comments of the post by #YourCommonSense. You could simply include the getdoc script in the PHP script that is generating your HTML file, like this:
$_GET["name"] = "documentA";
echo " Open Document A ";
Solution three
Or you could change the way the getdoc script works. You could use a script more like this:
header("Content-type:application/pdf");
header("Content-Disposition:attachment; filename=\"{$_GET["name"]}\"");
readfile($_GET["name"]);
And you keep your link like this: Open Document A . When getdoc.php is called, it will get the specified file and start a file download.
NOTE: you should probably do some input sanitization with this method (removing slashes, making sure the file ends in .pdf, etc) to make sure someone doesn't try to get a file they're not allowed to get.
That's all I'm coming up with at the moment. There might be a more clever way to do it, but hopefully one of these solutions will do it for you. I would try solution 2 or 3 first, and if they don't work out for you, then go with solution 1.
<?php
//get output from URL
$myfile = file_get_contents('http://mylink.com/getdoc?name=documentA');
?>
Open Document A
How to write response to file using php
Noway.
PHP do not process HTTP requests.
You have to set up your web server to do the rewrite.
There are 100500 questions under mod_rewrite tag, you will find the solution easily.
Note that you may wish to rewrite your url to /getdoc.php?name=document2012-03-15.pdf, not one you mentioned in your question