Context:
I am working in MemberMouse (a WordPress Membership Plugin), and I am trying to write a script that updates a member's status to "Cancelled" after a Refund has been issued on their account.
I've been provided with a sample script that simply pulls/provides the users information: https://dl.dropboxusercontent.com/u/265387542/files/payment_notification_script.php
Problem:
I want to take $status = $_GET["status"]; and update it to "Cancelled". How can I achieve this? Is there a way to $_POST a status value back to MemberMouse, or to set $status equal to something else?
(I am a novice with PHP). Here's my attempt below:
...
// ---- PERFORM ACTION BASED ON EVENT TYPE ----
switch($eventType)
{
    case $REFUND_ISSUED:
        // set status to cancel
        mm_member_status_change("Cancelled");
        break;
}
Since you say you are new to PHP, here are some points you may not know.
1. $status = $_GET["status"]; may not be doing what you think it is doing. This line is saying two things: it is declaring a variable $status, and it is setting that variable to the URL variable $_GET["status"].
What is a URL variable? In this case, it would look something like this in the URL:
www.mysitename.com/index.php?status=canceled
So, if you want to change the "status", you simply redefine the variable like so:
$status="canceled";
I'm building a message system to learn how it works, and I've already got pretty much everything. I can log in and make a post on a board, but now I would like to be able to edit it. The back-end is ready, it receives a POST request
Basically what I need to do is check if the currently logged in user is the author of a certain post from JavaScript to show or hide the edit button. I know how to tell if the user is logged in from PHP so that it blocks requests if you aren't the author, but I can't hide or show the buttons as the posts are dynamically generated from a <template> using JS.
Login snippet:
$_SESSION["userid"] = $userid;
Edit check PHP snippet (kinda pseudo-code):
if ($_POST["action"] == "modifypost" && isset($_POST["postid"]) && isset($_POST["content"]))
{
    $post = get_post($_POST["postid"]);
    if ($post->userid != $_SESSION["userid"])
    {
        die("you are not allowed");
    }
    //MySQL queries
}
Post dynamic generation (abbreviated):
function add_post(post) {
    var t = document.querySelector('#historypost');
    t.content.querySelector(".content").innerHTML = post.content;
    var clone = document.importNode(t.content, true);
    document.body.appendChild(clone);
}
I had originally thought of setting a variable with the user ID from HTML with <script> and <?php ?>, but then the user would be able to manually set that variable from the console and show the buttons.
I had originally thought of setting a variable with the user ID from HTML with <script> and <?php ?>
Yes, this is one correct approach. Basically, use PHP to tell JavaScript which posts actually belong to the current user.
but then the user would be able to manually set that variable from the console and show the buttons
True. There is no way to secure information from user-meddling once you've sent it to the browser. This is because the user is in control of what gets executed in the browser. Instead of thinking of the button visibility as a security feature, think of it as a convenience -- something to make the user experience more pleasing.
Application security is really enforced on the server. Just make sure that one user is not allowed to edit another user's posts, and do not trust what comes from the browser. Verify inputs.
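As an added illustration of the server-side enforcement this answer describes (this is example code, not the question's or the answer's own): the ownership check lives in PHP, and a read-only endpoint tells the page's JavaScript whether to show the button. The endpoint's answer is only a convenience; the write path is what protects the data. It assumes a PDO connection in $pdo, a hypothetical posts table with columns id, userid and content, and the session key $_SESSION["userid"] from the question.

```php
<?php
// Added example: enforce post ownership on the server and expose the result to the
// client as data, not as a security control.
// Assumptions: $pdo is an existing PDO connection; posts(id, userid, content) is a
// made-up table; the session key 'userid' is the one used in the question.

declare(strict_types=1);

session_start();

/** Load one post by id, or return null when it does not exist. */
function get_post(PDO $pdo, int $postId): ?array
{
    $stmt = $pdo->prepare('SELECT id, userid, content FROM posts WHERE id = :id');
    $stmt->execute([':id' => $postId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** True only when a logged-in user owns the given post. */
function user_owns_post(?array $post, ?int $sessionUserId): bool
{
    return $post !== null
        && $sessionUserId !== null
        && (int) $post['userid'] === $sessionUserId;
}

$sessionUserId = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
$action = $_POST['action'] ?? $_GET['action'] ?? '';

if ($action === 'canedit' && isset($_GET['postid'])) {
    // Read-only endpoint the page's JS can call (e.g. fetch('?action=canedit&postid=7'))
    // to decide whether to render the edit button. Nothing is enforced here.
    $post = get_post($pdo, (int) $_GET['postid']);
    header('Content-Type: application/json');
    echo json_encode(['canEdit' => user_owns_post($post, $sessionUserId)]);
    exit;
}

if ($action === 'modifypost' && isset($_POST['postid'], $_POST['content'])) {
    // The write path: this check is the actual security control.
    $post = get_post($pdo, (int) $_POST['postid']);
    if (!user_owns_post($post, $sessionUserId)) {
        http_response_code(403);
        exit('you are not allowed');
    }
    // Ownership is repeated inside the UPDATE so a race with a changed owner cannot slip through.
    $stmt = $pdo->prepare('UPDATE posts SET content = :content WHERE id = :id AND userid = :uid');
    $stmt->execute([
        ':content' => (string) $_POST['content'],
        ':id'      => (int) $post['id'],
        ':uid'     => $sessionUserId,
    ]);
    http_response_code(204);
    exit;
}
```

Whatever the JavaScript does with the canEdit flag (show the button, hide it, or a user flipping it from the console), the modifypost branch answers 403 for any post the session user does not own.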
Ideally, I would prefer to put the post rendering logic inside the server-side.
But as your solution is focused in javascript, an option makes PHP render a javascript variable that tells if the user is the post author.
Example:
Inside your PHP file, in the HTML render part you can do this:
<script>var isAuthor = '<?php echo ($post->userid == $_SESSION["userid"]); ?>';</script>
Doing this you will have a JavaScript variable called isAuthor, that will have the value "1" if the user is the author.
But as I said, this doesn't look like a good approach to solve the problem. It's something that PHP can handle better, without exposing your logic to the client.
I'm creating a new account record. The easiest way is to fill in the account id (VAT number or something similar) and push a button. The button runs some JavaScript. The JavaScript reads the value of the account id and fills in the rest (calls some external web service and fills in the account name, address and so on).
But I need to read this unsaved account id. Standard
Xrm.Page.getAttribute("accId").getValue();
can read only saved values.
Via debugger I found the right value, so I wrote simple function, which returns it.
Here it is:
function getDirtyValue(attName) {
    var control = Xrm.Page.ui.controls.get(attName);
    if (control != null && control.$1G_1 != null) {
        return control.$1G_1.$3V_0;
    }
    else {
        return null;
    }
}
It works but is there some official way to get this value?
(language correction welcome)
You could avoid this trick by adding a function, called when the form loads, that sets the value of the field into a global variable. You can access that variable in the on change event of that field.
Keep in mind that Microsoft does not support methods that are not present in the SDK and they might change. So if they change the property you are using, and your code is already in production, you'll end up having some problems.
Hope it helps,
Cheers
Ok...I'm new to this >.<
I have my npm from github.com (node-twitterbot...whose dependency is twit)
I've looked at the twitter api..
What I'm trying to do is add an action which is post a tweet.
I can't seem to find out how to define the string for the actionName (which might be...)
var tweet = ("https://api.twitter.com/1.1/statuses/update.json");
and the actionFunction. Then I need to put it all together to post. Also, I have my instructions written below, however I'm not sure how to apply them. My actionName could be "tweet"? I have no idea how to define my actionFunction either... Can someone explain this? I NEED TO KNOW WHAT TO PUT WHERE. I have the twitterbot.js file open and ready to edit along with all my OAuth keys... access and consumer stuff. Please help any way you can. I can paste my twitterbot.js file if that helps. Below is what the instructions on the npm site say:
Actions
In order to get your node-twitterbot to actually do something, you need to define actions. It is done through the addAction() method. It takes 2 parameters:
actionName: a string value for the name of an action
actionFunction: a function to be called when a given action is scheduled. (See below for method signature)
So our addAction method might look like this:
Bot.addAction("tweet", function(twitter, action, tweet) {
    Bot.tweet("I'm posting a tweet!");
});
The twitter variable passed into the function is the Twit object associated with a given node-twitterbot, and can be managed directly. The same Twit object is available as [TwitterBot].twitter as well.
The action variable passed into the function is the TwitterBotAction created by addAction.
And the tweet object is the tweet passed into the action (if there was one)
TwitterBotActions
addAction() returns a TwitterBotAction object.
var tweetAction = Bot.addAction("tweet", function(twitter, action, tweet) {
    Bot.tweet("I'm posting a tweet!");
});
But you will rarely need to hold onto the tweetAction directly. You can always get a reference to the action by calling
Bot.actionWithName("tweet");
Which will return the TwitterBotAction object, or null if the name is invalid (or the action already removed)
Again, I'm trying to put all of this together so I can post a tweet using the JavaScript in node.js. Thank you for your time and consideration.
I have two tables: trade and user_pokemon_db
I want to copy a specific rows from user_pokemon_db, when an event occurs.
Html code:
echo "<a href='tradecenter.php' onClick='document.write(".trade($db_id).")' >Put in Trade</a>";
When the user clicks on the link, the php function is called which consists on sql query to copy the row.
$sql = " INSERT INTO trade (trade_id, user_id, pkmn_id, level, exp, health, attack1, attack2, attack3)
         SELECT (id, user_id, pkmn_id, level, exp, health, attack1, attack2, attack3)
         FROM user_pokemon_db WHERE user_id = '".$id."' AND id = '".$db_id."' ";
Problem maybe due to improper writing of the query... or maybe due to improper formatting of the href!?
What should I do?
I don't know the content of your php function trade() but it seems that you are confusing javascript and PHP.
Keep in mind that in most of case, once the web page is sent to the user browser, the PHP execution is finished. If you want to do a SQL request after a link click, you need to load a new page or to use something like Ajax to run some PHP code again.
The simplest way to do what you want is to pass the pokemon id as a GET variable (= in the URL)
and check this variable on another page and generate the good SQL query :
echo '<a href="trade.php?pokemon_id='.$id.'" >Trade </a>' ;
And the trade.php would do something like that :
$id = $_GET['pokemon_id'] ; // Be Aware of SQL Injections !!
trade($id);
Have a look at this page for more information about forms: http://www.w3schools.com/php/php_forms.asp
(And if you are using GET or POST variables in your SQL query, be aware of SQL Injections)
If you want to run your PHP function without reloading the page, you should use AJAX. Check this page to understand how it works. A very easy way to use it is to use jQuery
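An added example of the trade.php page this answer sketches (not the answer's own code): the id comes in as a GET variable, is validated as a positive integer, and the INSERT ... SELECT runs as a PDO prepared statement so the value can never change the SQL text. It assumes an existing PDO connection in $pdo, the logged-in user's id in $_SESSION["id"] (a session key chosen for this example), and the table and column names from the question.

```php
<?php
// Added example: trade.php reads pokemon_id from the URL and copies the row with a
// prepared statement. The SQL injection the answer warns about is impossible here
// because the user-supplied value is bound as a parameter, never concatenated.
// Assumptions: $pdo is an existing PDO connection; $_SESSION['id'] holds the user id.

declare(strict_types=1);

session_start();

// Reject anything that is not a positive integer before it gets near the database.
// filter_input() returns null when the variable is absent and false when it is invalid.
$pokemonId = filter_input(INPUT_GET, 'pokemon_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$userId    = $_SESSION['id'] ?? null;

if ($pokemonId === null || $pokemonId === false || $userId === null) {
    http_response_code(400);
    exit('missing or invalid pokemon_id, or not logged in');
}

/** Copy one of the current user's rows into trade; returns the number of rows copied. */
function trade(PDO $pdo, int $userId, int $pokemonId): int
{
    // Note the SELECT column list has no parentheses, and both filters are placeholders.
    // Filtering on the session user id means a user can only put their own rows in trade.
    $sql = 'INSERT INTO trade (trade_id, user_id, pkmn_id, level, exp, health, attack1, attack2, attack3)
            SELECT id, user_id, pkmn_id, level, exp, health, attack1, attack2, attack3
            FROM user_pokemon_db
            WHERE user_id = :uid AND id = :pid';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':uid' => $userId, ':pid' => $pokemonId]);
    return $stmt->rowCount(); // 1 if a row was copied, 0 if no such row belongs to this user
}

$copied = trade($pdo, (int) $userId, $pokemonId);
header('Location: tradecenter.php?copied=' . $copied);
exit;
```

The link on the listing page is then just echo '<a href="trade.php?pokemon_id='.$id.'">Trade</a>'; as the answer shows; the page the link loads is where the PHP actually runs.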
I'm reading a book on XSS attacks, and I've found an example about XSS filter evasion that is a little weird (IMHO).
This is the example text:
Another possible injection point that could exist is when the developer uses unsanitized
user input as part of the generated HTML within a script element. For example:
<script>
var query_string="<XSS>";
somefunction(query_string);
function somefunction() {
    ...
}
</script>
It appears we have access to the inside of the JavaScript function. Let’s try adding some
quotes and see if we can jump out of the encapsulation:
<script>
var query_string=""<XSS>";
somefunction(query_string);
function somefunction() {
    ...
}
</script>
It worked, and also caused a JavaScript error in the process as shown in Figure 3.38.
Let’s try one more time, but instead of trying to inject HTML, let’s use straight
JavaScript. Because we are in a script tag anyway, why not use it to our advantage?
<script>
var query_string="";alert("XSS");//";
somefunction(query_string);
function somefunction() {
    ...
}
</script>
The bold text is what I suppose to be the user input, taken for example from a form.
Back to my question: is there any way that this kind of attack works? For example, suppose somefunction(query_string) is used to run some sql query, and query_string is a product name to search within the database. If inside the search function I create sql_query = 'SELECT name FROM table WHERE name = "'+query_string+'"';, I think there's no way to inject some string with quotes to "jump out of the encapsulation", i.e inputting YAY";alert('hi');// will not change the JS to this:
var query_string = [user input, in this case YAY";alert('hi');//]
function abc(query_string){
    sql_query = "select name FROM table WHERE name = 'YAY';
    alert('hi');//
    ....
}
Am I wrong? What do you think? Can you make me a simple example (if it possible) on how this kind of attack can make some sort of damages?
I thought about something like an online shop, but assuming the JS is not used on server side, the only thing this attack can do is modify the query string and then submit it to the server..
Hope you can understand what I wrote and what I'd like to understand, thanks, best regards.
You should only look at the first line. The rest doesn't come into play in this XSS example. It's a badly chosen example. So take this much simpler example:
var first_name="<XSS>";
In this example <XSS> is user generated content. So your PHP code, for example, looks like this:
var first_name="<? echo $firstName; ?>";
$firstName is taken from some database or something else, and was generated by the user who typed it into some textfield. Say the user typed: ";alert("XSS");//. PHP will generate the following code
var first_name="";alert("XSS");//";
Pretty printed:
var first_name="";
alert("XSS");
//";
As you see the user was able to run his code alert("XSS") in every other users browser that visited the page. In this example nothing bad will happen except some alert box, but the user might inject some code that gets the cookie info and sends it to some server, so the attacker can steal someone's login session.
This same problem - forgetting to escape user generated content - also applies for creating sql queries, but this isn't related to this example. The creator of this example should have used query_string in his example, as it is obviously confusing.
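An added example (not from the answer) showing the breakout the answer describes next to the fix: the raw interpolation from the answer, and a js_string() helper written here that uses PHP's json_encode with its hex flags so that quotes and angle brackets can never terminate the string literal or the script element. The two payloads are constructed test inputs; the first is the answer's, the second needs no quote at all because it closes the element itself.

```php
<?php
// Added example: why raw interpolation into a <script> string literal breaks, and how
// to encode a value for that context. js_string() is a helper written for this example.

declare(strict_types=1);

// The vulnerable pattern from the answer: the value is pasted straight into JS source.
function render_unsafe(string $firstName): string
{
    return '<script>var first_name="' . $firstName . '";</script>';
}

// json_encode produces a complete, valid JS string literal (quotes included). The hex
// flags turn < > & ' " into \uXXXX escapes, so neither a quote nor a </script> sequence
// survives into the HTML; non-ASCII (including U+2028/U+2029) is \u-escaped by default.
function js_string(string $value): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $encoded = json_encode($value, $flags);
    if ($encoded === false) {
        throw new RuntimeException('cannot encode value: ' . json_last_error_msg());
    }
    return $encoded;
}

function render_safe(string $firstName): string
{
    // No surrounding quotes here: js_string() already returns the whole literal.
    return '<script>var first_name=' . js_string($firstName) . ';</script>';
}

// Constructed test inputs standing in for what a user typed into the first-name field.
$payloads = [
    '";alert("XSS");//',                   // the answer's breakout: close string, run code, comment out the rest
    '</script><script>alert(1)</script>',  // closes the element; quotes are irrelevant to the HTML parser
];

foreach ($payloads as $p) {
    echo 'unsafe: ', render_unsafe($p), PHP_EOL;
    echo 'safe:   ', render_safe($p), PHP_EOL, PHP_EOL;
}
// For the first payload the safe line is:
//   <script>var first_name="\u0022;alert(\u0022XSS\u0022);\/\/";</script>
// which JavaScript reads back as exactly the characters the user typed.
```

The second payload is the reason HTML-escaping alone is not enough inside a script element: the HTML parser ends the element at the first </script> regardless of JavaScript quoting, so < must be encoded as \u003C before the browser ever sees it.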