I have a doubt about how I can check an URL like this:
http://your.url/set_new_password.php?userid=564979&code=54c4a2767c2f485185ab72cdcf03ab59
I need to check if the userid exists in the database and if the userid is associated to the hash in the link.
I Read that it is not possible check the url within php. If so, is it possible to solve this problem? I need to verify if the hash and userid present in the link exist in the database.
Any other alternatives?
The variables userid and code in the URL are made available to PHP in an array called GET:
echo $_GET['userid']; // 564979
If you have a hash (or fragment) in your URL, this won't get back to PHP:
www.mysite.com?val=1#part2
In the above, PHP can see the domain and the val variable, but not #part2. Sites that use the hash to significantly change the page (eg GMail) use javascript to pull in new content when the hash changes.
Be sure to sanitize your variables before using them, to avoid malicious users being able to hack into your system. This is a big topic, but read up on the following:
Data Filtering
PHP Data Objects
Sanitize and Validate Data with PHP Filters
If you don't sanitize, someone could change your url so that the variable is set to:
;DELETE * FROM mytable;
When you query your db without sanitising your inputs, you could lose all your data.
use the $_GET variable in php
$_GET['userid']
see tutorial here
In PHP, the $_GET array has the url parameters. So in this case, you'd use $_GET['userid'] and $_GET['code']
See Server consist of apache , php , mysql . When you access this url through your browser it is first send to apache which forwards your request to php . Php takes full controle from there on . A request made by client browser consist of various data which can be divided into types cookies , headers , post , get request . All these data can be access in there respective suprglobal variables in php $_GET , $_POST and so on . In your case you need to access $_GET . so do $_GET['userid'] to access userid , and $_GET['code'] to access code . Lastly you would connect ot MYSQL and do querly like "Select * from users where 'userid' = $_GET['userid'] and 'code' = $_GET['code'] " ;
Related
I want to be able to get hash parameters variable from client side URL and send to server and store in session for echo later in php
URL format in client side Browser:
domain.com/Betatest/#response_uri=https%3a%2f%2flogin.online.com%2ferror%3fcode%3d700AB8&state=email%40domain.com
I want to get the variable of state which is email%40domain.com encoded and uncoded means email#domain.com
I want to get the variable and save to session then echo later the variable using php
Hash values are not sent to the server in a HTTP request. You need to put your data in the querystring, not hash, e.g.
domain.com/Betatest/?response_uri=https%3a%2f%2flogin.online.com%2ferror%3fcode%3d700AB8&state=email%40domain.com
That will give you two parameters (response_uri and state) which you can find in the PHP $_GET array, e.g. $_GET["response_uri"] and $_GET["state"]
I have two files, the first is a form (signup.php) that posts user inserted fields (first name, last name, user name, email..etc) into another file containing an error handlers (Signup.chk.php) using post method. in case of error in the inputs, i wanted signup.chk.php to send back all the fields inserted by the user to the signup.php file using GET method to re-display the form with the errors and the user's inputs.
i'm expecting a URL that looks like below:
localhost/signup?signup=error&firstname=Joe&lastname=Doe&user=Jdoe1&email=Jdoe#abc.com
it works fine if the user didnt insert special chars as inputs.
if the user inserts $ or & as part of the inputs it will mess up the _GET function on the other page.
what is the best way to encode/decode the URL values to prevent XSS and also allow the signup.inc file to properly receive the url values and display it correctly in the form fields again (Even if containing <>$&%..etc)
To do what you want, you can use urlencode() and urldecode().
// To form the URL
$url = "localhost/signup?signup=error&firstname=" . urlencode($firstname);
// To get the value from the URL and decode it.
$firstname = urldecode(isset($_GET['firstname']) ? $_GET['firstname'] : "");
However, there is a security issue, user may add some code on the url to attack your website, so you need to do something to avoid it, eg restrict input length or avoid unnecessary specific characters.
how to secure your passing variables between the two pages via url? Let's assume i have a TEST variable in one page and i want to pass on that variable to test2.php page in the secure method?
How to convert test variable into Hash Method and pass on test2.php page via url?
for example
$test=$_POST['test'];
echo $row['test'];
Test
OR
Test
test2 Page
$test=$_REQUEST['test'];
By secure if you mean that you want the variable to be visible but you want to prevent users from changing the variable you can simply pass a hash along with the variable.
I.e.
$variable = 'abc';
$salt = 'your secret key';
$hash = md5($salt.$variable);
Page 2
On the second page you can rehash to see if the value has changed or not.
$variable = $_REQUEST['variable'];
$salt = 'your secret key';
$hash = md5($salt.$variable);
if($hash == $_REQUEST['hash']){
//do staff
}
However this will not hide the variables from URL, you can use other suggested answers for that.
It's not secure at all, because URLs (incl. GET arguments) are usually stored in httpd logs. So use POST for this, use SSL for transmission. If you need to use GET you can try to encrypt your data but mind that some web browsers got limits on max length of URL used, so too much data in GET may make them confused
Secure hash functions are one way, so no good for passing values. The most secure way to do this would be to use SSL, and POST your variables so they aren't displayed in the querystring/address bar.
Use SSL (for encrypted traffic - see here) and POST (see here).
The answer is simple.
either you need that variable in the url to identify the particular page and it's content
or it's internal site variable, like authorization information - it have to be passed via session.
For the first case you shouldn't "secure" this variable at all.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP Pass variable to next page
Here is my current code:
$search = $_POST['s'];
$search = strtoupper($search);
$search = strip_tags($search);
$search = trim($search);
$search = mysql_real_escape_string($search);
I need to be able to carry on the $search variable to my second, third, etc, pages.
I'm a beginner in php and i'm sort of stuck here
It would appear that sessions are your friend here. In the simplest form, sessions will just put data in cookies that are sent to and from the user's browser. Make sure you call session_start() before you do anything with the session, this will start or resume the user's sessions. After that, you can use $_SESSION as a global associative array that will persist between pages.
Xander has already linked you to the docs, Here are some simple examples. Make sure you understand session_start() otherwise you'll have some bugs.
N.B. Do not use this basic session format for sensitive data. Look into using something like memcache to store the data and simply put the memcache key into $_SESSION. Also, consider encrypting the sessions. Those are more advanced things you should think about when dealing with user authentication/login
Assuming it is a search string, there is only sane method:
First, change the form's method to GET
Next, just pass your search variable in the query string using GET method.
The only modification you have to apply is urlencode()
So, the code should be
$query_string = 'search='.urlencode($_GET['search']);
echo "<a href='?page=2&$query_string'>page 2</a>";
producing an HTML code
page 2
so a user can click this link and you will have your search string back
While $_SESSION has been suggested, another option is to use a hidden field (with the same name and filled with the appropriate value) on subsequent generated pages. Then, when those pages are posted back, they too will have the field available in $_POSTS (this time supplied by the hidden field, not the original text field).
Advantages:
"Bound to the current page"; really good for some page context-sensitive stuff! (The session is scoped to the browser, not the page.)
Avoids the need for session/cookies (which is a non-issue if the session is already required for other purposes).
Disadvantages:
"Bound to the current page": value will be lost when navigated away from outside of back/next context. (As Bert notes, a slight modification can use this "breadcrumb" approach to alter the URL and use GET parameters, which can make the data universally persistent, at the expense of a "less pretty" URL.)
Data must be treated as untrusted and insecure, just like the original post.
Requires population of additional [hidden] fields.
Happy coding.
Use session_start() in each of the pages you want to access the search varaible
in the first page
$search = $_POST['s'];
$search = strtoupper($search);
$search = strip_tags($search);
$search = trim($search);
$search = mysql_real_escape_string($search);
set a session variable as
$_SESSION['searchStr']=$search
then in everyother page
session_start(); // at the very begining
if(isset($_SESSION['searchStr'])) {
$search=$_SESSION['searchStr']
}
My question is pertaining to extracting information from the URL using PHP.
I've three pages in the website I am building
catalogues.html
form_userdata.php
mail.php
The schema is as follows. The user will choose a file to download from catalogues.html
for eg
a href="form_userdata.php?id=1026&name=Vibrating Feeder - Heavy duty -VFH" target="_blank"
This id & name will be passed to form_userdata.php and after entering the details in form_userdata.php page, the page passes control to mail.php, that will check if the fields are all true and valid.
My question is how can I use the ID & name specified in "a href" in my code?
I am passing the ID and name from catalogues->form_userdata and collecting it in mail.php
Thank you for your valuable input
you can use sessions to store it when processing form_userdata.php and then use it in mail.php. That way you don't have to pass it in every URL.
when I add $id=$_POST['id']; at
form_userdata, I get an error saying
"undefined index: id"
That's quite logical, since you're passing them in the URI, and thus have to read them using $_GET in PHP, ie. do :
$id = isset($_GET['id']) ? (int)$_GET['id'] : null;
I found this solution:
session_start();
$_SESSION['id'] = $id=$_GET['id'];
$_SESSION['name'] = $name=$_GET['name'];
this will pass the value of ID and Name to the next page.
Thank you for your help
you may use $_GET to collect and pass variables
You can access the named values in an URL (query string, query-info part) by using the $_GET superglobal. It will contain the value by it's name:
$_GET['id']
More information is in the the PHP manual: $_GET. That page is already pretty specific, I suggest you read this manual page as well: Variables From External Sources it more broadly describes how this works.
As input is very important in programming, it's really recommended to understand how it works so you can use the language for your needs more easily.