I have a form with an input field that accepts url.
Everything works fine until someone tried submitting a url with url encoded elements. The url looks something like that
http://example.com/a=xx&b=%23yy
I am receiving this string as http://example.com/a=xx&b=#yy
Even before any form verification, $this->input->post('url') decoded the url encoded elements. I need to receive it exactly as entered.
I tried with a regular and multipart form.
Any idea what is causing that?
Did you put XSS filtering to TRUE globally in application/config.php?
$config['global_xss_filtering'] = TRUE;
If so you can disable the filtering by setting the optional parameter like this:
$this->input->post('url', FALSE)
Also check to see if the "Allowed URL Characters" in application/config.php is sane.
I would also play around with URLEncode/decode both client- and serverside.
Maybe CodeIgniter's input class have some magic in it. Try to print_r your $_POST directly. Does that url get unaffected there?
Related
I have a URL with a query param like: www.example.com?src=%27};alert(1);a={%27%27:%27. I want to clean up the URL when the request gets made and return it to the browser without the javascript alert evaluating. By "clean up" I mean: remove html tags, invalid characters, and characters that can potentially evaluate in the user's browser.
This is what I'm thinking and please correct me if I'm thinking about this incorrectly: when the request is made, catch it in the middleware and then send back a cleaned up version of the query params (maybe redirect the user).
I'm not sure if PHP supports this? I thought I could override the query params in $_GET and assign the src param with the cleaned up value but that doesn't seem to be working. I've also tried overriding $_SERVER['QUERY_STRING'] but that also doesn't work.
What's the best way to handle something like this in PHP?
I have a listing with some filters which are applied on form submit, using GET as form method. So after submit, I get a url that looks like:
/listing?filter_1=a&filter_2=&filter_3=c
Notice that filter_2 is empty. How can I avoid showing it in the URL in this case? I would only need the URL to be like this:
/listing?filter_1=a&filter_3=c
I would not mess with $_GET and I wonder what is the right way to do it with Laravel 4.
Thank you
During making of url, you need to check the value of variables whether it has empty or null or have some value. Then add those varibale into the url, so that your url will be clean.
to achive this you will be required to use Laravel - pretty URls functionality and make some changes in Route::get function to remove empty parameters while construction url.
I'm kind of a noob at this stuff.
But I've been browsing around and I see sites that are kind alike this
www.store.com/product.php?id=123
this is really cool. but How do I do it?
Im stuck using something like this
www.store.com/product/product123.php
If you could tell me how I can go about do this it would be awesome!
What you're looking at is a $_GET argument.
In your PHP code, try writing something like this:
$value = $_GET['foo'];
Then open your page like this:
hello.php?foo=123
This will set $value to 123.
You need to use the $_GET here.
if you use the following:
?id=123
then this will be how to use it and the result
$_GET['id'] (returns the 123)
You can use as many $_GET arguments as you need, for example:
?id=123&foo=bar&type=product
$_GET is an array of what parameters are in the url, so you use it the same way as an array.
Create a file called product.php with this code:
<?php
echo "The argument you passed was: " . $_GET['id'];
?>
Now run this URL in your browser:
http://<yourdomain>/product.php?id=123
and you will understand how $_GET works.
Those are called URL parameters (what they're contained in is called a query string), and they're not unique to PHP but can be accessed in PHP using the $_GET superglobal.
Similarly, you can get POST parameters using the $_POST superglobal, though in POST requests, these parameters are not appended to the URL.
Note: Generally, for usability purposes (and thus also SEO purposes), you want to avoid using query strings as much as possible. These days, the standard practice is to use URL rewriting to display friendly URLs to the user. So your application might accept a URL like:
/products.php?id=32
But the user only sees:
/product/32
You can do this by using mod_rewrite or similar URL rewriting capabilities to turn the friendly URL into the former query string URL internally, without having the user type out the query string.
You might want to have a look at the documentation at www.php.net, especially these pages: http://www.php.net/manual/en/reserved.variables.php
Specifically, have a look at $_GET and $_POST, which are two frequently used ways to transmit information from a browser to the server. (In short, GET-parameters are specified in the URL, as in your question, while POST-parameters are "hidden from view", but can contain more data - typically the contents of forms etc, such as the textbox you posted your question in).
I'm using Zend Framework and it has a controller formatted to be accessed like this: url/search/Steve where Steve is a $_GET variable(name=keyword). It parses it correctly.
Now, the big question is: how can I have an url like that after the form is submitted? Instead of having ?keyword=Steve.
Thanks
have a look at the getParam method for Zend_Controller_Request
Something like this...
$var = Zend_Controller_Request::getParam('keyword');
$url = 'url/search'.$var;
If you var_dump($var) in between the two lines of code above you can test what values your application is returning.
This is all part of Zends Request object
Remember you can still use the $_GET superglobal with zend so the above becomes
$var=$_GET['keyword'];
$url = 'url/search'.$var;
I'm unsure of what you really want to have done.
If you have forms then what you should do in your case is to put method="POST" so that the fields don't end up in the URL at all in your case.
Or you need to do some JavaScript trickery to change the action="" of the form whenever the field you mention is changed. However, I've found this to be a bit unreliable as some browsers doesn't really like this for some reason.
Or, perhaps better, you could do a redirect after the form is submitted, where you redirect to the new "prettier" URL.
It all depends on your purpose.
I have a html form that his action is for "exmaple.com/mail.php?name=dan" for example.
How can I pass this parameter to Codeigniter's controller?
the 'action' in codeigniter is going to - example.com/mail, can't I do exmaple.com/mail?name=dan, right? so what can I do? (And.. I can't use Ajax for this :-))
There are several solutions. You can do it like this $name=$this->input->get("name"), but if you want to preserve the Codeigniter's philosophy you can use Javascript to change the action url of the form to /mail/dan. In that case you can access the data with this: $name=$this->uri->segment($number). $number in your case is 2, becouse "dan" is in the second URI's segment.
NOTE: If you use the second aproach, keep in mind that codeigniter's default behaviour is to automatically call controller/method from first and second segment of URI. (http://domain.com/controller/method ) In order to prevent this behaviour you can edit application/config/routes.php file. For detailed instructions refer to oficial guide.
You can emit the GET parameter as a hidden input element, i.e.:
<input type=hidden name="name_of_parameter" value="value_of_parameter" />
HOWEVER, there are two very important things to keep in mind when doing this:
You absolutely MUST sanitize the CGI argument that you are going to emit on the page (failure to do so can result in XSS vulnerabilities).
As with any other parameter, you cannot trust that this value has not been altered (so, don't use 'name=dan' to authenticate dan!).
Since I'm inferring from your example that you are using this to identify and authenticate the user, I strongly recommend you use a browser cookie for this (as well as a digital signature that encodes the checksum of this data, so that if it is altered, you can easily identify that it is invalid).
You should also set querystring variables to true:
In your CodeIgniter config;
$config['enable_query_strings'] = TRUE;
But keep in mind that this changes the way your codeigniter app behaves. See more here
Why can't you simply add a hidden field inside that HTML form and send it along with the form as POST data?
<input type="hidden" name="name" value="dan" />
Of course you would replace the value part dynamically with whatever value you currently have.