So i've never worked with PHP or http posting or anything before, so please excuse me if i'm asking something dumb.
Heres a site so I can explain more accurately what I need.
http://nycserv.nyc.gov/NYCServWeb/NYCSERVMain
So I want to write something that will go to that site, go to the resultant page as if I had hit "go" next to where it says business tax, then enter in data into the text box on the new page and hit search, and finally get the data from the resulting page.
Having no idea how to do this and after googling for several hours with no luck, I think I should be doing HTTP posting. I've seen that using PHP and CURl seems to work well, but I still don't know exactly how I should be doing this. Any help would be greatly appreciated.
Make a form that copies one of theirs. For example:
<form action="http://nycserv.nyc.gov/NYCServWeb/NYCSERVMain" method="POST"><input type="text" name="searchticket"/><input type="submit" value="submit"/></form>
Save that as .html and then open it with a browser. Type a valid number into the text field (one that actually exists), submit it, and see if it takes you directly to a results page. Then you will know whether you can post to NYCSERVMain. If you can do that, I don't see why you couldn't do it with pHp if you really need to. Follow these instructions on how to post with php.
Well what's happening with the example you mentioned is each of those drop downs and [GO] button is in a separate form.
I believe you should follow this tutorial from Tizag.
They have lots of good basic HTMl tutorials as well as HTML + PHP tutorials that will be able to help you learn how to to what it is you are trying to do.
Good Luck!
Related
I got a theoretic question.
If I use a form with GET method that is leading for an external PHP file (test.php),
I suppose anyone can find out what would be the result simply by viewing the source page, getting the variables (e.g., action="test.php" name="do" value="hello"), and then typing the URL with these variables:
....test.php?do=hello
I mean, he wouldn't have to actually click the button on the original page in order to find out what happens.
However, is there anyway to know what would be the result of a POST method button, without clicking it?
Your question has two possible meanings.
One is discover what the page does, what is the result of processing. That can be found by almost anybody with enough knowledge and tools to send a post request. There are a bunch of tools that allow you to do that. You can do it with plugins for your browser, security analysing tools like webscarab, programming languages using cURL, etc.
The second meaning is determining how the result was achieved. That, is not possible to know unless the source code of the processing file is accessed and analysed.
I have been given a large PHP project that I am supposed to fix all the problems of.
The code has little to no documentation, and is a real mess organizationally. (Coding was outsourced to several different offshore developers)
Anyways, I am relatively new to PHP, coming from Java.
I'm using netbeans.
My question is: How can I figure out what function is being called for a specific button, and what is the best way to find where that is in the code?
Thanks,
The short answer is, "it depends."
Is it part of a form? Is it an image that is just hyperlinked to another page? The most simple way of finding out is to view the source code of the page and find the HTML code for the button.
If it submits a tag, then look at the form's ACTION attribute for the page that deals with the data. That page will likely retrieve the information using the $_POST or $_GET variables.
<form action="/path/hello.php" name='myForm' method='post'>
<!-- onChange="ajaxFunction();" -->
<input type= "text" name="user" id= "txtname" /><br />
<!-- <input type="text" name="user2" id="txtname2" /> -->
<input type='submit' name = "click" />
</form>
Noweveryone who looks at my html source code will know where this php file is located and will know how to call it. How can i stop this ?
If you handle the POST request to /path/hello.php properly, it shouldn't matter whether someone accesses it manually. Just make sure you are checking for things like the existence of $_POST['click'] and any other POST data you expect to exist, clean it, and proceed as normal.
If someone were to call /path/hello.php with spoofed POST data, then how would that be any different than them submitting your own form? There's no need to modify the script's visibility.
Furthermore, if your fear is that someone would be able to view the source of your PHP scripts--don't. The only thing a user would be able to see if they made an HTTP request to your PHP script would be the rendered HTML.
However, even if they could--why wouldn't you want someone to see your source (of course, barring situations where you might have sensitive configuration data within a PHP file)
You can't stop it. If you're going to tell the browser where the form is, you have to put the address in the HTML somewhere and once you do that anyone can see it.
It really shouldn't make any difference though, as your script should be able to cope with whatever values are sent to it. You can't blindly trust the data from the client in any case, so you need to verify the data sent is what you're expecting - no matter whether that's data sent by filling in your form as normal or someone calling it directly.
I can give a good example for why you would want to do this. You may have a service and offer it to a 3rd party, however in order to make this work there is some important configurable data that may come exposed. Here is an example
You own a website and let's say you want to create some type advertising campaign on your website but your "client" wants to advertise this the same thing on their website but the data needs to go into your email database.
you may not want them to know who you use
those services may require you to add account number or some type of identifying parameter towards your account.
May not be a big deal but still could be a security risk. So if you divert or mask it can prevent some of it.
There is no way to avoid this other than leave off action all together. The form will then submit to the current URL.
In any case, why are you worried about someone accessing the script? If you've written it correctly, no information should be exposed, and, no, they will not know how to "call" it - unless by calling it you mean simply accessing it in the browser. If by simply accessing it in the browser, sensitive information is displayed, you've got some serious problems on your hands.
I think your question is that by showing these paths that people will be able to actually view the source of the php file. That is not possible because it is being rendered by the php engine you are using. You have nothing to fear here.
Sorry, this isn't an answer, but a general observation on this same subject...
I have also experienced this and, seem to know where the OP is coming from...
I have seen a number of large CMS where form "actions" don't show the script... almost as if it points to a "friendly" URL...
Such as <form name="contactform" method="post" action="http://example.com/contact/send-contact">
As can be seen the extension is missing but the form is processed correctly...
I guess the htaccess could hide the extensions but some have a mix of visible URLs for standard pages and some "friendly" URLs for other content (including forms).
I'm not sure how these work...
It is sometimes considered best practice to keep .php files above the root directory to protect against the rare occurrence of php being configured incorrectly on the server and displaying php code to the client.
All you have to do is create a proxy script and post to that. I store the action in a hidden field so that I don't need multiple proxy scripts. I can't post the source code because I would be duplicating my answer on another post. You can find it here: https://stackoverflow.com/a/36941336/2452680
you can first give an action to page1 and in page 1 you can get the data and redirect and post the data to page2.
if you are using phpin page1 you can use curl and options to put data and execute it.
I am having issues creating a sticky for in PHP. It seems all the samples I can find online are using one pages for both the form and the processor. I have two separate pages. This is going to be a very long form and if a validation fails, and the user has to re-enter everything, they won't, they'll quit. So this is a vital feature for this form. Also, I am very new to PHP and haven't touched ASP for several years.
When all is said and done, this form will probably have over 50 items. It is using POST. What is the easiest way to convert my form to a sticky form?
The current form can be found here: http://family.themajdans.com/new_submission.php. Only the "Your Information" part works right now.
Any help would be appreciated.
I suggest using a framework/library which already has support for this feature to generate the form. There are several. In fact, I think there are several dozen.
Why don't you do it like this (one file PHP)... Make sure everything is well sanitized before doing this. Just filter out invalid inputs, and leave valid ones to be reposted.
<input type="text" name="age" value="'.$post["age"].'"/>
Hi I have a web form that sends a string to one php file which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the php file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array.... nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for...... just about anything else. Echoing it, or inserting it into a DB is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though asking for the "web form like this" you'd better to provide a web form. Not the link to the question that contains a code that can be presumed as this form's handler.