I have created a search form with get method. But when the url looks like this search.php?search[] or search?search[] (mod_rewrite) then I get a sql fattal error. It's passing an array and I want to avoid that problem.
my question is how do I redirect a person from that url to search.php
It sounds like you are directly passing the ?search[] query string variable into your SQL. mod_rewrite won't fix this for you... what if I decide to call your page with http://www.yoursite.com/search.php?search=;DROP TABLE users;? You simply aren't able to use mod_rewrite to predict all the bad kinds of input that a user can come up with.
Your code needs to be doing input validation and sanitization. You must assume that everything your script receives from the user is malicious and dangerous. That includes all data inside $_GET, $_POST and $_COOKIE.
The right solution here is to check that $_GET['search'] is a valid value to be passing to your SQL. Something like:
if (is_string($_GET['search']) && ! empty($_GET['search']) {
//escape the input properly using your database-specific method, e.g.:
$searchParam = mysql_real_escape_string($_GET['search']);
//run your query with the escaped data
}
At a minimum, that would ensure that your passed in search variable was not an empty string.
Related
I'm currently writing an app that accesses google bigquery via their "#google-cloud/bigquery": "^2.0.6" library. In one of my queries I have a where clause where i need to pass a list of ids. If I use UNNEST like in their example and pass an array of strings, it works fine.
https://cloud.google.com/bigquery/docs/parameterized-queries
However, I have found that UNNEST can be really slow and just want to use IN on its own and pass in a string list of ids. No matter what format of string list I send, the query returns null results. I think this is because of the way they convert parameters in order to avoid sql injection. I have to use a parameter because I, myself want to avoid SQL injection attacks on my app. If i pass just one id it works fine, but if i pass a list it blows up so I figure it has something to do with formatting, but I know my format is correct in terms of what IN would normally expect i.e. IN ('', '')
Has anyone been able to just pass a param to IN and have it work? i.e. IN (#idParam)?
We declare params like this at the beginning of the script:
DECLARE var_country_ids ARRAY<INT64> DEFAULT [1,2,3];
and use like this:
WHERE if(var_country_ids is not null,p.country_id IN UNNEST(var_country_ids),true) AND ...
as you see we let NULL and array notation as well. We don't see issues with speed.
Here is below my code of route:-
app.get('/server/lead/get/:id?', leadCtrl.get);
app.get('/server/lead/filter/:filterQuery', leadCtrl.get);
As you see above i am using different route to access same controller method leadCtrl.get.
Now, i want something like route app.get('/server/lead/get/:id?:filter?', leadCtrl.get);. So, i can get params either req.params.id or req.params.filter but only one at a time.
What you asked in the question is not possible in the form that you describe it.
Now, i want something like route
app.get('/server/lead/get/:id?:filter?', leadCtrl.get);. So, i can get
params either req.params.id or req.params.filter but only one at a
time.
Your router would have no way to differentiate those two parameters. If it got a request to /server/lead/get/X then what is X? A filter or an ID?
Your options
You have few solutions here:
You can either keep using two routes like you did before.
You can use a common parameter for both cases as Robert explained in the comments.
Or you can use what seems to me the perfect solution for your use case - named query parameters - just use a route /server/lead/get and use query parameters to pass id and the filter.
Example URLs:
/server/lead/get?id=xxx
/server/lead/get?filterQuery=xxx
You will only have to make sure in your handler that only one of those two are set at a time with something like:
if (req.query.id && req.query.filterQuery) {
// respond with error
}
You can even mix the two if you have app.get('/server/lead/get/:id?') route you can have the id in the route and filterQuery as a query parameter. Now the URLs would be:
/server/lead/get/xxx (for id)
/server/lead/get?filterQuery=xxx (for filter)
For more info see: http://expressjs.com/en/api.html#req.query
Better way
If you follow some REST conventions then you can use:
app.get('/server/lead/:id') for one object with id (not optional)
app.get('/server/lead') for a list of objects (with optional filterQuery passed as a query parameter)
That way you would always know that when you access:
/server/lead/xxx - then it's one object with ID = xxx
/server/lead - then it's a list of any objects
/server/lead?filterQuery=xxx - then it's a list of objects that match the query
If you follow the REST conventions for things like this instead of inventing your own, it would be much easier for you to design the routes and handlers, and it would be much easier for other people to use your system.
You may also want to use plural /server/leads instead of /server/lead which is common with REST. That way it will be more obvious that leads is a list and leads/id is one of its elements.
For more info see:
https://en.wikipedia.org/wiki/Representational_state_transfer
http://www.restapitutorial.com/lessons/whatisrest.html
https://spring.io/understanding/REST
You have to realize that the following two routes match exactly the same:
app.get('/server/lead/get/:id?', leadCtrl.get);
app.get('/server/lead/get/:filter?', leadCtrl.get);
Express doesn't care about how you name the placeholders, so any requests for /server/lead/get/SOMEVALUE will always match the first (the one with :id).
You can add a distinction yourself, by only allowing a parameter to match a particular regular expression. From your code, it looks like :id should match MongoDB ObjectId's, so you can create a specific match for those:
app.get('/server/lead/get/:id([a-fA-F0-9]{24})?', leadCtrl.get);
If SOMEVALUE matches an ObjectId, it will call leadCtrl.get and populate req.params.id. If you also add another router for "the rest", you can also cover the req.params.filter case:
app.get('/server/lead/get/:filter?', leadCtrl.get);
As an aside: you're saying that you're passing JSON to the "filter" routes, in the URL. I would strongly suggest using a POST route for that, and post the JSON as request body content.
I'm writing a REST api in node js that will execute a sql query and send the results;
in the request I need to send the WHERE conditions; ex:
GET 127.0.0.1:5007/users //gets the list of users
GET 127.0.0.1:5007/users
id = 1 //gets the user with id 1
Right now the conditions are passed from the client to the rest api in the request's headers.
In the API I'm using sequelize, an ORM that needs to receive WHERE conditions in a particular form (an object); ex: having the condition:
(x=1 AND (y=2 OR z=3)) OR (x=3 AND y=1)
this needs to be formatted as a nested object:
-- x=1
-- AND -| -- y=2
| -- OR ----|
| -- z=3
-- OR -|
|
| -- x=3
-- AND -|
-- y=1
so the object would be:
Sequelize.or (
Sequelize.and (
{x=1},
Sequelize.or(
{y=2},
{z=3}
)
),
Sequelize.and (
{x=3},
{y=1}
)
)
Now I'm trying to pass a simple string (like "(x=1 AND (y=2 OR z=3)) OR (x=3 AND y=1)"), but then I will need a function on the server that can convert the string in the needed object (this method in my opinion has the advantage that the developer writing the client, can pass the where conditions in a simple way, like using sql, and this method is also indipendent from the used ORM, with no need to change the client if we need to change the server or use a different ORM);
The function to read and convert the conditions' string into an object is giving me headache (I'm trying to write one without success, so if you have some examples about how to do something like this...)
What I would like to get is a route capable of executing almost any kind of sql query and give the results:
now I have a different route for everything:
127.0.0.1:5007/users //to get all users
127.0.0.1:5007/users/1 //to get a single user
127.0.0.1:5007/lastusers //to get user registered in the last month
and so on for the other tables i need to query (one route for every kind of request I need in the client);
instead I would like to have only one route, something like:
127.0.0.1:5007/request
(when calling this route I will pass the table name and the conditions' string)
Do you think this solution would be a good solution or you generally use other ways to handle this kind of things?
Do you have any idea on how to write a function to convert the conditions' string into the desired object?
Any suggestion would be appreciated ;)
I would strongly advise you not to expose any part of your database model to your clients. Doing so means you can't change anything you expose without the risk of breaking the clients. One suggestion as far as what you've supplied is that you can and should use query parameters to cut down on the number of endpoints you've got.
GET /users //to get all users
GET /users?registeredInPastDays=30 //to get user registered in the last month
GET /users/1 //to get a single user
Obviously "registeredInPastDays" should be renamed to something less clumsy .. it's just an example.
As far as the conditions string, there ought to be plenty of parsers available online. The grammar looks very straightforward.
IMHO the main disadvantage of your solution is that you are creating just another API for quering data. Why create sthm from scratch if it is already created? You should use existing mature query API and focus on your business logic rather then inventing sthm new.
For example, you can take query syntax from Odata. Many people have been developing that standard for a long time. They have already considered different use cases and obstacles for query API.
Resources are located with a URI. You can use or mix three ways to address them:
Hierarchically with a sequence of path segments:
/users/john/posts/4711
Non hierarchically with query parameters:
/users/john/posts?minVotes=10&minViews=1000&tags=java
With matrix parameters which affect only one path segment:
/users;country=ukraine/posts
This is normally sufficient enough but it has limitations like the maximum length. In your case a problem is that you can't easily describe and and or conjunctions with query parameters. But you can use a custom or standard query syntax. For instance if you want to find all cars or vehicles from Ford except the Capri with a price between $10000 and $20000 Google uses the search parameter
q=cars+OR+vehicles+%22ford%22+-capri+%2410000..%2420000
(the %22 is a escaped ", the %24 a escaped $).
If this does not work for your case and you want to pass data outside of the URI the format is just a matter of your taste. Adding a custom header like X-Filter may be a valid approach. I would tend to use a POST. Although you just want to query data this is still RESTful if you treat your request as the creation of a search result resource:
POST /search HTTP/1.1
your query-data
Your server should return the newly created resource in the Location header:
HTTP/1.1 201 Created
Location: /search/3
The result can still be cached and you can bookmark it or send the link. The downside is that you need an additional POST.
I am using the add_rewrite_rule() function to modify my URL structure.
I'm wanting to use add_rewrite_rule to add a custom rule but these rules only get added in when other than default settings are selected in my permalink settings area.
i.e. in the settings there are following options:
- Default http://localhost/wordpress/?p=123
- Day and name http://localhost/wordpress/2014/08/14/sample-post/
- Month and name http://localhost/wordpress/2014/08/sample-post/
- Numeric http://localhost/wordpress/archives/123
- Post name http://localhost/wordpress/sample-post/
- Custom Structure http://localhost/wordpress
So, when I select other then 'Default', my add_rewrite_rule() function works, but while selecting 'Default', the function doesn't seem to be work. So please suggest me how to work the function in any condition. Any help would be Appriciated.
Update:
I think the problem lies here:
When I use this, while selecting 'Default':
get_option('permalink_structure');
I got nothing.
While in the other cases, there are some values like:
/%postname%/
/archives/%post_id%
/%year%/%monthnum%/%postname%/
The Default permalinks, or so called "Ugly" permalinks, are not adding anything to the .htaccess file, so the Apache rewrite engine is not enabled. Without the rewrite engine, no rewrites can be done. So the short answer is that rewrites are not possible with Default permalinks.
I can recommend you to use rewrites along with query vars. When adding a rewrite rule, pass your custom data to a query var, and build the functionality around that query var. This way your functionality will work in all situations and with all permalink types.
So for example if you have the following rule:
add_rewrite_rule('^sometest/([^/]*)/?','index.php?custom_query_var=$matches[1]', 'top');
and you have the custom_query_var added as a query var by using the following code:
function add_query_vars_filter( $vars ){
$vars[] = "custom_query_var";
return $vars;
}
add_filter( 'query_vars', 'add_query_vars_filter' );
then when Default permalinks are selected, the following URL would work for you:
http://yoursite.com/index.php?custom_query_var=abc
and if "Pretty" permalinks are selected, the URL rewriting would work and your URL would look the following way:
http://yoursite.com/sometest/abc/
which is basically the best that can be achieved with rewrites.
I agree with #Martin. Here's a resource that will help https://core.trac.wordpress.org/ticket/15235
use this:
function my_add_query_vars( $qvars ) {
$qvars[] = 'business-coaching';
$qvars[] = 'country';
$qvars[] = 'territory';
$qvars[] = 'region';
return $qvars;
}
add_action('query_vars', 'my_add_query_vars');
//Write the rule
function add_analytic_rewrite_rule()
{
// Regex:The regex to match the incoming URL is:business-coaching(/([^/]+))?(/([^/]+))?(/([^/]+))?/?
// Redirect Rule :The resulting internal URL: `index.php` because we still use WordPress
// `pagename` or page_id=45 because we use this WordPress page
// `country` : we will assign the first captured regex part to this variable
// `territory` we will assign the second captured regex part to this variable
// `region` we will assign the third captured regex part to this variable
add_rewrite_rule('business-coaching(/([^/]+))?(/([^/]+))?(/([^/]+))?/?','index.php?page_id=45&country=$matches[2]&territory=$matches[`enter code `enter code here`here`4]®ion=$matches[6]','top');//superfinal
}
add_action('init', 'add_analytic_rewrite_rule');
I need to redirect the URLs like this http://mysite.com/store/store-name to http://mysite.com/stores/products/store-id. Note that i need to get the store id from the database. So is it possible to do db operations in routes.php?
And in documentation the syntax is give as $route['store/:any']. How to get the value of second parameter here which is mentioned as :any.
There's not really any good nor simple way of running database queries through the routes. You can however have in the beginning of the controller function a validation.
I asume your store-name is some sort of slug for the product? Basicly you can validate if value is numeric or not, and if not find by slug and then redirect.
config/routes.php
$route["store/(.*)"] = 'stores/products/$1';
/* () and $1 together passes the values */
controllers/stores.php
/* Class etc. */
function products($mix) {
if (is_numeric($mix))
$int_id = $mix;
else {
$row = $this->get_where('products', array('slug' => $mix))->row();
$this->load->helper('url');
redirect("stores/products/{$row->id}");
}
/* Do stuff with the $int_id */
}
This asumes that you have:
A table named products
A column named id that's your products id
A column named slug that that's based on your store-name
I may be a little late to the party, but I may have an alternative suggestion.
I use the following for my routes:
http://mysite.com/store/1/store-name
Reason being... Based on your method, if you create
http://mysite.com/store/store-name
but then after a period of time (of which no doubt Google has indexed your page) you decide for what ever reason you have to change the name of the store to "Wonderful store name", you would naturally change your link to
http://mysite.com/store/wonderful-store-name
Which kills your SEO and any index links.
My solution of using http://mysite.com/store/1/store-name means that you can change store-name to anything you want, but it will always reference 1 meaning the user will still see the related page.
Anything is possible with CodeIgniter routes. Its all in the way you code it. Routing in CI is really flexible. You can use regular expressions besides the standard CI wildcards (:any)(:num). You can even add prefixes or suffixes to the path variables if you have to like:
$route['store/(:any)'] = "redircontroller/redirfunction/$1";
// for instance the namelookup method of the mystores controller
$route['stores/products/(:any)'] = "mystores/namelookup/$1";
You get the second parameter(and third and so on) by defining the variables in your route value which get passed to the controller method you define. If 'products' in you new url is also a variant you should start your wildcard expression there instead. You could also pull parameters out of the url using the URI class ($this->uri->segment(n)).
You don't, however, do database operations in routes.php. You do your database operations in the controller where you route to. My guess is that you'll have to match the store id using whatever is used in the url in a query.
In any case the path that you are using the routes file for is the path the user will see. To do the redirect you have to accept the original path and then redirect the user to the new path like so:
// in some controller that's attached to the original url
public function redirfunct($var){
$this->load->helper('url');
redirect(base_url('stores/products/' . $var));
}
I hope this helps you.
Yes that is easy, you only need to show the ID instead of the name,
you must be doing like storeName> Click to view details
Make it as
storeId> Click to view details
and when you are passing the parameter to the database, change the check of mysql, change it to id instead of name , that can be some like
" select yourRequiredColumn from table_name where id=".parameter."
Thanks