Solved

PHP Code Question

Posted on 2011-09-28
7
286 Views
Last Modified: 2012-05-12
The attached code works fine. This code basically pulls data from a MySQL database & displays it in a browser. At this time when a user pulls this form up it displays the path to the .php file (URL) in the browser...My question is, is there any way for me to hide the URL or maybe even the tail end of it? For instance, at this time when it is pulled up in a browser it shows http://myserver/myfolder/thisfile.php

Is there any a way for me to add something to the attahced code to hide the thisfile.php at the end of the URL?
 
<html>  
<body bgcolor="#03EBA6"> 
<head>

<?php
include('lock.php');
?>

<body>
<h2>Welcome <?php echo $login_session; ?></h2> 

<b><p><h5><a href="slogout.php">LOG OUT</a> </h5></p>
This area displays employees supervised by John Doe.
</body>

<html>
<head>
<title> PETS</title>
</head>
</html>

<title> PETS</title>
<table>
      <thead>
      <tr>
	   <table border='7'>

<th>First Name</th>
<th>Last Name</th>
<th>6-Month Review Date</th>
<th>Eval Due Date</th>
<th>Eval Due to Emp</th>
<th>Eval Due to the Man</th>
<th>Eval Due to Per Spec</th>
<th>Last Increase Date</th>
<th>Current L/S</th>
<th>Step Promo Due Date</th>
<th>Next L/S</th>
<th>Last Rating</th>
<th>Last Eval Date</th>

      </tr>      
      </thead>
      <tbody>
<?php
require('connection.php');

if (isset($_GET['op']) && $_GET['op'] == "d") 
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

$query="SELECT hrid, f_name, l_name, eval_due_date, SUBDATE( `eval_due_date`, INTERVAL 6 MONTH) as `six_months_prior_date`, ADDDATE( `eval_due_date`, INTERVAL 7 DAY) as `due_2_emp`, ADDDATE( `eval_due_date`, INTERVAL 14 DAY) as `due_2_chf`, ADDDATE( `eval_due_date`, INTERVAL 44 DAY) as `due_2_ps`, gscl, lwlr, wgdd, rating, nls, last_eval_date FROM hr_info WHERE status ='1' AND supervisor = 'john doe' ORDER BY eval_due_date ";
$result = mysql_query($query) or die(mysql_error());  
 
while($row = mysql_fetch_array( $result )) {
?>
       <tr>
           
						<td><?php echo "".$row['f_name']; ?></td>
                        <td><?php echo "".$row['l_name']; ?></td>						
                        <td><?php echo "".$row['six_months_prior_date']; ?></td>
						<td><?php echo "".$row['eval_due_date']; ?></td>
						<td><?php echo "".$row['due_2_emp']; ?></td>
						<td><?php echo "".$row['due_2_chf']; ?></td>
						<td><?php echo "".$row['due_2_ps']; ?></td>
						<td><?php echo "".$row['lwlr']; ?></td>
						<td><?php echo "".$row['gscl']; ?></td>
						<td><?php echo "".$row['wgdd']; ?></td>
						<td><?php echo "".$row['nls']; ?></td>
						<td><?php echo "".$row['rating']; ?></td>
						<td><?php echo "".$row['last_eval_date']; ?></td>
      </tr>
<?php } ?>            
      </tbody>
 
</table>

Open in new window

0
Comment
Question by:wantabe2
7 Comments
 
LVL 1

Expert Comment

by:RHochstenbach
ID: 36719800
What you could do is using POST instead of GET and then put both the form and the PHP code in the same file.
Example:
<form method="post" action="">
<input name="myname">
</form>

<?php
if(isset($_POST['myname'])) {
$myname = $_POST['myname'];
$find = mysql_query("select * FROM names WHERE name = '$myname'");
}
?>
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 36719901
I am not sure I understand what you are trying to hide, but I can tell you that these lines do not make sense.

if (isset($_GET['op']) && $_GET['op'] == "d")
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

There is never a case when you want to modify the data model on the basis of a GET request; that is a violation of the HTTP protocols.  Consider what would happen if a hacker ran a script that had this:

$id = 0;
while ($id < 1000000)
    $id++;
    file_get_contents("//path/to/your.php?op=d&id=$id");
}

Poof - the script has just clobbered your first million rows.

So if you find that changing to POST is the thing you want, here is another reason to do it!

Best regards, ~Ray
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36720061
Renaming or rewriting the file name is done by the server.  Nothing you can add to the PHP file to do that.  In addition, line 48 does nothing at all.  I would have thought it would show an error.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 108

Expert Comment

by:Ray Paseur
ID: 36720155
@Dave, I think this is more or less what the author meant near line 48.
if (isset($_GET["op"]))
{
    if ($_GET["op"] == 'd')
    {
        if (!empty($_GET["id"]))
        {
            $id  = mysql_real_escape_string($_GET["id"]);
            $sql = "UPDATE hr_info SET status = '0' WHERE hrid = '$id' LIMIT 1";
            $res = mysql_query($sql) or die(mysql_error());
            $num = mysql_affected_rows($res);
            if (!$num) echo "DID NOT FIND hr_info FOR hrid = $id";
        }
    }
}

Open in new window

0
 
LVL 6

Accepted Solution

by:
neorush earned 500 total points
ID: 36720214
You can accomplish something like this with Apache's mod_rewrite.  If you are on a linux / unix server you are probably using apache, and you probably have mod_rewrite available.  Create or edit a .htaccess file in the root of your site and add  / edit this and then visit something like: http://myserver/AnythingIWantHere
##### SITE REWRITES ######
RewriteEngine on
RewriteRule ^AnythingIWantHere$ /myfolder/thisfile.php [L]

Open in new window

0
 
LVL 15

Author Comment

by:wantabe2
ID: 36891178
@neorush
I am using WAMP on a Windows box....is this still possible?
0
 
LVL 6

Expert Comment

by:neorush
ID: 36892508
Yeah, apache is apache, you just need the rewrite module installed.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

SASS allows you to treat your CSS code in a more OOP way. Let's have a look on how you can structure your code in order for it to be easily maintained and reused.
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
In this tutorial viewers will learn how to style transparent/translucent elements using alpha transparency in CSS Start with a normal styled element, such as a div.: Define its "background-color" property as "rgba (255, 255, 255, .5): The numbers in…
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now