i dont know how hidden password on url
i got problem like this http://127.0.0.1:8000/bulletin/%201/edit?passwordC=11111&page=1
My View
<form>
<div class="form-row" style="specified-width:200; position: absolute; bottom:0; margin-bottom:10">
<input style="width:150px" type="password" placeholder="Password" name="passwordC">
<input type="hidden" value="{{$buletin->currentPage()}}" name="page">
<button style="margin:0 5px" formAction="/bulletin/ {{ $tampil_B->id }}/deleteOper" type="submit" class="btn btn-danger">Delete</button>
<button formAction='(url(edit))' type="submit" class="btn btn-primary">Edit</button>
</div>
</form>
My Router
route::get('/bulletin/{id}/edit','BulletinController#edit');
my controller
public function edit (Request $request, $id)
{
$buletin = \App\Dashboard::find($id);
$url = "/?page={$request->page}";
if(is_null($buletin->password)){
$request->session()->flash('failed', 'Cant Edit Because this post not had been set password ');
return view('bulletin.edit_nopass', ['buletin' => $buletin,'url'=> $url]);
}
if (hash::check($request->passwordC,$buletin->password)){
return view ('bulletin.edit', ['buletin' => $buletin, 'url'=> $url]);//save and go back to card
} else {
$request->validate([
'passwordC' => 'required|required_with:password|same:password'
],[
'passwordC.required_with' => "Password not match",
'passwordC.required' => "Password Required",
'passwordC.same' => "The Password You Entered Do Not Match.Please Try Again"
]);
}
The issue is a byproduct of how you have written this solution. To remove the password from the URL, you will have to find a different mechanism to get to the edit page.
As it currently stands, you are doing a GET request to the edit page from the form, and because it is a GET request, the form parameters are sent in the URL.
From the edit controller method you are then returning a view, so the URL is never re-written.
That is why you have this problem, as to how you could solve this, there are many options; you could post to an endpoint that stores the approval in a session that you then check in middleware, or in the controller, and then return the view. You could use the reconfirm password middleware from Laravel. Or even a POST-REDIRECT-GET pattern, where you post the form and then redirect to the edit page from there with whatever you need to do to protect the edit endpoint.
There are many options, but its impossible to tell you how to solve this problem given that you need to rethink how you will solve it.
First of all it is not correct to send with GET .But if it is very vital you have two way:
1.use encrypt .but it is not safe too.because there is even online sites that can decrypte .
2.use Hash:make . Hashing is an unilateral.It means that you can not dehash it
Related
I have a user controller with an agentexport function, which is supposed to download an excell spreadsheet. Below is the function:
function agentexport($agentName) {
if($this->isAdmin() == TRUE) {
$this->loadThis();
}
else {
$this->excel->setActiveSheetIndex(0);
// Gets all the data using agent name
$data = $this->excel_model->getdatabyname($agentname);
//print_r($data);
//die;
$this->excel->stream('crosstown.xls', $data);
}
}
In my views I am trying to execute the above function with the following button:
<a class="btn btn-sm btn-info" href="<?php echo base_url().'agentexport/'.$record->agentName; ?>" title="Download Sheet><i class="fa fa-pencil"></i>Download Sheet</a>
The above button is meant to download the spreadsheet right away.
The url is defined in my routes as :
$route['agentexport'] = "user/agentexport";
Did I define my route the right way ? When I click on the route I get the following url
http://www.XXXXX.com/John%20Grisham.
As you can see, the name is appended at the end of the url but the page shows a 404. What am I doing wrong ?
Personal opinion here, but I don't think there's any strong reason to use a route. If nothing else, the following will be a good experiment to see if the $route definition is the problem.
Delete the $route you have been using for 'agentexport'.
Change the link to
<a class="btn btn-sm btn-info" href="<?= base_url('user/agentexport/'.$record->agentName); ?>" title="Download Sheet"><i class="fa fa-pencil"></i>Download Sheet</a>
To test that the link works and is passing the value, use the following version of agentexport
public function agentexport($agentName)
{
echo $agentName;
//or alternately
//var_dump($agentName);
}
It is assumed that you verified $agentName is a usable value before you used it in the link. If the above shows you a value, then you know the $route was the problem.
You can experiment to find a $route, but $route['agentexport/(:any)'] = 'user/agentexport/$1'; should work. If you're going to switch back to using a route don't forget to revert the link code. I'd write it like this, where the URI is passed as an argument to base_url.
<a class="btn btn-sm btn-info" href="<?= base_url('agentexport/'.$record->agentName); ?>" title="Download Sheet"><i class="fa fa-pencil"></i>Download Sheet</a>
If you find a route that works - and using a route is what you really, really want - then restore the code in agentexport to what you actually need. But again, I don't see any strong reason to obfuscate the link's URL.
If, from the view, you're pointing to /controller_name/method/agent_name (which is basically what you're doing after the route "translation", all you need to do is pick the agent name from the URI using the URL helper (remember to load it beforehand)
$user_id = $this->uri->segment(3);
The above will take whatever is in the third segment of the URI (agent_name in my example) and assign it to the $user_id variable.
Remember that whatever is possible to be manipulated by the user cannot be trusted, so you need to sanitize $user_id and make sure that the user requesting the file is allowed to access it
I have a Laravel app, and the password reset feature is needed. How can I flash a session message after the email is sent to the user or after clicking the submit button?
I can't seem to add a flash method to the function that returns the view of the reset password page, because the file is in the vendor folder.
After an hour of tracing of what function will be triggered after the submission of the password reset form, I have found out that:
After submission of the password reset form, the function sendResetLinkEmail will be triggered, can be found in SendsPasswordResetEmails.php.
Then in line 37
return $response == Password::RESET_LINK_SENT
? $this->sendResetLinkResponse($response)
: $this->sendResetLinkFailedResponse($request, $response);
The sendResetLinkResponse function is the one responsible for what happens if the email is sent successfully.
protected function sendResetLinkResponse($response)
{
return back()->with('status', trans($response));
}
By default, laravel auth:make doesn't display the 'status' variable in the front end or the reset password page.
I have to add these lines of code to the reset password template.
#if(session()->has('status'))
<div class="alert-container">
<div class="alert alert-success">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button>
{{ Session::get('status') }}
</div>
</div>
#endif
From the docs:
Sometimes you may wish to store items in the session only for the next request. You may do so using the flash method. Data stored in the session using this method will only be available during the subsequent HTTP request, and then will be deleted. Flash data is primarily useful for short-lived status messages:
$request->session()->flash('status', 'Task was successful!');
In account form fields or user registration page form fields for First name and Last name, when i place the following JS code :
<script>alert("Here")</script>
It is saved and is run on page load. This is very strange, because i checked the template files and values are escaped as below:
<?php echo $this->escapeHtml($this->getObject()->getFirstname()) ?>
I have also confirmed if i am in correct template file by changing the label of field.
I have read the following questions and tried to used them but did not worked for me.
https://magento.stackexchange.com/questions/569/how-to-escape-output-data
https://magento.stackexchange.com/questions/8179/is-there-a-generic-way-i-can-apply-input-filtering-to-magento-form-processing
Regarding to the observer method, it works, but when i try to login to magento admin, i cant, but when iremove the observer, i can login again.
Check the two attached screenshots.
Kindly help me with this issue.
Thank you
I have created an observer. For login forms at admin and front end (and may be some other forms), the form fields for user name and password are in array format like below:
<input type="text" id="username" name="login[username]" value="" class="required-entry input-text">
<input type="password" id="login" name="login[password]" class="required-entry input-text" value="">
TO fix this issue, i have modified the code in observer as below:
public function sanitizeParams($observer)
{
if(!Mage::app()->getStore()->isAdmin())
{
$post = Mage::app()->getRequest()->getParams();
foreach($post as $pkey => $pvalue)
{
if(is_array($post[$pkey]))
{
foreach($post[$pkey] as $key => $value)
{
$post[$pkey][$key] = filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
}
}
else
{
$post[$pkey] = filter_var($pvalue, FILTER_SANITIZE_SPECIAL_CHARS);
}
}
$_POST = $post;
}
}
And it fixed my problem, and is working fine now.
Thanks.
I have a simple form in my tmpl/default.php:
<form id='AddForm' action="<?php echo JRoute::_('index.php?option=com_mycomponent&task=addcam'); ?>" >
<p>
<label for="CamName">Name:
</label>
<input type="text" id="CamName" name="cam_name" />
</p>
<button type='submit' class='submit_cam' name='addcam' value='Add'>Add</button>
<button type='reset' class='cancel_changes' name='cancel_changes' value='Cancel'>Cancel</button>
</form>
In my controller.php file I'm trying to process the values:
function addcam()
{
$add_name=JRequest::getString('cam_name');
$model = &$this->getModel();
$model->AddWebcam($add_name); //send to model to add to DB
}
In my model I just return the result of the query. With this implementation I just get routed to an empty page. I'd like to have it refresh the current page. Typically you do this with action="" but in my case I need it to route to the function called addcam in the controller. Or is there a better way to do this?
A common technique in Joomla when directing to the task is to have that function do a full redirect to a view at the end. This prevents a page refresh from trying to resubmit the data and leads to a cleaner url for the client. To do this, try the following:
function addcam()
{
$add_name=JRequest::getString('cam_name');
$model = &$this->getModel();
$model->AddWebcam($add_name); //send to model to add to DB
JFactory::getApplication()->redirect(JRoute::_(index.php?option=com_mycomponent&view=whatever));
}
Obviously, update the JRoute bit to the url you actually need. You can also include a message if you would like (like "Saved!"): http://docs.joomla.org/JApplication::redirect/1.6
I created a confirmation page for deleting an item. This works perfectly.
Now I want to appear the confirmation page in fancybox, still passing all the variables and delete the data or close the dialog.
It's important that the process still works as it does now (delete->confirmationpage->redirect/deletion) so that users with javascript disabled can perform these actions without a problem.
Now have I been reading about zend framework,ajax, json and more, but the more I read, the less I understand.
So in a nutshell, my question:
I want to pass a variable to the fancybox and if 'yes' perform the delete action or on 'no' close the dialog. This within the zend framework and jquery.
Any advice or tips are greatly appreciated!
You need to use content switching in your ajax which will then render your action appropriately, for example:
function confirmDeleteAction() {
if($this->_request->isXmlHttpRequest()) {
//This is ajax so we want to disable the layout
$this->_helper->layout->disableLayout();
//Think about whether you want to use a different view here using: viewRenderer('yourview')
}
//The normal code can go here
}
function deleteAction() {
//You probably don't want to show anything here, just do the delete logic and redirect therefore you don't need to worry where it's coming from
}
And in your fancybox, have a view that has a form and two buttons, the form should point to your delete action with the id of whatever your deleting as a get param. Set some javascript up that says something like (and this is mootools code, but you can convert it easily):
$('confirmButton').addEvent('click', function(e) {
e.preventDefault();
this.getParent('form').submit();
}
$('cancelButton').addEvent('click', function(e) {
e.preventDefault();
$('fancyBox').destroy(); //I'm not sure it has an id of fancyBox, never used it
}
Came across the question today and figured I could give it a fresh look. For Zend Framework the solution is really simple:
This is how the action looks:
public function deleteAction()
{
$this->_helper->layout()->disableLayout();
$this->view->news = $this->newsService->GetNews($this->_getParam('id'));
if($this->getRequest()->isPost())
{
if($this->getRequest()->getPost('delete') == 'Yes')
{
$this->newsService->DeleteNews($this->_getParam('id'), $this->view->user->username, $this->view->translate('deleted: ').'<strong>'.$this->view->pages[0]['title'].'</strong>');
$this->_helper->flashMessenger(array('message' => $this->view->translate('The page is deleted'), 'status' => 'success'));
$this->_helper->redirectToIndex();
}
elseif($this->getRequest()->getPost('delete') == 'No')
{
$this->_helper->flashMessenger(array('message' => $this->view->translate('The page is <u>not</u> deleted'), 'status' => 'notice'));
$this->_helper->redirectToIndex();
}
}
}
The delete.phtml
<div>
<h2><?php echo $this->translate('Delete news'); ?></h2>
<?php
foreach($this->news as $news)
{
?>
<p>
<?php echo $this->translate('You are now deleting <strong>\'').$news['title'].$this->translate('\'</strong>. Are you sure about this?'); ?>
</p>
<p>
<?php echo $this->translate('<strong>Note! </strong>This action is inreversable, even for us!'); ?>
</p>
<form action="<?php echo $this->baseUrl(false).'/news/index/delete/'.$news['id']; ?>" method="post">
<?php
}
?>
<input class="submit deleteYes" type="submit" name="delete" value="<?php echo $this->translate('Yes'); ?>" />
<input class="submit deleteNo" type="submit" name="delete" value="<?php echo $this->translate('No'); ?>" />
</form>
And this is how the link to delete a file looks (within a foreach loop with my database results)
<a class="deleteConfirmation" href="<?php echo $this->baseUrl(false).'/news/index/delete/'.$news->id; ?>">delete</a>
This works like you would expect; when you click on delete the user goes to the delete confirmation page and redirects the user back to the index after the form is submitted. But I wanted the confirmation in a dialog (in my case I use fancybox). To achieve this, add the following jquery to your index:
$('.deleteConfirmation').fancybox({
// Normal fancybox parameters
ajax : {
type : "POST"
}
});