I am trying to store any and all variables sent to the site in a single variable (just for logging purposes.)
So if a user goes to www.mysite.com and put on a ?id=4&auth=230984721839
I want to grab both of those GETs and store them in a variable such as $gets
I was trying:
$gets = print_r($_GET);
$posts = print_r($_POST);
But it did not work. Is this even possible? I don't want the user know I am capturing these.
I would also like to grab POSTs too!
You can add a flag to print_r to tell it to return the result instead of outputting it.
$gets = print_r($_GET, true);
$posts = print_r($_POST, true);
However, you may want to look into serializing the associative array instead.
Update
Based on your comments on your question I suppose you really want:
$gets = $_SERVER['QUERY_STRING'];
$posts = file_get_contents('php://input');
If you want both $_GETand $_POST as query strings, you can do this:
$gets = http_build_query($_GET);
$posts = http_build_query($_POST);
$_SERVER['QUERY_STRING']. See this.
This will give you unparsed query, so you can catch any invalid URLs which might be useful for logging purpose.
First of all, you might appreciate that all the parameters, both GET and POST ones, are collected in $_REQUEST.
Second, don't use print_r. That will print the variable out, and not give you any sensible result. Instead, just say
$params = $_REQUEST;
If you want the raw data, then you can get it as in #MichałŠrajer's answer (GET) and comment (POST). So,
$get = $_SERVER['QUERY_STRING'];
$post = file_get_contents("php://input");
By this code you can get any POST or GET values and then -maybe- put them into array for later use
foreach ($_REQUEST as $key => $value ) {
##Do what you want here - may be push values into array here
}
For storing purpose there is another possibility, and it is to serialize the $_GET array.
$data = serialize($_GET);
And then you store $data in your database.
For example, if your get string is ?foo=bar
you get this string a:1:{s:3:"foo";s:3:"bar";}
You can ever deserialize it with unserialize($data);
Related
I have a general question. I wrote the below code to add an array of arrays to the $_POST variable. I know the post variable is an array too. So, after adding my multidimensional array to the post variable one by one, I tried to print_r the data to view it but, only one array would print out.
why is it that only one array would print out?
$x = 0;
for($x; $x < count($return_auth); $x++){
$_POST = $return_auth[$x];
}
print_r($_POST);
Although nerdlyist answer is absolutely right, but I think it is not the right way, in short, you are modifying $_POST variable and since $_POST variable has a meaning attached to it that it contains all the parameters sent in that POST request. If you overwrite it that change will be affected throughout your application and other modules running in your application will see an additional post parameter which is not actually sent in that request in $_POST array which is not right IMO.
What you are doing is overwriting post. Based on what you have here you could do something like this:
$_POST[return_auth] = $return_auth;
Unless you have a reason to loop an array to create an array...
use this in your for loop
$_POST[] = $return_auth[$x];
Edit
this will work better
$_POST['something' . $x] = $return_auth[$x];
now you can access to (foo) for example
$_POST['somethingfoo'];
Is there no way of submitting a serialized parameter without ajax?
I want to access, like, an json encoded parameter when I process the POST from the form, something like: $params = json_decode($_GET['params']);
Any ideas, besides iterating each input and append it to a hidden one that will contain all parameters in an encoded form, ?
Update
I'm using codeigniter, so I would rather do something like
$search = json_decode($this->input->get('params'));
updateName($search['name']);
updateGender($search['gender']);
Than
updateName($this->input->get('name'));
updateGender($this->input->get('gender'));
Not sure if I am missing something here but you can only do a json_decode() on a json object/array.
$this->input->get() will return the whole $_GET array AS A PHP ARRAY, so you dont need to do anything JSON'ick with it to be able to use it as an array.
so would this not do what you want?
$search = $this->input->get();
updateName($search['name']);
updateGender($search['gender']);
If you want to pass it through the XSS filter first just use
$search = $this->input->get(NULL, TRUE);
I am having a little trouble with the print_r function. Undoubtedly something I am misunderstanding in its operation... Basically, I have an array of objects in a class like so:
public $fields = array();
Assigned like so:
$oField = new Field();
/* property assignments to $oField omitted for brevity */
$this->fields[$i] = $oField;
Now in the primary class, I am attempting to capture debug information:
$this->debuginfo = print_r($this->fields, true);
When outputting the value of $this->debuginfo, it simply says "Array" - basically not exploding the array. If I do a regular print_r($this->fields);, it gives the expected results.
This is my first time attempting to use print_r with it returning results versus outputting to the screen so I am sure I am just missing something, but in reading the php documentation, this is how it would seem to be implemented. What am I missing?
Thanks for any assistance!
Update:
print_r($var, true) does indeed return the "exploded" variable properly as I had it written. Thanks to dev-null for their comment which gave me some food for thought that lead me to my problem.
Try var_export() instead. var_export() gets structured information about the given variable.
example:
$this->debuginfo = var_export($this->fields, true);
Reference: http://php.net/manual/en/function.var-export.php
It may sound strange, but in my PHP application I need to check if the same variable name has been declared more than once in the query string or POST variables, and return an error value if this is the case. If my application doesn't return an error in this case, it fails a compliance check.
When accessing vars using $_GET, $_POST, etc, PHP only returns the last value given for each variable name. I can't find a way to tell if any variable appeared more than once.
I simply need to find out if the query string or the variables in the POST body contained the same variable name more than once, whatever the values.
Example
My application is supposed to return an error for this query string:
verb=ListIdentifiers&metadataPrefix=oai_dc&metadataPrefix=oai_dc
Note that "metadataPrefix" is defined twice.
My application should not return an error for this query string:
verb=ListIdentifiers&metadataPrefix=oai_dc
POST Requests
$input = file_get_contents('php://input');
(Or $HTTP_RAW_POST_DATA (docs))
GET Requests
$input = $_SERVER['QUERY_STRING'];
Processing
explode('&', $input) and maintain an array - $foundKeys - of keys (the part of each item from explode() before the = character). If you hit a key already defined in $foundKeys, throw the error.
For GET data, check out $_SERVER['QUERY_STRING']. But for POST data, you'll need to read the raw POST data from the php://input stream.
So something like this:
// GET data:
$raw = $_SERVER['QUERY_STRING'];
// Or for POST data:
$raw = file_get_contents("php://input");
if (substr_count('&'.$raw, '&metadataPrefix=') > 1)
die('Error');
print_r($raw); //post vars
PHP $_POST will always set only one value per variable unless the request variable name ends with [].
If you have no control over the variables that are sent, you may try using $_SERVER['RAW_HTTP_POST_DATA'] to get the original POST request data before parsed, then you can use the parse_str() function to parse that string.
Just be careful that PHP configuration may have disabled setting the RAW_HTTP_POST_DATA value. In that case, you cannot do anything to solve your problem.
Not completely foolproof but this might work
$occurrences = substr_count($_SERVER['QUERY_STRING'], 'metadataPrefix=');
If you expect multiple values named the variable with square brackets in the end. This way you get an array for that variable. If multiple values are set, the array will have multiple entries.
<input type="checkbox" name="my_var[]" value="a">
<input type="checkbox" name="my_var[]" value="b">
$_POST['my_var'] will be an array with either 'a' or 'b', both, or none depending on the checkboxes used.
I'm new to OOP and want to revamp this function to get rid of using globals.
function CatchListing() {
$parseform = array('itemnum','msrp','edprice','itemtype','box','box2','box25','box3','box4','box5','box6','box7','itemcolor','link');
foreach ($parseform as $globalName) {
$GLOBALS[$globalName] = mysql_real_escape_string($_POST[$globalName]);
}
}
I was told to use array_map & then extact, but I am not sure of how to structure this.
function CatchListing() {
$_POST['listing'] = array_map('mysql_real_escape_string', $_POST);
$nst = extract($_POST['listing']);
}
(listing is the form name btw)
Thanks
Be VERY careful about using extract with externally inputted values as from $_GET and $_POST.
you're much better off extracting the values manually to known values.
It's far too easy for an extract from _GET or _POST to clobber existing variables.
There are so many things to say and Jonathan makes a very good start. Every time the user has the opportunity to play with your internal data and you don't check them, there is a huge "opportunity" (depends on the view..) that something goes wrong. Here is another approach on how to "maybe" get where you want to go:
<?php
function Sanitize($string){
return mysql_real_escape_string(trim($string));
}
function CatchListing(){
foreach($_POST as $key => $value) {
$key = Sanitize($key);
$value = Sanitize($value);
if($key && $value && !$GLOBALS[$key]){ /* prevent overwriting existing globals*/
$GLOBALS[$key] = $value;
}
}
}
global $nice;
$nice = "working";
CatchListing();
print_r($GLOBALS);
?>
To be honest, it still has not really anything to do with OOP and furthermore should be seen as a procedural approach. Personally I would use an additional and reusable function to "sanitize" the input, because you never know, if someday you want to change your database or the "escape" function and then you exactly know where to look for possible changes. Ah one more thing: Are you certain that you don't know all the possible names of all the variables you have to expect? Maybe you can predetermine them and put them in another array and check each user supplied argument with in_array.
To completely get rid of the usage of globals in your code, and also to make it much better overall, you can do something along these lines:
stop using $_POST, as it's a superglobal. When code needs values from superglobals, pass them as parameters
don't store values into $GLOBALS. If you need to return more than one value, consider returning an object or an array
Here's how I think I would modify your code to improve it:
function CatchListings($listings) {
$filteredListings = array_map('mysql_real_escape_string', $listings);
//I assume you only need the values in the array in the original snippet,
//so we need to grab them from the parameter array and return only that
$requiredListings = array();
$requiredKeys = array('itemnum','msrp','edprice','itemtype','box','box2','box25','box3','box4','box5','box6','box7','itemcolor','link');
foreach($requiredKeys as $key) {
$requiredListings[$key] = $filteredListings[$key];
}
return $requiredListings;
}
To use this function, you simply do $result = CatchListings($_POST);. Same result, no globals used.
There is one thing to consider, though. It may not be best possible form to just pass a randomly filled array (ie. $_POST) to the function, and expect it to contain specific keys (ie. $requiredKeys array). You might want to either add logic to check for missing keys, or process the post array before passing it.