refer to Validate a URL, without requiring it, using a Regular Expression in Flutter
I understand how to validate url, but sometimes user will just input the short web link like: youtube.com. in this case how to validate in still safe validation rules?
I tried: bool validURL = Uri.parse("https://google.com/").host == '' ? false : true; but still does not work
Related
Here is my script:-
if (!isset($request->security_token))
{
// Provide security token
$error = TRUE;
$err_message[] = Lang::get('caption_validation_error.ser_valid_security_token.value');
$err_validation[] = Lang::get('caption_validation_error.ser_valid_security_token.value').' [security_token]';
}
It means, if a param is not "sent", then the validation will be triggered. However, if a param with "blank" value is sent, it must not trigger the validation.
However, when I am hitting the api through POSTMAN app, the security_token with blank value enters the !isset validation.
What am I doing wrong?
This is not that obvious why it's like this because it seems quite strange at first glance. However if you know a bit more about Laravel and you look at app/Http/Kernel.php file you will see in there:
\Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
which as you can find out from name converts empty strings to null. So in your case when you are sending empty parameter it's considered as null so !isset($null) will be true.
So you have 2 options:
remove this middleware from array - however it will affect the whole application so it might not be the best way if you are not sure about it
Assuming you want to trigger this validation only if parameter is not sent at all instead of
if (!isset($request->security_token))
you can use for example
if (!$request->has('security_token'))
Obviously it's not exactly the same - if you now sent this token and set it to null it won't be still executed but I believe when you now know what's happening with this empty string you can now adjust it exactly to your needs.
in laravel i want to check simple url such as :
http://www.google.com
http://google.com
www.google.com
http://www.google.com
http://www.google
unfortunately laravel validation code as
['redirect_url' => 'required|url']
return false for this urls:
www.google.com
and return true for http://www.google address, how to check correctly urls in laravel, this validation is not best validation for urls
You can use regex validation rule for URL validation
['redirect_url' => ['required','regex:/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&##\/%?=~_|!:,.;]*[-a-z0-9+&##\/%=~_|]/i']]
Before validation check if string contains http:// or https:// with this code:
if(!(starts_with($url, "http://") || starts_with($url, "https://")) {
$url = "http://".$url;
}
Function starts_with() is helper function from Laravel. docs
The regex solution that Jay Dhameliya provided is probably the best one for your scenario but I just thought I would explain why the url validator doesn't work as you expected.
If you look at the illuminate/validation/Validator validateURL function it is expecting a the following to be specified as part of the URL.
protocol ( http/https/etc )
optional basic auth
a domain or ip address
optional port
a trailing / or nothing or / followed by something else
There doesn't seem to be any alternatives provided for this validator method or ways to say don't require the protocol. So once again a custom regex seems the best option. If you are planning on using it in more than one place you might want to consider creating your own Custom Validation Rule see the docs for details.
I want to send email value in parameters in ajax. I am using following code it is working properly, but I want to make it secure. no user can check or pass invalid value from calling this action in query string or in any other way. How can I make it secure?
$.ajax({
url: '/Application/UserInfo/',
type: 'POST',
data:{email:emailid},
success: function (result) {
var json = eval(result);
}
});
If you dont want anyone to be able to see the value of the email parameter, you should consider using HTTPS.
But for passing invalid values, you should do some validation server side where this value is used
It may help if you are doing it with two steps at all:
First you can check the email having the right format with a regular expression:
/^\w[\w|\.\-\_]+#\w[\w\.\-äöüÄÖÜ]+\.[a-zA-Z]{2,18}$/.test(email);
Then you may crypt the mail and then you can send it safely.
I am using blowfish. On page loading I generate a key that is set to the javascript of my page. Both, javascript and php have a blowfish controler that can crypt and decrypt any value. I am crypting the value on javascript and send it to the server.
There I decrypt it and check it again with regular expression. The key is not sent to server again, its stored somewhere in the session or so.
To take care that the email is correct you can check whether the domain is reachable through curl or so, but I prefer sending a confirmation mail to the adress and wait for an accept with a generated unique token.
If you just want to get sure of a user signed in with google plus account you may get use of the google plus api and check if the user is logged in. If not you don't accept it.
We have an existing Django form that accepts GET requests to allow users to bookmark their resulting query parameters. The form contains many fields, most of which are required. The form uses semi-standard boilerplate for handling the request, substituting GET for POST:
if request.method == 'GET':
form = myForm(request.GET)
if form.isValid()
# Gather fields together into query.
else
form = myForm()
The problem is that the first time the form is loaded, there's nothing in the GET request to populate the required fields with, so most of the form lights up with 'missing field' errors.
Setting initial values doesn't work; apparently, the non-existent values in the GET request override them.
How can we avoid this? I'm pretty certain we're simply not processing things correctly, but I can't find an example of a form that handles GET requests. We want errors to show up if the user hits the "Submit" button while fields are blank or otherwise invalid, but don't want these errors showing up when the form is initially displayed.
The positional argument to the forms.Form subclass informs Django that you intend to process a form rather than just display a blank/default form. Your if request.method == 'GET' isn't making the distinction that you want because regular old web requests by typing a URL in a web browser or clicking a link are also GET requests, so request.method is equal to GET either way.
You need some differentiating mechanism such that you can tell the difference between a form display and a form process.
Ideas:
If your processing is done via. AJAX, you could use if request.is_ajax() as your conditional.
Alternatively, you could include a GET token that signifies that the request is processing. Under this example, first you'd need something in your form:
<input type="hidden" name="action" value="process_form" />
And then you can look for that value in your view:
if 'action' in request.GET and request.GET['action'] == 'process_form':
form = myForm(request.GET)
if form.is_valid():
# form processing code
else:
form = myForm()
I'll also give you the standard, boilerplate point that it's generally preferable not to use GET for form processing if you can help it (precisely because you run into difficulties like this since you're using an anomalous pattern), but if you have a use case where you really need it, then you really need it. You know your needs better than I do. :-)
If your clean page load doesn't have any non form GET params, you can differentiate between a clean page load and a form submit in your view. Instead of the usual
form = YourForm()
if request.POST:
you can do
if request.GET.items():
form = YourForm(request.GET)
if form.is_valid():
...
else:
form = YourForm()
If your clean page load could have other params (eg email link tracking params) you'll need to use the QueryDict methods to test if any of your form params are in the request.
request.GET is and empty dictionary when you first load a clean form. Once you have submitted the form, request.GET will be populated with your fields data, even if the fields contain only empty data.
My first question is this, which I posted as comment:
Why not just use request.POST and the standard way of processing form data?
After considering everything here, perhaps what you are looking for is a way of processing data in your query string to populate a form. You can do that without using request.GET as your form.data.
In my own views, I take advantage of a utility function I created to add initial data to the form from request.GET, but I am not going to share that function here. Here's the signature, though. initial_dict is typically request.GET. model_forms is either a single ModelForm or a list of ModelForm.
def process_initial_data(model_forms, initial_dict):
Nevertheless, I am able to process the form through the standard practice of using request.POST when the form is POSTed. And I don't have to pass around all kinds of information in the URL query string or modify it with JavaScript as the user enters information.
I am using Ajax for processing with JQUERY. The Data_string is sent to my process.php page, where it is saved.
Issue: right now anyone can directly type example.com/process.php to access my process page, or type example.com/process.php/var1=foo1&var2=foo2 to emulate a form submission. How do I prevent this from happening?
Also, in the Ajax code I specified POST. What is the difference here between POST and GET?
First of all submit your AJAX form via POST and on a server side make sure that request come within same domain and is called via AJAX.
I have couple of functions in my library for this task
function valid_referer()
{
if(isset($_SERVER['HTTP_REFERER']))
return parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) == $_SERVER['SERVER_NAME'];
else
return false;
}
function is_ajax()
{
$key = 'HTTP_X_REQUESTED_WITH';
return isset($_SERVER[$key]) && strtolower($_SERVER[$key]) == 'xmlhttprequest';
}
You might read this post regarding difference between post and get
While as Jason LeBrun says it is pretty much impossible to prevent people simulating a form submission, you can at least stop the casual attempts to. Along with implementing Nazariy's suggestions (which are both easy to get round if you really want to), you could also generate some unique value on the server side (i'll call it a token), which gets inserted into the same page as your Ajax. The Ajax would would then pass this token in with your other arguments to the process.php page whereupon you can check this token is valid.
UPDATE
see this question with regards to the token
anti-CSRF token and Javascript
You can not prevent people from manually emulating the submission of form data on your website. You can make it arbitrarily more difficult, but you won't be able to prevent it completely.