I'm all in a security funk right now so I'm going through making everything as secure as possible. I got a login going and I'm referencing this:
http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/
The first example is that of a login and if you say ?authorization=1 you get in. But if I wrap my code around a if($_POST) then the user MUST make a post. Can a user fake a $_POST? How do I go about faking a $_POST?
A user can simply create a file on their local machine with:
<form action="http://yoursite.com/login.php" method="post">
<input type="text" name="username" value="hahaha faked it!" />
<input type="text" name="password" value="hee hee you can't tell this is fake" />
<input type="submit">
</form>
and boom, "fake" post. In other words, you have to assume that anything and everything the user sends is potentially fake.
Two ways, make a curl request, or actually set the post variable on top of the php. E.g:
$_POST['var'] = "WHAT I WANT";
Yes they can.
With cURL and other HTTP clients, anybody can fake this.
Watch this
<form method="post" action="http://yoursite/index.php">
<input type="text" name="authorization" value="1" /><input type="submit">
</form>
Then user saves this as .html in their computer, opens in theirbrowser. Then posts the form.
You can use cURL in PHP to POST like so:
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch,CURLOPT_POST, 1);
curl_exec($ch);
curl_close($ch);
The $_POST superglobal variable is populated from the query string that's contained in the body of an HTTP POST request. Since the user/client is the one who initiates the HTTP (POST & others) requests to the HTTP server, then yes - the client can "fake" a $_POST array's values & keys.
Refer:
POST (HTTP) # wikipedia.org
Methods GET and POST in HTML forms - what's the difference?
Tamper Data - Firefox add-on # addons.mozilla.org
In whatever page where the HTML is. Do this very first thing.
<?php
session_start();
/** Generate some random numbers */
$wipit = rand(0,999999999);
/** Store the WIPIT Generators value in the SESSSION */
$_SESSION["WIPIT"] = $wipit;
?>
And do this in whatever page you are doing the POSTING validation and other things.
<?php
session_start();
/** Check for the REQUEST TYPE and SESSION WIPIT */
if( isset( $_SERVER['REQUEST_METHOD']) == "POST" and isset($_SESSION["WIPIT"]) and !empty($_SESSION["WIPIT"]) ){
/* Rest of your code goes here... */
}
?>
...yes a user can "fake" a post (whatever that means). Try tamper data on for size.
If your website has the problem of not escaping all text properly, it is an XSS weakness that can be exploited by a third party by injecting a (javascript-)script into the page which can use AJAX to send post requests with the users cookies and authority, with the least worst effect being that it could for example log out the user.
Related
Below is my code using curl and it's not really redirect like HTML form :
$curl = new \Curl\Curl();
$curl->setHeader('Content-Type', 'application/x-www-form-urlencoded');
$curl->setOpt(CURLOPT_FOLLOWLOCATION,true);
$curl->setOpt(CURLOPT_POST,true);
$curl->setOpt(CURLOPT_RETURNTRANSFER,true);
$curl->post('http://localpay.sample.test/make-payment',$params);
Hi guys,above are the sample code that I made using php package : curl/curl ,
but don't worry,I'm looking forward for any answer,answer using pure curl also can and any other answer also can as long it's working with php language.
What I'm trying to achieve is how to do an API call works exactly the same like HTML form. Why I want to achieve this ? because in the HTML form we need to click the submit button,I know javascript can do the trigger but I'm trying to build my own package with totally back-end language.
I already tried search for the questions on the internet, but none was what I expected.
And below is my simple html form and it does redirect to the desired url :
<form id="payment_confirmation" action="http://localpay.sample.test/make-payment" method="post"/>
Payer ID : <input type="text" name="payer_acc_id"><br>
Payee ID : <input type="text" name="payer_acc_id"><br>
<input type="hidden" name="signature" value="somePhpFunction()">
<button type="submit" value="Submit"> Submit</button>
</form>
Above is the sample working HTML form and it's redirect to that action url path but in curl I fail to achieve it, so how do I achieve this by using curl or any other ways also can.
setting the Content-Type header does not dictate which format curl will use to send the post data. if you give CURLOPT_POSTFIELDS an array then curl will send the data using the multipart/form-data format, regardless of what you put in the Content-Type header. most likely your curl code sends the data in the Multipart/form-data format and $params is an array, and because you tell the server this is application/x-www-form-urlencoded, the server ties to parse the multipart/form-data data as application/x-www-form-urlencoded,
(which is a completely incompatible format), and doesn't understand the data at all. if you want to convert an array of post data to the application/x-www-form-urlencoded-format, use the http_build_query function, eg
$curl->post('http://localpay.sample.test/make-payment',http_build_query($params));
I found the answer for POST redirect using curl :
$params = ['payee_id' => 1 , 'amount' => 300];
$curl = curl_init('http://someurl.com/silent/pay');
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($params));
curl_exec($curl);
curl will follow the redirect for POST method, if you guys want more explanation,go here.
you can find a similar question here PHP Post Request inside a POST Request but this is not working in my context.
I have a form (reservation form for a tour website) and when the form is submitted, the values are processed in a script like validation and calculation of values and sending email.
after processing the variables, i want to send it to a page for payment and this page will post payment details to paypal.
My question is after the reservation form is submitted, after processing values retrieved from reservation from, how can i redirect the page in such a way that the variables will be passed as post variables. (I am not looking from response from the other form, i want to redirect to the other form).
To create a POST request, open a up a TCP connection to the host using fsockopen(), then use fwrite() on the handler returned from fsockopen() with the same values you used in the header functions in the OP. Alternatively, you can use cURL.
<?php
if(isset($_POST['Name'])) $Name = $_POST['Name'];
if(isset($_POST['Email'])) $Email = $_POST['Email'];
if(isset($_POST['Message'])) $Message= htmlentities($_POST['Message']);
$Curl_Session = curl_init('http://www.yoururl.com/script.php');
curl_setopt ($Curl_Session, CURLOPT_POST, 1);
curl_setopt ($Curl_Session, CURLOPT_POSTFIELDS, "Name=$Name&Email=$Email&Message=$Message");
curl_setopt ($Curl_Session, CURLOPT_FOLLOWLOCATION, 1);
curl_exec ($Curl_Session);
curl_close ($Curl_Session);
?>
Where $Message would be your variables.
EDIT: i answered this long ago maybe i did forget to reference from php.net but here is the link per comment http://www.askapache.com/htaccess/sending-post-form-data-with-php-curl.html as Reference
You can't. HTTP makes no provisions for redirecting with anything in the request body (which is where POST data goes). You can only redirect with a GET request. So the typical way to do this is to take the user to a second page that has a button to "Continue to PayPal", or something of that nature. That button POSTs all the data to PayPal as normal.
For what it's worth, if this is for the PayPal "Buy Now" button, they actually (even if not documented) allow sending all those form variables in the GET request, via the URL. We do this in one of our applications where we "track" the start of the payment process and then redirect to a PayPal URL containing all the form fields as a query string, then "complete" the transaction as the user returns.
Well, I suppose that if you are talking about keeping data in your own website between pages you need to use PHP's session functions
To start the session just do session_start();
and to add session vars just use the superglobal array $_SESSION['myvar'] = $value;
you can then read them through the same means print_r($_SESSION[]);
However if you are talking about sensing data with the paypal API I highly recommend looking at their developer API manual.
Hope that helps,
RayQuang
I have a html form with action="script1.php"
In script1 I need write all data to the database and redirect to
script2.php, but I need all parameters posted to script1 to be sent to script2.
mod_rewrite is on
How I can redirect using PHP with all data come through POST ?
if i do like that this disgusting practice but
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
<!--
function Search(){
wpc_form.submit();
}
// -->
</script>
</HEAD>
<BODY onload='Search()'>
<form name=wpc_form method="post" action="/script2/">
<?php
foreach($_REQUEST as $name => $value)
echo '<input type="hidden" name="'.$name.'" value="'.$value.'">'
?>
</form>
Impossible.
But you don't need it. Because you have all this data already. Just read it from the database in script2.php
A redirect doesn't allow you to do this unless you have custom client-side code running in the browser to extract state from the response message body in order to populate your form fields. This is advanced usage and probably not what you really want to do.
If you really do need to transmit state between your forms then you can use the session to do this. The form in the browser won't have access to the data, but your PHP script running on the server can store values between requests. Here's a link to a tutorial on sessions in PHP which might be of use to you. This approach is often used for maintaining application state between requests and redirects to third-party services such as OpenID providers etc.
You can use the cURL library (or similar) to send a separate POST request from your local script to the external service.
// assemble data from your post here:
$data = array('formfield' => 'data', 'otherfield' => 'otherdata');
// and then send it off somewhere else
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://somewhere.else');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
I ran into an interesting issue today when I was working on an application I'm developing. Hopefully someone knows why this is happening / how to adjust my work flow for it!
Background:
I'm writing an application that helps students at universities get in touch with each other. The basic workflow is as follows:
User registers for the service
The application uses CURL to poll the university directory for their name
Store their contact info in a database table
My test site is the Rutgers University directory (http://www.acs.rutgers.edu/directory)
I can access the service fine through my browser (Posts to http://www.acs.rutgers.edu/pls/pdb_p/Pdb_Display.search_results), but if I try to post the same information via CURL, I get a 404 error.
Note: I get the same error if I open that url directly from a browser and don't use their form to submit the data.
Code:
Here is the code they use on the directory site:
<fieldset>
<legend>Search For People</legend>
<div style="width:50%;margin-left:auto;margin-right:auto;">
<form method="post" action="http://www.acs.rutgers.edu/pls/pdb_p/Pdb_Display.search_results" name="thisform" onkeyup="highlight()" onclick="highlight()">
<p>
<label for="p_name_last">Last Name: [Required]</label><br>
<input tabindex="1" accesskey="L" class="required" type="text" id="p_name_last" name="p_name_last" size="25" maxlength="23">
</p>
<p>
<label for="p_name_first">First Name: [or initial]</label><br>
<input tabindex="2" accesskey="f" type="text" id="p_name_first" name="p_name_first" size="25" maxlength="23">
</p>
<input tabindex="3" type="submit" value="Search">
</form>
</div>
And here is the code I am using to CURL the service:
<?php
$p_name_last = "doe";
$p_name_first = "";
$curlPost = 'p_name_last=' . urlencode($p_name_last) . '&p_name_first=' . urlencode($p_name_first) . '&SUBMIT=Search';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://www.acs.rutgers.edu/pls/pdb_p/Pdb_Display.search_results');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);
if( ! $result = curl_exec($ch))
{
trigger_error(curl_error($ch));
}
curl_close($ch);
echo "<pre>";
print_r($result);
?>
Any thoughts or suggestions would be greatly appreciated!
Thanks,
Mike
Web servers can choose what response to send after processing the request. That'll be why you are seeing the 404 - there's a resource there but it's responding in a unintuitive manner.
Anyway, I can post with curl to this page and get a response;
curl http://www.acs.rutgers.edu/pls/pdb_p/Pdb_Display.search_results --data-urlencode p_name_last=test --data-urlencode p_name_first=test
If I post with your SUBMIT=... param I get a 404. Try it with just the two name parameters.
Update: in fact, you can send just the last name parameter so long as the first name parameter is present - the first name parameter can be empty.
The problem seems to be that the form's input element
<input tabindex="3" type="submit" value="Search">
contains no name attribute, hence is not sent along in the POST data in the form SUBMIT=search, or at least it shouldn't be, according to http://www.w3schools.com/tags/att_input_name.asp, where it is stated that
"Only form elements with a name attribute will have their values passed when submitting a form."
I suppose your attempt resulted in a 404 response because the script accepting your request never expects a SUBMIT variable, and that's why the accepted solution works.
check your browser proxy setting.
I had the same problem. It turned out it was caused by my proxy setting, which directed the request to the proxy server.
Indeed page http://www.acs.rutgers.edu/pls/pdb_p/Pdb_Display.search_results do not exists.
You have redirection to New Address: http://eas.rutgers.edu, browser can follow redirection but CURL might have a problem with it.
The web page you are trying to reach has moved!
New Address: http://eas.rutgers.edu
Please remember to update your bookmarks.
This page will automatically redirect in 10 seconds.
If redirect fails, click http://eas.rutgers.edu to continue.
The web page you are trying to reach has moved!
New Address: http://eas.rutgers.edu
Please remember to update your bookmarks.
This page will automatically redirect in 10 seconds.
If redirect fails, click http://eas.rutgers.edu to continue.
I have a website in which I have a several php forms that I would like to fill out with auto generated content (for the purposes of exercising different content the user could submit). I would like to write a client side application that enables me to do so.
Is there any way either using webtoolkit, java script etc of doing this?
If you are already familiar with php, why not use php on the "client side" as well? You can use the Client URL package to submit POST data to a web form. Example:
<?php
$ch = curl_init();
$data = array('name' => 'phpnoob', 'address' => 'somewhere');
curl_setopt($ch, CURLOPT_URL, 'http://localhost/url/to/your/php/form.php'); // use the URL that shows up in your <form action="...url..."> tag
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
?>
It would probably be better, more stable and more efficient to mock a submission by sending data directly into your application. PHPUnit is a great framework for unit testing PHP applications.
But yes, it would be possible to write a client side submission too. You could also write Selenium tests, which use JavaScript to interact with your page.
if you name your form using the id attribute, you can call the javascript function
document.myform.submit();
where myform is the name of that form.
You could have an onload event attached to the body element which would submit the forms automatically.
<body onload="document.form1.submit();document.form2.submit();">
<form id="form1" action="url" method="post">
</form>
<form id="form2" action="url" method="post">
</form>
</body>
Of course this would be completed better using jQuery or another API.
IF you are php programmer then you might not want any javascript answer. the best solution to this is
1.USE A PROXY like paros or HTTP analyser they will give u the insight how site's form is structued
2.notE down the forms POST OR GET VALUE and their SYNTAX FROM THE HTTP analyzer or paros proxy.
read this tutorial it is the best tutorial out there
http://www.html-form-guide.com/php-form/php-form-submit.html
4.change the content of $_post or $_get according to their structure which you have noted down in
paros or HTTP analyser