This just a same script in different server:
The link below works. When you enter the correct characters it display success.
http://mibsolutionsllc.com/captcha_test/test.php
This link below works. Even you enter the correct characters. Display always error. The session value doesn't give function the right way.
http://www.universitywomenshealthcare.com/uwh-content/captcha_test/test.php
If it's a sessions issue, how would one go about fixing this?
Try to echo out what the answer is for the input and check your current settings when you are comparing the input vs. the captcha.
why don't you put your php code in this page? In your second page (http://www.universitywomenshealthcare.com/uwh-content/captcha_test/test.php), somehow session variable is not keeping the originally assigned captcha value. Have you put session_start() in this second page. We will be able to help you more if you can send these two php pages.
Related
I ran a pentest on my app and it should an XSS issue. Essentially, I could do a url like the following and it would give me a popup
https://test.com/index.php?id=12345'><script>alert(1)</script>
So I have implemented something which I hope resolves this issue. At the top of the page I do
$_GET['id'] = urlencode($_GET['id']);
Within the page content, I might then have a link to another page like so
Link
When I now test the page, no pop up is displayed. The pentest is also clear. However, someone else in another location is trying it and they still get the popup. I just wanted to make sure that what I have done is ok?
Additionally, when I view the link in firebug, I see the link with the script part. Should this not be displaying as sanitized within firebug?
Any information appreciated.
Thanks
I think you're looking for htmlentities
I would set it to an intermediate variable, since you're using the $_REQUEST array later instead of $_GET
$id = urlencode(htmlentities($_GET['id']));
and then later
Link
So im asking what options do I have other than redirecting GET variables when Im trying to repopulate a form?
Im thinking I can create session variable and use that also. Am I correct that these are the ONLY 2 ways?
What I have now is:
if ( count($m) > 0 ) {
// there is an error in fields filled out so we are sending user back to form.
$_SESSION["myarray"] = $m;
header("location: ./edit.php?datefield=".$datefield."&text=".$entry."&flag=".$flag);
}
but this reveals my variable to the user. I want to avoid this.
UPDATE
I re-worded my question and the code to be clearer.
I also like found that the solution for me was to use an include('edit-error.php'). Which is basically the original edit.php with everything stripped out but the code needed to generate the form, and I populated edit-error.php with the needed variables. I never had this in my tool box before so I am grateful to the user who suggested it.
One way that you can consider for hide information (not totally, but more stronger than GET) of user is create a JSON with your infos and send a POST request to your page.
Personally, I still preferring sessions, but there are other ways.
The solution I used was provided my user pala_ , so thanks pala_ I up voted your comment.
I used include('edit-error.php'). Which is basically the original edit.php with everything stripped out but the code needed to generate the form, and I populated edit-error.php's form with the needed variables. I never had this in my tool box before so I am grateful to the pala_ who suggested it.
This allows me to conduct server side validation and redisplay the form again with user input, so they can resubmit. I was using header(Location) with paramaters to submit as GET and I didnt want that. Using include() is a perfect solution for me.
Okay php newbie here, please bear with me. I am not sure if this is a redundant question but here goes. I have a reference code i want to stick to my url. example: site.com/index.php?refcode=123. That's fine right? we can put anything on there. Naturally the visitor goes to the index page. But if the visitor then clicks on other buttons that leads to other pages in my site, the parameter is gone. Like I want to track which code the visitor has when he sends me an email when he later decides to go to my contact page. How can this be done with php? or can this be done with jquery?
You would be best off saving the url variable into a session variable instead. The session variable will stick with the user so you have access to it no matter what page they go to.
$_SESSION['refcode'] = $_GET['refcode'];
Make sure to use session_start()
But if you do want to do it the way you have asked you can modify all urls on your page and add:
'?'.$_SERVER['QUERY_STRING']
This will add the query string to your url so the next page they go to would still have it. But that does seem like a lot more work.
I have a form which sends data to a proccess page. Is it possible when the code in the process page is executed for the browser to jump back to the previous page?
EDIT
The reason i want this, is because i have a set of parameters which contains checkboxes. These parameters are echoed out via a while loop. I have a table where it shows which of those parameters are active. I would like to check the checkboxes by defualt where the corresponding parameter is in the table.
|||||||||||||||||||||||||||||||| Example ||||||||||||||||||||||||||||||
PARAMETERS:
T-Shirt: checked
Distance: checked
Race: unchecked
TABLE (parameters)
• T-Shirt
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||the example above checks the box if it already exists in the parameters table. When the user clicks back after the process page, the boxes he selected is checked.
Hope i am clear enough
Regards
I think a nice solution might be to implement a front controller for your webbage, a central script to include the appropirate page. Using a system like that, the user stays on the same page all the time even when other pages are loaded.
I haven't used a front controller in quite some time, so I won't write examples due to potential errors and poor coding. You can probably find some examples using google though, I wouldn't be surprised if the subject has been brought up here on Stackoverflow before either.
Even though I'll have to point out Griffin's solution is the best, if you're dead set on a redirect, simply have your PHP script execute the following lines:
echo '<script>document.history.go(-1);</script>';
die();
Or even
die('<script>document.history.go(-1);</script>');
It's a dirty solution, so I must advise against it.
Is it possible to use a variable from one page in a piece of code on another? e.g. submit a form on one page and on the second page use a PHP script to add the data from the form to a MySQL table
Thanks for all the help
Your best bet would be to use PHP's session functions. That way if the user navigates away from your page and then comes back, the session variables will still be there (provided the session hasn't expired). You can get more information here -- PHP Sessions. Basically all you have to do is call
session_start();
at the top of each php page (before anything is outputted to the browser) where you want to have access to the session variables. You can then set/retrieve a variable using
// set
$_SESSION['varname'] = "something";
// retrieve
$somevar = $_SESSION['varname'];
This is what the GET and POST 'super' globals are for.
http://www.tizag.com/phpT/postget.php
The script that generates the form does not have to be the script the processes the form. all it takes is for the FORM tag to point to the correct script. The only caveat is that whatever page you submit the form data to also has to then generate some suitable output (unless you do a AJAX POST).
If you're instead asking if two page executions can handle the same POSTed data, well that is quite a different question. At a simplistic level, you can have the first include() the second so it has access to all the same data. A bit more advanced is to re-create the original POST and synthesize a POST. This will probably require some JavaScript assistance. Another approach is to use PHP's session feature and put the value aside so a later script has access to it. This relies on the user then following the correct link, however!
Use session to access your variable to the second/other page.
Example:
index.php
<?php
session_start();
$_SESSION['yourData'] = 'yourData';
?>
=========================================================================
second_page.php
<?php
echo $_SESSION['yourData'];
?>
You may try this one. Visit this link for more details. Or PHP's official website.