Error 404 with jQuery Autocomplete JSON referencing external PHP file - php

I've been stuck on this problem for a while and I'm pretty sure it must be something quite simple that hopefully someone out there can shed some light on.
So, I'm currently using jQuery UI's Autocomplete plugin to reference an external PHP file which gets information from a database (in an array) and sends it to a JSON output.
From my PHP file (search.php) when I do this:
echo json_encode($items);
My output (when looking at the search.php file) is this:
["Example 1","Example 2","Example 3","Example 4","Example 5"]
Which is valid JSON according to jsonlint.com
The problem is that when I use jQuery UI's Autocomplete script to reference the external search.php file, Chrome just gives me the following error:
GET http://www.example.com/search.php?term=my+search+term 404 (Not Found)
I have tried inputting the JSON code straight into the 'Source:' declaration in my jQuery, and this works fine, but it will not read the JSON from the external PHP file.
Please can someone help?
Here's my code:
HTML
<p class="my-input">
<label for="input">Enter your input</label>
<textarea id="input" name="input"
class="validate[required]"
placeholder="Enter your input here.">
</textarea>
</p>
jQuery
$(function() {
    $( "#input" ).autocomplete({
        source: "http://www.example.com/search.php",
        minLength: 2
    });
});
PHP
header("Content-type: application/json");
// no term passed - just exit early with no response
if (empty($_GET['term'])) exit ;
$q = strtolower($_GET["term"]);
// remove slashes if they were magically added
if (get_magic_quotes_gpc()) $q = stripslashes($q);
include '../../../my-include.php';
global $globalvariable;
$items = array();
// Get info from WordPress Database and put into array
$items = $wpdb->get_col("SELECT column FROM $wpdb->comments WHERE comment_approved = '1' ORDER BY column ASC");
// echo out the items array in JSON format to be read by my jQuery Autocomplete plugin
echo json_encode($items);
Result
In browser, when information is typed into #input
GET http://www.example.com/search.php?term=Example+1 404 (Not Found)
Update: the real PHP url is here: http://www.qwota.co.uk/wp/wp-content/themes/qwota/list-comments.php?term=Your
Please help!
UPDATE: ANSWER
The answer to my problem has been pointed out by Majid Fouladpour
The problem wasn't with my code but rather with trying to use WordPress' $wpdb global variable, as (as far as I understand) it includes its own headers, and anything outside of its usual layout will result in a 404 error, even if the file is actually there.
I'm currently trying to get around the problem by creating my own MySQL requests and not using WordPress's global variables / headers.
PS. Majid, I'll come back and give you a 'helpful tick' once StackOverflow lets me! (I'm still a n00b.)

Are you sure the path source: "http://www.example.com/search.php" is correct?

You have to make sure that the target URL exists. If you are really using http://www.example.com/search.php then, well, it simply does not exist, so this is why it does not work.
Update
Since you have a real URL that's working (I tested it!), here are a few steps you can take:
Make sure there's no typo. If there's one, fix it.
Make sure you can open that URL from your browser. If you cannot, then you might be having network access problems (firewall, proxy, server permission issues, etc.)
Try redirecting to another known URL, just to make sure. The 404 error is really a "not found" error. It cannot be anything else.

I think the include is the issue. As Majid pointed out... use the below include instead.
include("../../../wp-load.php");
Good luck!
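As an added example (not the question's or the answer's code), this is how the search.php endpoint looks when loaded through wp-load.php as the answer suggests: wp-load.php only bootstraps WordPress, whereas wp-blog-header.php also runs the main query and sets a 404 status when the request matches no post or page. The relative path to wp-load.php and the comment_content column are assumptions for this theme layout.

```php
<?php
// Added example, not the question's or the answer's code. Loading WordPress
// via wp-load.php gives access to $wpdb without WordPress deciding the request
// is a 404. The relative path and the comment_content column are assumptions.
require_once __DIR__ . '/../../../wp-load.php';

// Accept only a short, non-empty term; answer 400 with an empty list otherwise.
$term = isset($_GET['term']) ? trim((string) $_GET['term']) : '';
if ($term === '' || strlen($term) > 64) {
    status_header(400);
    wp_send_json(array());   // sets Content-Type: application/json and exits
}

global $wpdb;
// Bind the term as a LIKE value with its own % and _ wildcards escaped, so the
// user's input never becomes part of the SQL text.
$like = '%' . $wpdb->esc_like(strtolower($term)) . '%';
$items = $wpdb->get_col(
    $wpdb->prepare(
        "SELECT comment_content FROM {$wpdb->comments}
         WHERE comment_approved = '1' AND LOWER(comment_content) LIKE %s
         ORDER BY comment_content ASC LIMIT 20",
        $like
    )
);

status_header(200);       // explicit 200 so no earlier status leaks through
wp_send_json($items);     // jQuery UI Autocomplete accepts a plain JSON array
```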

Your apache server is sending wrong headers. Here is a pair of request and response:
Request
GET /wp/wp-content/themes/qwota/list-comments.php?term=this HTTP/1.1
Host: www.qwota.co.uk
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __utma=142729525.1341149814.1305551961.1305551961.1305551961.1; __utmb=142729525.3.10.1305551961; __utmc=142729525; __utmz=142729525.1305551961.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response headers
HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 13:28:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.qwota.co.uk/wp/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 16 May 2011 13:28:31 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Response body
["Bake 'em away... toys.","Content precedes design. Design in the absence of content is not design, it\u2019s decoration.","Hanging on in quiet desperation is the English way.","I'm a reasonable man, get off my case.","Look at me, Damien! It's all for you!","Never get out of the boat... absolutely god damn right.","That gum you like is going to come back in style.","The secret to creativity is knowing how to hide your sources.","Things could be different... but they're not.","Your eyes... they turn me."]
So, even though you receive a response back from the server, it has HTTP/1.1 404 Not Found in the headers. Someone may be able to investigate this and provide a potential reason and solution.

Related

HTTP headers printed on top of page (Microsoft Edge)

The following 'code' is sometimes (randomly) printed on a webpage after refresh.
>HTTP/1.1 200 OK
>Date: Fri, 18 Mar 2016 09:05:03 GMT
>Server: Apache
>X-Powered-By: PHP/5.3.6-pl0-gentoo
>X-Frame-Options: DENY
>X-XSS-Protection: 1; mode=block
>X-Content-Type-Options: nosniff
>Expires: Thu, 19 Nov 1981 08:52:00 GMT
>Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
>Pragma: no-cache
>Keep-Alive: timeout=15, max=86
>Connection: Keep-Alive
>Transfer-Encoding: chunked
>Content-Type: text/html
>5
(the last number, 5 in this case, is random; the rest is constant.)
This is what I tried to solve this annoying 'bug?':
Removing HTML <head> contents
Removing HTML <body> contents
Removing AJAX (XHR) calls
Updating Smarty (engine that parses the templates)
PHP trim() around output to prevent unnecessary spaces before or after <doctype> and <html> tags
Killing almost all PHP code (this is too much to explain here, but since I stripped it down completely I am 99% sure it is not the server-side (PHP) code)
Looking for PHP functions that are able to print these headers (greps for headers_list, getallheaders, apache_request_headers, etc.)
Tried multiple pages, same results, no matter its contents.
My customer sees the same results on the Microsoft Edge browser.
Updated other components, like browser detection
Added PHP ob_start();
Validated HTML
Made sure to clean Javascript console errors (now clean)
Gave a go on WireShark for Windows, to look at what headers are received, but this was too difficult for me. (Should I retry?)
This problem sounds a lot like mine, but wasn't helping to fix mine: bugzilla DOT mozilla DOT org/show_bug.cgi?id=229710
Checked other Stack Overflow questions. Could not find a matching question/solution.
More, which I forgot :)
Notes:
The site is served over HTTPS with a valid certificate.
Here is the site link: https://www.10voordeleraar.nl
Attached screenshot links below.
The funny thing is, this only happens on Microsoft Edge, sometimes. It is behaving properly on all other browsers, so do my other sites.
Regards,
Laird
Screenshots:
Printed HTTP headers example on site top
Printed HTTP headers example in DOM inspect

How to prevent CRLF injection (Http response splitting) in php

I did R&D on prevention of CRLF injection in PHP, but I didn't find any solution in my case, as I'm using the Burp Suite tool to inject some headers using CRLF characters like the below.
// Using my tool I put CRLF characters at the start of my request URL
GET /%0d%0a%20HackedHeader:By_Hacker controller/action
//This generates an header for me like below
HackedHeader:By_Hacker
So I can modify all headers by doing just like above.
This tool is just like a proxy server, so it catches the request and gives the response, and we can modify the response in the way we want.
So I'm just modifying the response by injecting some headers using CRLF characters. Now the server responds to this request by injecting the CRLF characters in the response.
I'm just worried as header fields like Pragma, Cache-Control, Last-Modified can lead to cache poisoning attacks.
header and setcookie contain mitigations against response/header splitting, But these can't support me in fixing the above issue
Edit
When I request the mysite.com contact us page like below, this is the request I captured in my tool:
Request headers:
GET /contactus HTTP/1.1
Host: mysite.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
And I get the response HTML for the above request.
Now for the same request, using the tool, I'm adding custom headers just like below.
Request Headers:
GET /%0d%0a%20Hacked_header:By_Hacker/contactus HTTP/1.1
Host: mysite.com
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response Headers:
HTTP/1.1 302 Found
Date: Fri, 10 Jul 2015 11:51:22 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Fri, 10 Jul 2015 11:51:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Location: mysite.com
Hacked_header:By_Hacker/..
Vary: Accept-Encoding
Content-Length: 2
Keep-Alive: timeout=5, max=120
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
You can see the injected header Hacked_header:By_Hacker/.. in the above response
Is there any way in PHP or Apache server configuration to prevent such kind of headers' hack?
Not sure why all the down votes - in fact, it is an interesting question :)
I can see that you have tagged CakePHP - which means your app is using the Cake Framework... Excellent! If you are using Cake 3, it automatically strips off %0d%0a.
Alternatively, where you receive the response header, just strip off %0d%0a and you are good!
Where things like these could be applied - a 3rd party API response or say.... a Webhook response! or a badly sanitized way to handle intl.. example : lang=en to lang=fr where the GET param is directly set as response header... That would not be a wise move!
Ideally, the responses will be as GET and not in the header but either way just strip the %0d%0a and you are good.
Answering your edit.
You can see the injected header Hacked_header:By_Hacker/.. in the above response
That injected header cannot be controlled or stopped, mate. We do not have control over what the other server does.
The question is.. What do you do with the response header?
The answer is... You sanitize it, as ndm said you need to sanitize the input.. What you get as a response IS an input. As soon as you detect %0d%0a, discard the response.
Need code work?
<?php
// Percent-encoded CR and LF as they appear in the raw request/response text
$cr = '/%0d/i';
$lf = '/%0a/i';
$response = ''; // assign whatever your response is generated in
$cr_check = preg_match($cr, $response);
$lf_check = preg_match($lf, $response);
if (($cr_check > 0) || ($lf_check > 0)) {
    throw new \Exception('CRLF detected');
}
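The check above only looks for the literal text %0d/%0a. As an added example (not code from the question or its answer), the following validates a caller-controlled value before it is placed in a response header such as Location, rejecting raw CR/LF, the percent-encoded form seen in the request path /%0d%0a%20Hacked_header:By_Hacker/contactus, and the double-encoded form as well; the function names and the hostname are my own.

```php
<?php
// Added example, not the question's or the answer's code: decide whether a
// value is safe to emit inside an HTTP header. Names here are hypothetical.

/**
 * True if $value contains no CR, LF or other control character, even after
 * percent-decoding (so %0d%0a and the double-encoded %250d%250a are caught).
 */
function isSafeHeaderValue(string $value): bool
{
    $decoded = $value;
    // Decode a bounded number of times; stop as soon as nothing changes.
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    // Reject any ASCII control byte (0x00-0x1F, 0x7F); CR and LF are among them.
    return preg_match('/[\x00-\x1F\x7F]/', $decoded) === 0;
}

/**
 * Build a redirect target from a caller-controlled path. Throws instead of
 * emitting a header that could be split; the caller should answer 400.
 */
function safeLocation(string $base, string $path): string
{
    if (!isSafeHeaderValue($path)) {
        throw new InvalidArgumentException('CRLF detected in redirect target');
    }
    return $base . $path;
}

// Constructed inputs (hypothetical site) with the verdict each should get.
$cases = [
    '/contactus'                                  => true,
    '/%0d%0a%20Hacked_header:By_Hacker/contactus' => false,
    "/contactus\r\nX-Injected: 1"                 => false,
    '/%250d%250aX-Injected:1'                     => false,
];
foreach ($cases as $path => $expected) {
    $ok = isSafeHeaderValue($path) === $expected;
    printf("%-50s %s\n", json_encode($path), $ok ? 'ok' : 'MISMATCH');
}

// Typical use (hypothetical hostname):
// header('Location: ' . safeLocation('https://mysite.example', $_SERVER['REQUEST_URI']));
```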

Google Flight RPC and building a JSON array

I am trying to use the Google Flight RPC but am having trouble building a json array to post to it. The only documentation I've found is here. It describes what needs to be sent but doesn't explain how to construct the json array. Specifically, using PHP, I'm not sure how to build and post a json array using the following example from part 1 of the linked documentation.
[,[[,"fs","[,[,[\"SJC\"]\n,\"2012-04-05\",[\"EWR\",\"JFK\",\"LGA\"]\n,\"2012-04-12\"]\n]\n"]
]
,[,[[,"b_ca","54"]
,[,"f_ut","search;f=SJC;t=EWR,JFK,LGA;d=2012-04-05;r=2012-04-12"]
,[,"b_lr","11:36"]
,[,"b_lr","1:1528"]
,[,"b_lr","2:1827"]
,[,"b_qu","3"]
,[,"b_qc","1"]
]
]
]
The above does not appear to be properly formatted to be put into a json array. Additionally, HTTP request headers are needed. I assume these are set via cURL? I'm not clear on the documentation on how to do this.
I've tried several attempts and I don't get back any of the responses that are shown in the documentation.
Edit: Awesome, I got a Tumbleweed badge for this question! I would appreciate help. Thanks.
I was not able to find any documentation either.
However, if you go to https://www.google.com/flights/, open chrome console or firebug, click the network tab, then run a search, you will see that headers and body it makes for the RPC POST.
Sample Headers from the transfer:
Request URL:(I BROKE THE LINK) GOOGLE(dot)com /flights/rpc
Request Method:POST
Status Code:200 OK
Request Headers
:host:(I BROKE THE LINK) GOOGLE (dot) com
:method:POST
:path:/flights/rpc
:scheme:https
:version:HTTP/1.1
accept:/
accept-encoding:gzip,deflate,sdch
accept-language:en-US,en;q=0.8
content-length:169
content-type:application/json; charset=UTF-8
cookie:PREF=ID=f472fc4bbb95bc2b:U=9da5b7e4c1d04bda:FF=0:LD=en:TM=1390684154:LM=1390749713:GM=1:S=orUAMb3qaxBh99PJ; HSID=AHlw351sj7B7Om0t_; SSID=AKycPxLzyXkc4_tZJ; APISID=xKH5zAdc9vfBtiDy/Ab5TlD_Z4w2nP64Wl; SAPISID=7awo9qDssc3wr-fN/AQYOdvCN-I-UwtXQ1; NID=67=XnUn_DGdQDaeczlvXe-qTy9vy8gnQwhFwfRi52TRFS-_Dg-J58CgTGUY6Tkn3cCJYCcVJhK8unOrdffpgzeKed2jPqSazVI4Xplo5fW8-6wXoNi97L2gdoaOms0dKj4iOODoZpzd4DG_8YdQQcH6fl5xY__N929CJr8pdcAUwgnKf8X_mI8sLSB7CKVyS4ZvbGMCAiMLwIs1gJJz-UbppSj; S=travel-flights=5OJmMrbJoqLfOFzkZy285A; SID=DQAAAM0AAAAIGD56aXyxAxrRCSROmPy8AEtV3DaEwKT48aaZ98S35Nss09ishDZ3RxNT6ksikfAOJo-MLYVodF3jr-6imwzC8tRd7cxe-OoyafCZiGaf0qhp-yza4VZlAMInxGPhVae7wSXCRXlqb-wbYHBCHUSz_K5kYpvKwqC8pWuQ_6AUZa3WWqB6OmYpxuihxn3UxSve95zpkziyaDX0JFzUjyWX-0O_iIWZiEztywwyKVWCVv27ByGjIYTYV1G2byExt5M9-kEFpE_v0x8KgU7vleT
dnt:1
origin:(I BROKE THE LINK) SSL GOOGLE(dot)com
referer:(I BROKE THE LINK) SSL GOOGLE(dot)com flights
user-agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
x-gwt-cctoken:ADS25WMm8S7W0MlpX1-Lf_yNzQCrke7t6OvH2kFLkBJIH_Q-YTuu8VSHmgIxzFtGaL87SsM5PcZECRBP7IqMCbM5QKFVdWrw9hRIkHoL5oiyCzEu2ZCnKuhqvv2sUKcg4Z_HnajCZmM7aQ9nYsVMQnFxqrkgB2Cz7rAIP47zPJ_rakoyxlGE4yJvcuUeiQ
x-gwt-module-base:https://www.google.com/flights/static/
x-gwt-permutation:C8210E5F468630F84E578D8EDE10A1A0
Request Payload
[,[[,"no","[]","1531191655318648",11]],[,[[,"b_al","no:74"],[,"b_ahr","no:s"],[,"b_ca","103:34541"],[,"b_pe","4F2F79B9E3FB0.A40E22A.71A7"],[,"b_qu","0"],[,"b_qc","1"]]]]
Response Headers
alternate-protocol:443:quic
cache-control:no-cache, no-store, max-age=0, must-revalidate
content-encoding:gzip
content-length:75
content-type:application/json; charset=utf-8
date:Sat, 22 Feb 2014 05:00:17 GMT
expires:Fri, 01 Jan 1990 00:00:00 GMT
pragma:no-cache
server:GSE
status:200 OK
version:HTTP/1.1
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-xss-protection:1; mode=block
So, what you will likely have to do to get this to work correctly is to make a GET on the path /flights and read the headers, then put the headers in your POST request. (I have had to do similar things in the past). In order to figure out what fields are what I would play around with selecting different fields and seeing what changes in the JSON data that it posts.

Curl, submitting form with __multiselect parameter

I'm trying to submit a (Java servlet) form using cURL in PHP, but it seems like there is a problem with the parameters. I can't really understand why it's happening, since I'm testing cURL with an identical parameter string to the one being used by the browser.
After some research in diverse forums I wasn't able to find a solution to my particular problem.
this is the POSTFIELDS string generated by the browser (and working):
submissionType=pd&__multiselect_PostCodeList=&selectedPostCode=01&selectedPostCode=02&selectedPostCode=03&__multiselect_selectedPostCodes=
and I'm using an identical (for testing) string in the PHP script, but I'm getting an HTML file as an answer telling me "Missing parameters in search query".
I believe that the form
__multiselect_PostCodeList=
&selectedPostCode=01
&selectedPostCode=02
&selectedPostCode=03
&__multiselect_selectedPostCodes=
is quite weird (never seen this before) and I'm wondering whether it can be the reason why the post is not working from cURL.
The form seems to be successfully submitted since I'm getting this header
HTTP/1.1 200 OK
Date: Wed, 07 Aug 2013 08:02:56 GMT
Content-length: 1791
Content-type: text/html;charset=UTF-8
X-Powered-By: Servlet/2.4 JSP/2.0
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: Keep-Alive
Note: I tried submitting the same form from Lynx and I'm also getting the same result ("Missing parameters in search query"). So it seems like it's only working with browsers like Mozilla or Chrome.
Please some help will be really appreciated, I don't have any more ideas at this point.
Thanks!
Oscar

storing contents of php://input in a variable

I'm trying to edit and tweak someone else's REST server in PHP. It's based on the REST Server written by Phil Sturgeon. Pretty much got my head around all of it, but my requests aren't working as expected.
In the server constructor is the code
switch ($this->request->method)
{
    case 'post':
        $this->_post_args = $_POST;
        $this->request->format and $this->request->body =
            file_get_contents('php://input');
        break;
}
I know that php://input can only be read once, so doing var_dump(file_get_contents('php://input')) before setting the variables shows that my XML data is being read correctly from the input stream but obviously the variables aren't set right.
But doing var_dump($this->request->body) only outputs NULL! Is there a special technique to storing the contents of php://input in a variable?
EDIT:
I'm using API Kitchen to send the POST request and the headers that it sends are
Status: 200
X-Powered-By: PHP/5.3.2-1ubuntu4.11
Server: Apache/2.2.14 (Ubuntu)
Content-Type: application/xml
Date: Fri, 10 Feb 2012 11:00:43 GMT
Keep-Alive: timeout=15, max=100
Content-Length: 936
Connection: Keep-Alive
I can't see from this what the encoding is.
EDIT 3:
The encoding is application/x-www-form-urlencoded which could be where the problem lies!! How do I specifically say what this should be?
EDIT 2:
$this->request->method contains 'post'
Thanks for all the help, it turns out that in order to work, the content type of the request must be application/xml, not application/x-www-form-urlencoded as it was.
If $this->request->format evaluates to false, NULL or 0, the latter part of the and operator does not execute.
$this->request->format and $this->request->body = file_get_contents('php://input');
^
|
+--- this part won't execute
You should have written it like
if ($this->request->format) {
    $this->request->body = file_get_contents('php://input');
}
This helps in debugging.
