How can I let a user access a WordPress protected page with a URL that will submit the password in the form below?
I want to be able to let a user get to a password protected WordPress page without needing to type the password, so when they go to the page, the password is submitted by a POST URL on page load.
This not intended to be secure in any respect; I'll need to hardcode the password in the URL and the PHP. It's just for simplicity for the user.
Edit 4/19/10: As per answers below, it's possible to set a cookie directly to allow users to not have to enter a password. Letting search bots in is best done by detecting the user agent and redirecting, as bots aren't going to deal with cookies.
This is the form (which is WordPress core code):
<form action="http://mydomain.com/wp-pass.php" method="post">
Password: <input name="post_password" type="password" size="20" />
<input type="submit" name="Submit" value="Submit" /></form>
This is wp-pass.php (which is WordPress core code):
<?php
require( dirname(__FILE__) . '/wp-load.php');
if ( get_magic_quotes_gpc() )
$_POST['post_password'] = stripslashes($_POST['post_password']);
setcookie('wp-postpass_' . COOKIEHASH, $_POST['post_password'], time() + 864000, COOKIEPATH);
wp_safe_redirect(wp_get_referer());
?>
Rather than keep appending in the previous answer, I'll try to explain the problem a bit further here.
The way Wordpress passwording works, is:
The original page has a form, which
is sent to wp-pass.php.
wp-pass.php takes the provided
password, puts it in a cookie and
redirects the user back ot the
original page.
The original page checks the cookie
and if the password is correct, it
will show the page.
The problem here is that search engines don't accept cookies. So, you have two options:
Change the code Wordpress uses for passworded content to something that also accepts $_GET variables.
Use cURL to send the cookie using headers, having a separate page search engines can use.
I'd love to expand on the latter answer if you want, but I do wonder; if you're going to give search engines access to passworded content, anyone will have access. Why not just remove the password?
Change $_POST to $_REQUEST everywhere in wp-pass.php.
That code is only looking at the POST variables, not the GET variables in the URL. The REQUEST global contains both the POST, and the GET variables, which is what you want.
There's probably a better way, but I don't know WordPress.
EDIT
The problem is those parameters are in the GET array, not the POST array. So using a regular link with parameters isn't going to work. You can use a form with a hidden field. You can style the submit button to look like a link, if you want.
<form action="http://mydomain.com/wp-pass.php" method="post">
<input name="post_password" type="hidden" value="totally insecure password here" />
<input type="submit" name="Submit" value="Click here to enter your account" />
</form>
If you want to do this without editing WP's core, you can use cURL to simulate POST variables like this:
$ch = curl_init("http://mydomain.com/wp-pass.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, "post_password=mypassword&Submit=Submit");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_exec($ch);
curl_close($ch);
In your comment in this answer:
Actually, now I think I want search
engines to index the page, but then
non-googlebot traffic from that search
link gets redirected to an
introductory page, not a password
protected page. I could use php to
select googlebot traffic to see the
page (and index it), but non-googlebot
traffic could get an http redirect to
an intro page where the content is
user toggled by ajax after they see
the intro?
Beware about this practice. Search engines could interpret this as Cloaking.
Cloaking is a black hat search engine
optimization (SEO) technique in which
the content presented to the search
engine spider is different to that
presented to the user's browser.
I'm not saying they are automatically going to know you're doing this, maybe they'll never will. But it's interesting to know the risks involved.
I would like to know your intents about this practice to know if there are other alternatives that fit your needs.
First I don't know how search engines react to javascript, but could something like this work?
Call mydomain.com/wp-pass.php?post_password=mypassword&Submit=Submit
Add these 2 js function:
function gup( name ){
name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
var regexS = "[\\?&]"+name+"=([^&#]*)"; var regex = new RegExp( regexS );
var results = regex.exec( window.location.href );
if( results == null )
return "";
else
return results[1];
}
function setPassword()
{
var password = gup('post_password');
var passField = document.getElementByName('post_password');
var buttonSubmit = document.getElementByName('Submit');
if(password != "")
{
passField.value = password;
buttonSubmit.Click();
}
}
Add to the body tag, OnLoad="setPassword();"
I dont know how robots react to this...
I think the previous answers are rather more convoluted than they need to be.
If everyone can read the page, do not password protect it. That is by far the most neat solution. What is the password for if everyone and his dog can read the page?
If you really feel the need to make a link that uses POST though, here is the way to do it:
(Sorry if this background is redundant, but it seems like from your question like it is worth mentioning: HTTP supports various methods on URLs; POST is on, GET is another. When you normal-fetch a url, like with an <a> element, you are using the GET method.)
I agree that modifying core files to replace $_POST with $_REQUEST is unnecessary. What you want is a link element that uses the POST method. To do that, make a simple form like so:
<form action="your url" method="POST">
<input type="hidden" value="my_password" name="password"/>
<input type="submit" value="Submit" name="submit">
</form>
You can add style="border: 0; background: transparent;" and so on to the second input to make it look like a normal link if you want. It is a bit cumbersome, but works fine whenever you need to send a link using the POST method.
PS. Using Wireshark to inspect POST variables is a big waste of time. Install the Firebug FF extension and use the net panel. It will massively speed up working these sorts of things out.
Related
I am new to PHP and javascript programming
I have a string that can be "abc" or "aac" or "aaa" etc based on the inputs given by the user. After the user clicks some button(say submit) I want to generate a dynamic link like www.domain.com/abc or www.domain.com/aac based on string and navigate the user to the generated link. Is this possible?
Thank You
You can actually define a function and set it your form action. Then taking the user input it will be really each in the function to use header('location:YOUR_SITE_URL/'.$_GET['user_input']); die; for redirecting the user to desired url.
Hope that helps.
Yes it is possible, you can pass the string variable throw POST or GET when the user click submit
and then echo the link you want with the string congrenated. assuming you want to use php take a look at the example
$adress = "www.domain.com/";
$string = $_POST["get_string"];
$result = $adress + $string;
echo $result;
Possible, using routing. A real world example is how your usernames get to be part of the URL in social sites like Facebook.
What you need is a database of some sort to store the string, and it's matched data (could be an ID, or some identified) to tell the server what to load when that string is received. You'd also need routing code, which parses the entire url in search of that certain segment which should contain the string. This is how routing works in frameworks like CodeIgniter, Connect and Express.
In JS, routers in Connect look like:
app.route('/users/:username',function(username){
//okay! we got the username!
//now we'll look for it in the database if it's there
});
For PHP, here's an article regarding URL parsing.
In PHP :
Use methode in your page and store the variable to $UrlName (for example)
and continued with
echo("<script>location.href = \"www.domain.com/" . $UrlName . "\";</script>");
First in page1.html:
<form method="post" action="page2.php" >
String: <input type="text" name="string" />
<input type="submit" />
</form>
Then in page2.php:
header('location:www.domain.com/string/'.$_POST['string']);
But you should put a .htaccess containing:
Redirect /string/(.+) /page3.php?string=$1 [B,QSA]
And page4.php:
echo $_GET['string'];
I want to pass an id from one page to another when user clicks a url. There can be multiple url each corresponding to a separate id. Based on url clicked, I want to pass corresponding id and an action. Currently I am using following approach:
<a href="Process.php?action=del&id='.$id.'">
However both action and id are visible in url. Is there any way to hide this information in url and not passing it through url?
Also if I pass them using hidden fields, they can be accessed using browser dev tools. I want to make them secure so they can't be read or modified at all.
I would like to hide this for security purpose so no any user can see this
In HTML only, you'll not able to pass "hidden" variables through $_GET.
If you really want to hide some variables when a user click on a link, you can use Javascript with an auto-submitted form to use $_POST variables.
Example
<form method="POST" action="yourpage.php" id="yourform" style="display:none;">
<input type="hidden" name="hiddenfield" value="__" />
</form>
<a href="" onclick="document.getElementById('yourform').submit();return false;" />
Now, in yourpage.php, you'll be able to obtain the $_POST['hiddenfield'] value.
Edit:
I don't think it can be possible to really hide the values from dev tools. Btw, you can maybe use sessions, it will be more "secure"..
Example:
// page1.php
session_start();
$_SESSION['yourname'] = 'yourvalue';
// page2.php
session_start();
$_SESSION['yourname']; // Contains 'yourvalue'
The best way to hide id(if you mean security) is to encrypt it. You should use MCRYPT function to encrypt the id. You can encrypt both ID and your ACTION in one string and just pass this string to URL and then when you want to use it you can decrypt parameter and split it. When you connect it with MOD_REWRITE in htaccess you can get url like:
<a href="Process,Some title of yourpage,í,eHGxC•z»#”“§``"> to make it more "pretty" you can use base64 on this string.
or with base64, mcrypt and mod_rewrite
<a href="Process,SWRlYW">
to decrypt string you should use base64_decode(), mcrypt_decrypt()
You can use base64 for this (if security is really a big concern). Before passing it to the URL,
you can encode it first and then in the receiving end, you can decode it.
Check this URL : http://www.webtoolkit.info/javascript-base64.html
EDIT:
Please ignore the line above in the bracket.
Based on the comments below, base64 is really not responsible for security. Better approach is to use a server sided language to encrypt/decrypt values. Using base64 through javascript is not a good idea. Thanks Bobby.
I have various links in my website that point to a specific form.
Whenever someone fills out the form, I want to be able to know what link led them to the form.
I want to do this without having to create an individual line of PHP code for every link I create in the. Instead, I want to have some PHP code that picks up something from that link, and maybe inserts it into a hidden text box that gets its value or text from something that I tag in the link.
For example:
User clicks a link.
That link directs them to a form.
The link carries an identification that activates PHP code
When I recieve the form, I know what link was clicked to get to that form.
I want it to work with links in emails I send out as well.
Based on the information in your post, it sounds like you just want to send a token/ id.
Goto Form
Now on the form you can grab the token:
$token = $_GET['token']; // use proper testing first
Then use a switch or if statements to run whichever code you need.
<input type="hidden" value="<?php echo $token; ?>">
Additional:
As the //use proper testing first comment indicates, you should make sure the token being passed is valid and sanitized in case of attack. One option is to have tokens stored in a database when generated and then compared when validating. Also look into htmlspecialchars() and even strip_tags() for sanitizing.
If the token fails to validate, you should not output and should even have a warning message/redirect that there was an error.
You can use HTTP Referer to achieve this. In PHP, you can use
$referer = $_SERVER['HTTP_REFERER']
Use this for example :
if (isset($_SERVER['HTTP_REFERER']))
{
$ref = $_SERVER['HTTP_REFERER'];
}
then in your form something like:
<input type="hidden" value="<?php echo htmlspecialchars($ref, ENT_QUOTES); ?>" name="ref" />
so what I would like to do is have a link on an external website (example: externalsite.com) that will go to mywebsite.com/page.php, and I need to make it so ONLY clicking on the link from externalsite.com will allow you to access mywebsite.com/page.php.
The user cannot simply type it in their browser to get there, how would I go about doing this?
There's not a way to do this in a 100% secure manner. The browser typically sends a Referrer header with each request specifying where the use came from, but this is easily faked.
If possible, I would suggest having the externalsite.com issue a request to an authenticated web service on mywebsite.com for a token which is appended to the link with a reasonably short expiry time (long enough to allow the user to click on the link, but not so long that it can be shared around). Then, when the page on mywebsite.com loads, it should check for a valid token.
Given that no method is 100% secure, I'll show you a very easy, overtly insecure method that will work in any framework because it's pure JavaScript. Keep in mind that this is designed to work only as a general rule and is in no way "hacker proof".
Simply add this script to your mywebsite.com/page.php. It will redirect any request that isn't referred by a page on externalside.com.
var referrer = document.referrer;
referrer = referrer.toLowerCase();
if (referrer.indexOf("/externalsite.com") == -1) && referrer.indexOf(".externalsite.com") == -1) {
window.location.href = "http://mysite.com/accessdenied.php"
} else {
document.findElementById("myBody").style.display = "block";
}
To get around the whole "if you disable JavaScript, this doesn't work, you idiot" dilemma, add id="myBody" style="display: none;" to your page's <body> tag: the page will not be displayed unless JavaScript is enabled and validates the referring URL. Also, I'm not an idiot.
There are several ways to bypass this method: spoof the referring url, use FireBug to remove display: none, view the source of the page and recreate it on your local machine, etc. This method is more of a deterrent than a security feature.
You really can't make it 100% secure, and (probably) definitely not with a link (unless you use JavaScript to submit the form with a link in method 1 below). But there are some ways that might work for you.
Method 1
You could submit a form to the page with a button (and thats it - just the button) and then on the page, check if the correct form was submitted. But this is still not foolproof.
External site:
<form action="http://mywebsite.com/page.php" method="post">
<input type="hidden" name="pagesecuredsdjp91dx9x8yhr4kbbki" />
<input type="submit" value="Click here" />
</form>
Top of page.php:
<?php
if(!$_POST['pagesecuredsdjp91dx9x8yhr4kbbki']) {
die("Sorry, you cannot access this page.");
}
else {
//continue page
}
?>
I don't think you can just make a link do this.
Method 2
Pass a variable in the URL, but this is not recommended as the user could add it in the URL to get in.
Top of page.php:
<?php
if(!$_GET['securedpageaccess']) {
die("Sorry, you cannot access this page");
}
else {
//continue page
}
?>
External site:
Cick here
The random characters in the URL is just something put in there and isn't mandatory.
I recommend using the first method if you use either of them.
I hope this helps.
I've dealt with a system before that provides a link for the partner site, this link is used to generates a new temporary link for the user to be redirected to.
the first link (not the temporary one) can only be accessed by authorized IP addresses. This means only the partner site site can use the link.
Newby here.
Could someone show me an example of the code needed to do the following:
User pushes a button on my web site (there is no information for him to input, and no form, he just clicks on a button). I have found the following code on another post, but don't know if it is correct (I am also getting a syntax error on it):
<form action="php_file.php"><input type="submit" value="Click"></form>
The author of the above code said "Insert your PHP-Code into the file php_file.php and click the button, your file will be opened. Insert header("Location: html_file.html"); at the end of your php-file to get back to the page."
This click of the button needs to instigate the programming to grab the current URL and previous URL and insert them into the mysql database on my server. I have "PHP_SELF" and "HTTP_REFERER", but still need to get the results into mysql.
I would like to do this using only html, PHP and mysql, if possible.
Thanks to everyone for any help!
if your first file happen to be a PHP one, write this HTML form there.
<form action="php_file.php" method="POST">
<input type="hidden" name="previous" value="<?=urlencode($_SERVER['REQUEST_URI'])?>">
<input type="submit" value="Click">
</form>
and then in the php_file.php
<?
$current = $_SERVER['REQUEST_URI'];
$previous = $_POST['previous'];
though both variables will contain only partial url, without host name, schema and, possible, port. it's usually enough but if you need these absent parts, you'll have to add them manually.
as for the writing info into database and particular PHP syntax rules you have to find yourself a tutorial, because this site is devoted to answering questions, not online education nor doing someone's job for free.
With PHP, you can manage it with cookie session, first thing you'll need to do is start a session and then define the space where you'll store the URL information e.g: $_SESSION["url"]
session_start();
$_SESSION["url"]=$_SERVER['REQUEST_URI'];
And whenever you want to go to that particular page, add the header:
header('location: ' .$_SESSION["url"]. '');
Current:
$currentUrl = $_SERVER["PHP_SELF"];
Previous:
$previousUrl = $_SERVER['HTTP_REFERER'];
Note that some users may have browser preferences set that keep $_SERVER['HTTP_REFERER'] from being set, so it's possible that it would come back empty.