
php question get remote url


    #11
    Originally posted by bogeyman View Post
    I know that you silly bonobo! It should not, however, be enabled by default.
    Why not? It doesn't do any harm. If somebody leaves a security hole in their application that allows it to be abused, then they're almost certainly leaving SQL injection and XSS holes as well, so this is the least of their worries.

    Comment


      #12
      Originally posted by NickFitz View Post
      Actually xog, your problem is almost certainly the urlencode call: this turns the slashes and so on into their urlencoded form.

      Assuming xxxxx represents some value that might contain special characters and needs URLEncoding, try

      Code:
      $encoded_inst_id = urlencode($inst_id);
      $contents = file_get_contents('https://select.worldpay.com/wcc/info?op=rates&instId='.$encoded_inst_id);
      echo $contents;
      Or have a look at the first example at http://www.php.net/manual/en/features.remote-files.php if you want finer control over file processing.

      Yup, it is. He needs to use htmlentities() instead (see my original post). urlencode() will convert all the symbols to their html equivalent which will break a file_get_contents call because it doesn't realise it is a url any more.

      Comment


        #13
        Originally posted by Ardesco View Post
        Unless of course your friendly web admin has set:

        Code:
        disable_functions = phpinfo
        in the php.ini
        Misuse of the word "friendly" there - well, unless they allow me to re-enable it when I want to

        Comment


          #14
          Originally posted by Ardesco View Post
          Yup, it is. He needs to use htmlentities() instead (see my original post). urlencode() will convert all the symbols to their html equivalent which will break a file_get_contents call because it doesn't realise it is a url any more.
          Nope - he's building a URL, which isn't HTML. htmlentities() is used for encoding stuff to be rendered on a web page, not for URL encoding; so if one writes a URL to a page, it should be formed with urlencode() applied to values in the query string and fragment identifier, and then passed through htmlentities() to make it valid HTML. But for use as a URL, only the first is appropriate, otherwise it'll mess up the query string.

          E.G. http://example.com?p=1&q=2 would become http://example.com?p=1&amp;q=2, which would result in the server thinking it had been passed a value of 2 with the name amp;q.

          Comment
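The encoding rule from the post above, as an added example that is not code from the thread: it builds the Worldpay URL three ways and parses each query string the way a receiving PHP script would. `received_params()` is a hypothetical helper and the `$instId` value is constructed.

```php
<?php
// Added example, not code from the thread. received_params() is a
// hypothetical helper; $instId is a constructed sample value.

// Parse a URL's query string the way the receiving PHP script would.
function received_params(string $url): array
{
    $query = explode('?', $url, 2)[1] ?? '';
    parse_str($query, $params);
    return $params;
}

$base   = 'https://select.worldpay.com/wcc/info?op=rates&instId=';
$instId = '12&op=other';   // constructed: contains URL metacharacters

$cases = [
    // Correct for a URL: percent-encode only the value placed in the query.
    'urlencode(value)'    => $base . urlencode($instId),
    // Wrong layer: HTML escaping leaves '&' and '=' active as URL syntax,
    // so the value is cut short and a stray parameter appears.
    'htmlentities(value)' => $base . htmlentities($instId),
    // The example URL from the post, run through htmlentities() as a whole.
    'htmlentities(url)'   => htmlentities('http://example.com?p=1&q=2'),
];

foreach ($cases as $label => $url) {
    echo $label, ': ', $url, PHP_EOL;
    print_r(received_params($url));
}

// Encoding the whole URL also encodes the scheme separator and slashes,
// so the result is no longer usable as a URL by file_get_contents().
echo urlencode($base . $instId), PHP_EOL;

// HTML escaping is applied once, at output time, to the finished URL.
$href = htmlspecialchars($cases['urlencode(value)'], ENT_QUOTES, 'UTF-8');
echo '<a href="', $href, '">rates</a>', PHP_EOL;

// A browser reverses the HTML escaping before requesting the link,
// so the server still receives the correctly percent-encoded URL.
var_dump(html_entity_decode($href, ENT_QUOTES, 'UTF-8') === $cases['urlencode(value)']);
```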


            #15
            you got me there

            I bow down to NickFitz's superior knowledge

            Comment


              #16
              Originally posted by Ardesco View Post
              you got me there

              I bow down to NickFitz's superior knowledge
              As so must we all

              (otherwise he'll never shut up)

              You've come right out the other side of the forest of irony and ended up in the desert of wrong.

              Comment


                #17
                Originally posted by Ardesco View Post
                you got me there

                I bow down to NickFitz's superior knowledge


                Originally posted by bogeyman View Post
                As so must we all

                (otherwise he'll never shut up)

                Comment


                  #18
                  Hey lotsa of sensible answers, cheers. Will try those later, if work then on to the hard bit, actually extracting the figure I want.

                  Know nothing about the security stuff or server side at all as is probably obvious but this is a short conversion file Worldpay provide configured to my specific account so must be safe enough to use it?



                  ****
                  Hmm! HTMLentities works but now I am getting a file timeout although pages are available, same if use fopen. All the things that should allow remote access like allow_url_fopen are set to on according to the info file. Bum.
                  Last edited by xoggoth; 22 November 2008, 19:20.
                  bloggoth

                  If everything isn't black and white, I say, 'Why the hell not?'
                  John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)

                  Comment


                    #19
                    You shouldn't use htmlentities(), as it's not relevant and could damage your URLs. See my post at the end of page 1, and the php.net documentation I linked to in my previous post - explicitly opening, reading, and closing the file may be more reliable for your setup.

                    Alternatively try the cURL functions - they're slightly more complicated to use, but if nothing else they give you a much better indication of what, if anything, has gone wrong.

                    Comment


                      #20
                      Cheers for further comments Nick. Turns out there was a security problem, I have to request access via the host firewall for every URL I want to open.
                      bloggoth

                      If everything isn't black and white, I say, 'Why the hell not?'
                      John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)

                      Comment
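A sketch of the cURL approach suggested in post #19, as an added example that is not code from the thread: it separates DNS failure, refused connection and timeout, the last being what a filtered outbound connection like the one in post #20 usually looks like. `fetch_with_diagnostics()` is a hypothetical helper, and the `$instId` value and the timeout figures are assumptions.

```php
<?php
// Added example, not code from the thread. fetch_with_diagnostics() is a
// hypothetical helper; the timeouts and $instId are constructed values.
function fetch_with_diagnostics(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,            // return the body, do not print it
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse file://, ftp://, plain http://
        CURLOPT_FOLLOWLOCATION => false,           // do not chase redirects to other hosts
        CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // and that it matches the host name
        CURLOPT_CONNECTTIMEOUT => 5,               // seconds allowed to connect
        CURLOPT_TIMEOUT        => 15,              // seconds allowed for the whole transfer
    ]);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);

    // Map the transport errors that matter here to a plain explanation.
    $hints = [
        CURLE_COULDNT_RESOLVE_HOST => 'DNS lookup failed',
        CURLE_COULDNT_CONNECT      => 'connection refused or actively rejected',
        CURLE_OPERATION_TIMEOUTED  => 'timed out; typical when a firewall drops outbound packets',
    ];

    return [
        'ok'     => $body !== false && $errno === 0,
        'errno'  => $errno,
        'error'  => curl_error($ch),
        'hint'   => $hints[$errno] ?? null,
        'status' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'body'   => $body === false ? null : $body,
    ];
}

$instId = '12345';   // constructed placeholder for the account's installation id
$result = fetch_with_diagnostics(
    'https://select.worldpay.com/wcc/info?op=rates&instId=' . urlencode($instId)
);

if ($result['ok'] && $result['status'] === 200) {
    echo $result['body'];
} else {
    // Log the reason instead of failing silently like a bare file_get_contents().
    error_log(sprintf('fetch failed: errno=%d (%s) hint=%s http=%d',
        $result['errno'], $result['error'], $result['hint'] ?? 'n/a', $result['status']));
}
```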
