I am trying to integrate some third party tracking code into one of my sites, however it is throwing up some errors, and their support isn't being much use, so i want to try and fix their code myself. Most I have fixed, however this function is giving me problems:
private function getXForwardedFor()
{
$s =& $this;
$xff_ips = array();
$headers = $s->getHTTPHeaders();
if ($headers['X-Forwarded-For']) {
$xff_ips[] = $headers['X-Forwarded-For'];
}
if ($_SERVER['REMOTE_ADDR']) {
$xff_ips[] = $_SERVER['REMOTE_ADDR'];
}
return implode(', ', $xff_ips); // will return blank if not on a web server
}
In my dev enviroment where I am showing all errors I am getting:
Notice: Undefined index: X-Forwarded-For in /sites/webs/includes/OmnitureMeasurement.class.php on line 1129
Line 1129 is:
if ($headers['X-Forwarded-For']) {
If I print out $headers I get:
Array
(
[Host] => www.domain.com
[User-Agent] => Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
[Accept] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Accept-Language] => en-gb,en;q=0.5
[Accept-Encoding] => gzip,deflate
[Accept-Charset] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
[Keep-Alive] => 115
[Connection] => keep-alive
[Referer] => http://www10.toptable.com/
[Cookie] => PHPSESSID=nh9jd1ianmr4jon2rr7lo0g553; __utmb=134653559.30.10.1275901644; __utmc=134653559
[Cache-Control] => max-age=0
)
I can't see X-Forwarded-For in there which I think is causing the problem. Is there something I should add to the function to take this into account?
I am using PHP 5.3 and Apache 2 on Fedora
This is not really a big deal, but good to fix nevertheless. It's complaining about you trying to access an array key that doesn't exist. (Even querying the array with that key using if is regarded accessing.)
Change
if ($headers['X-Forwarded-For'])
{ $xff_ips[] = $headers['X-Forwarded-For']; }
to
if (array_key_exists('X-Forwarded-For', $headers))
{ $xff_ips[] = $headers['X-Forwarded-For']; }
Even better than array_key_exists is isset because the latter is a language construct (executes faster) and can be used on all sorts of variables. Make it a routine to check that variables you are unsure about are set before trying to read from them.
Related
I need to login to http://auto.vsk.ru/login.aspx making a post request to it from my site.
I wrote a js ajax function that sends post request to php script on my server, that sends cross-domain request via cUrl.
post.php
<?php
function request($url,$post, $cook)
{
$ch = curl_init();
$curlConfig = array(
CURLOPT_URL => $url,
CURLOPT_POST => 1,
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_COOKIEFILE => $cook,
CURLOPT_COOKIEJAR => $cook,
CURLOPT_USERAGENT => '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; Touch; .NET4.0C; .NET4.0E; Tablet PC 2.0)"',
CURLOPT_FOLLOWLOCATION => 1,
CURLOPT_REFERER => $url,
CURLOPT_POSTFIELDS => $post,
CURLOPT_HEADER => 1,
);
curl_setopt_array($ch,$curlConfig);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}
$result = request($_POST['url'], $_POST['data'], $_POST['cook']);
if ($result === FALSE)
echo('error');
else
echo($result);
?>
Js code:
function postcross(path,data,cook,run)
{
requestsp('post.php','url='+path+'&data='+data+'&cook='+cook, run);
}
function requestp(path, data, run)
{
var http = new XMLHttpRequest();
http.open('POST', path, true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.onreadystatechange = function()
{
if(http.readyState == 4 && http.status == 200)
{
run(http);
}
}
http.send(data);
}
postcross('http://auto.vsk.ru/login.aspx',encodeURIComponent('loginandpassord'),'vskcookies.txt',function(e){
document.getElementById('container').innerText=e.responseText;
});
The html page I getting from response says two things:
My browser is not Internet Explorer, I should switch to it.(actually it works from Google Chrome, at least can login).
My browser doesn’t support cookies.
About the cookies it is very similar to this (veeeery long) question. File vskcookies.txt is created in my server and it is actually updates after post request call, and stores cookies.
About the IE, firstly I thought that the site checks browser from js, but it is wrong, because js doesn’t run at all - I only read html page as a plain text, and it already has that notification about IE.
So wondered what if I make cUrl request wrong? I wrote new php script that shows request headers, here is a source:
head.php
<?php
foreach (getallheaders() as $name => $value)
{
echo "$name: $value\n";
}
?>
The result of postcross('http://mysite/head.php',encodeURIComponent('loginandpassord'),'vskcookies.txt',function(e){ document.getElementById('container').innerText=e.responseText; }):
Host: my site
User-Agent: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; Touch; .NET4.0C; .NET4.0E; Tablet PC 2.0)"
Accept: */*
Content-Type: application/x-www-form-urlencoded
Referer: mysite/head
X-1gb-Client-Ip: my ip
X-Forwarded-For: ip, ip, ip
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Port: 443
Accept-Encoding: gzip
X-Forwarded-URI: /head
X-Forwarded-Request: POST /head HTTP/1.1
X-Forwarded-Host: my site
X-Forwarded-Server: my site
Content-Length: 823
Connection: close
For some reason there is no Cookie: parameters, but user agent is IE as I mentioned.
Also I tried to replace head.php source with
print_r($_COOKIE);
And got empty array:
Am I doing something wrong, or it is site bot-protection?
Update 1
It is showing cookies only if to pass them through CURLOPT_COOKIE.
So I think I will leave CURLOPT_COOKIEFILE => $cook; as it is, and for CURLOPT_COOKIE something like file_get_contents($cook), although there is useless information. protection?
Important Update 2
Okay, probably I just stupid. Response html page indeed consists messages about IE and offed cookies, but they are in div that is display:none and are displayed on by js.
So, seems my tries fail because of another reasons.
When I try to implement auto-complete using the code below :
$('#keyword').autocomplete({
source : '/Dev/pages/search.php',
minLength : 3,
type : 'POST',
select: function( event, ui )
{
$(this).data("autocomplete").menu.element.addClass("yellow");
}
})
.data( "ui-autocomplete" )._renderItem = function( ul, item )
{
console.log(item);
return $( "<li>" )
.append( "<a>" + add3Dots(item.name,20) + "</a>" )
.appendTo( ul );
};
if (isset($_POST["term"])){
$term = trim($_GET['term']);
$parts = explode(' ', $term);
$p = count($parts);
$a_json = array();
$a_json_row = array();
$search = connexion::bdd_test();
$requete = "SELECT name from BDD_TEST.companies";
for($i = 0; $i < $p; $i++) {
$requete .= ' WHERE name LIKE ' . "'%" . $conn->real_escape_string($parts[$i]) . "%'";
}
$result = $search->query($requete);
while($donnees = $result->fetch(PDO::FETCH_ASSOC)) {
$a_json_row["name"] = $data['name'];
array_push($a_json, $a_json_row);
}
}
else
{
$a_json['call']=false;
$a_json['message']="Problem to collect word.";
}
$json = json_encode($a_json);
print_r($json);
When I test, if condition is not satisfied and I get the message directly from else " Problem to collect word . "
It means that $_POST["term"] is not defined.
How can I retrieve the input value ?
To be sure that values have been send, you can see what headers the browser sent to the web server with PHP for testing purposes.
This is possible using the apache_request_headers() function but it only works if PHP is run on Apache as a module.
How using apache_request_headers() :
If PHP is run on Apache as a module then the headers the browser send can be retrieved using the apache_request_headers() function. The following example code uses print_r to output the value from this function call:
print_r(apache_request_headers());
The output from the above using an example request from Google Chrome would output something similar to the following:
Array
(
[Host] => www.testing.local
[Connection] => keep-alive
[User-Agent] => Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.206.1 Safari/532.0
[Cache-Control] => max-age=0
[Accept] => application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
[Accept-Encoding] => gzip,deflate,sdch
[Accept-Language] => en-US,en;q=0.8
[Accept-Charset] => ISO-8859-1,utf-8;q=0.7,*;q=0.3
)
Alternative when PHP is run as a CGI :
If PHP is not being run as a module on Apache, the browser headers should be stored in the $SERVER array with the key being the request header name converted to upper case, hypens replaced with underscores, and prefixed with HTTP
The same request above showing the relevent lines from $_SERVER are as follows:
[HTTP_HOST] => www.testing.local
[HTTP_CONNECTION] => keep-alive
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/4.0.206.1 Safari/532.0
[HTTP_CACHE_CONTROL] => max-age=0
[HTTP_ACCEPT] => application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
[HTTP_ACCEPT_ENCODING] => gzip,deflate,sdch
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.8
[HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.3
The alternative method is create our own function if the apache_request_headers() function does not exist, which extracts just the values from $_SERVER and converts the key names to the same style as apache_request_headers(). This works like so:
if(!function_exists('apache_request_headers')) {
function apache_request_headers() {
$headers = array();
foreach($_SERVER as $key => $value) {
if(substr($key, 0, 5) == 'HTTP_') {
$headers[str_replace(' ', '-', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))))] = $value;
}
}
return $headers;
}
}
The new function is only declare if the function with that name does not already exist. The end result is that whether or not the internal PHP function exists, you will be able to call a function with this name in your code.
A loop is done though the $SERVER array and any whose key starts with HTTP is added to the array, and the key is translated via a series of function calls to be in the same format as returned by apache_request_headers().
View HTTP headers in Google Chrome
Chrome has a tab "Network" with several items and when I click on them I can see the headers on the right in a tab.
Press F12 on windows or ⌥⌘I on a mac to bring up the Chrome developer tools.
Try to retrieve value(s) without knowing HTTP methods
You can detect which request type was used (GET, POST, PUT or DELETE) in PHP by using
$_SERVER['REQUEST_METHOD']
For more details please see the documentation for the $_SERVER variable.
Or you can retrieve value(s) using $_REQUEST['you_variable'].
Note $_REQUEST is a different variable than $_GET and $_POST, it is treated as such in PHP -- modifying $_GET or $_POST elements at runtime will not affect the elements in $_REQUEST, nor vice versa.
I wrote a function that allows me to send HTTP GET requests in PHP:
function get_HTTPS_page_with_version($url, $hostname, $use_HTTP_1_0 = false, &$headers = NULL, $follow_redirect = true, $use_SSL = true) {
$context = Array(
"http" => Array(
"method" => "GET",
"ignore_errors" => true,
"follow_location" => $follow_redirect,
"user_agent" => "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
"header" => "Accept-language: en")
);
if ($use_SSL) {
$context["ssl"] = Array(
"peer_name" => $hostname,
"SNI_server_name" => $hostname,
"verify_peer_name" => false,
"verify_peer" => false);
}
if (!$use_HTTP_1_0) {
$context["http"]["protocol_version"] = "1.1";
$context["http"]["header"] .= "\r\nHost: $hostname".
"\r\nConnection: close";
}
$page = file_get_contents($url, false, stream_context_create($context));
$responseCode = get_HTTP_response_code($http_response_header);
$headers = $http_response_header;
return Array($responseCode, $page);
}
The issue is that when I use this function to get a specific file (which is Verisign Certificate Revocation List), it appends some chars at the beginning:
6639 6361 0a0d --> f9 ca \n\r
and at the end of the file:
0a0d 0d30 0d0a 000a --> \n\r \r0 \r\n NUL\n
I compared files obtained manually using Wget and with this function, and also at network level using Wireshark, and I can confirm that the file sent by the server is the same in both cases.
I also don't have the problem for Thawte CRL
Does anyone have an idea about what might cause this behavior?
EDIT
Verisign CRL changed and other bytes are added by file_get_contents than the ones that I listed above, but the result is still the same --> The file is not the same when downloaded by this function than manually using wget.
EDIT 2
There is no problem when I set $use_HTTP_1_0 = true.
There is no problem when I add header Accept-Encoding: gzip,
deflate (except that I get a gz file and that I'd prefer to avoid
this :))
There is still a problem when I only change Connection from close
to Keep-Alive
I am trying to get twitter posts following this tutorial:
https://www.youtube.com/watch?v=tPrsVKudecs
there aren't a lot of tutorials regarding this online, and twitters console doesn't support running queries anymore as far as I understood.
any idea why this is happening?
This is the output I get in the Chrome "Network":
Remote Address:54.666.666.666:80
Request URL:http://666.com/yh/test/tweets_json.php
Request Method:GET
Status Code:500 Internal Server Error
Response Headers
view source
Connection:close
Content-Length:0
Content-Type:text/html
Date:Mon, 15 Jun 2015 13:51:40 GMT
Server:Apache/2.4.7 (Ubuntu)
X-Powered-By:PHP/5.5.9-1ubuntu4.5
Request Headers
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:666.com
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
Any ideas why this is happening?
Is there a better simple way to do it?
EDIT:
tweets_json.php
<?php
require 'tmhOAuth.php'; // Get it from: https://github.com/themattharris/tmhOAuth
// Use the data from http://dev.twitter.com/apps to fill out this info
// notice the slight name difference in the last two items)
$connection = new tmhOAuth(array(
'consumer_key' => '',
'consumer_secret' => '',
'user_token' => '', //access token
'user_secret' => '' //access token secret
));
// set up parameters to pass
$parameters = array();
if ($_GET['count']) {
$parameters['count'] = strip_tags($_GET['count']);
}
if ($_GET['screen_name']) {
$parameters['screen_name'] = strip_tags($_GET['screen_name']);
}
if ($_GET['twitter_path']) { $twitter_path = $_GET['twitter_path']; } else {
$twitter_path = '1.1/statuses/user_timeline.json';
}
$http_code = $connection->request('GET', $connection->url($twitter_path), $parameters );
if ($http_code === 200) { // if everything's good
$response = strip_tags($connection->response['response']);
if ($_GET['callback']) { // if we ask for a jsonp callback function
echo $_GET['callback'],'(', $response,');';
} else {
echo $response;
}
} else {
echo "Error ID: ",$http_code, "<br>\n";
echo "Error: ",$connection->response['error'], "<br>\n";
}
// You may have to download and copy http://curl.haxx.se/ca/cacert.pem
tmhOAuth.php: https://github.com/themattharris/tmhOAuth/blob/master/tmhOAuth.php
and this pem key: http://curl.haxx.se/ca/cacert.pem
All three in the same folder
In the tutorial it should run the query and get the json output.
I get a blank page.
I´m sending an ajax request with a custom header called Authorization,
and I'm trying to get that header with PHP
if (!function_exists('getallheaders'))
{
function getallheaders()
{
$headers = array();
foreach ($_SERVER as $k => $v)
{
if (substr($k, 0, 5) == "HTTP_")
{
$k = str_replace('_', ' ', substr($k, 5));
$k = str_replace(' ', '-', ucwords(strtolower($k)));
$headers[$k] = $v;
}
}
return $headers;
}
}
$val = getallheaders();
echo $val;
and I get all the headers but not the custom one
val: Object{
Accept: "application/json, text/plain, */*"
Accept-Encoding: "gzip, deflate, sdch"
Accept-Language: "es-ES,es;q=0.8,en;q=0.6"
Connection: "keep-alive"
Host: "www.localhost.com"
Origin: "http://localhost"
Referer: "http://localhost/gestion/"
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
}
Any clues why I'm not getting header Authorization?
For custom headers the $_SERVER global in php documentation state that
There is no guarantee that every web server will provide any of these; servers may omit some, or provide others not listed here. That said, a large number of these variables are accounted for in the » CGI/1.1 specification, so you should be able to expect those
so try to use apache_request_headers which may help you if your working with apache as a server
Server Quote
apache_request_headers