Solved

PHP Code Question

Posted on 2011-09-28
7
283 Views
Last Modified: 2012-05-12
The attached code works fine. This code basically pulls data from a MySQL database & displays it in a browser. At this time when a user pulls this form up it displays the path to the .php file (URL) in the browser...My question is, is there any way for me to hide the URL or maybe even the tail end of it? For instance, at this time when it is pulled up in a browser it shows http://myserver/myfolder/thisfile.php

Is there any a way for me to add something to the attahced code to hide the thisfile.php at the end of the URL?
 
<html>  
<body bgcolor="#03EBA6"> 
<head>

<?php
include('lock.php');
?>

<body>
<h2>Welcome <?php echo $login_session; ?></h2> 

<b><p><h5><a href="slogout.php">LOG OUT</a> </h5></p>
This area displays employees supervised by John Doe.
</body>

<html>
<head>
<title> PETS</title>
</head>
</html>

<title> PETS</title>
<table>
      <thead>
      <tr>
	   <table border='7'>

<th>First Name</th>
<th>Last Name</th>
<th>6-Month Review Date</th>
<th>Eval Due Date</th>
<th>Eval Due to Emp</th>
<th>Eval Due to the Man</th>
<th>Eval Due to Per Spec</th>
<th>Last Increase Date</th>
<th>Current L/S</th>
<th>Step Promo Due Date</th>
<th>Next L/S</th>
<th>Last Rating</th>
<th>Last Eval Date</th>

      </tr>      
      </thead>
      <tbody>
<?php
require('connection.php');

if (isset($_GET['op']) && $_GET['op'] == "d") 
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

$query="SELECT hrid, f_name, l_name, eval_due_date, SUBDATE( `eval_due_date`, INTERVAL 6 MONTH) as `six_months_prior_date`, ADDDATE( `eval_due_date`, INTERVAL 7 DAY) as `due_2_emp`, ADDDATE( `eval_due_date`, INTERVAL 14 DAY) as `due_2_chf`, ADDDATE( `eval_due_date`, INTERVAL 44 DAY) as `due_2_ps`, gscl, lwlr, wgdd, rating, nls, last_eval_date FROM hr_info WHERE status ='1' AND supervisor = 'john doe' ORDER BY eval_due_date ";
$result = mysql_query($query) or die(mysql_error());  
 
while($row = mysql_fetch_array( $result )) {
?>
       <tr>
           
						<td><?php echo "".$row['f_name']; ?></td>
                        <td><?php echo "".$row['l_name']; ?></td>						
                        <td><?php echo "".$row['six_months_prior_date']; ?></td>
						<td><?php echo "".$row['eval_due_date']; ?></td>
						<td><?php echo "".$row['due_2_emp']; ?></td>
						<td><?php echo "".$row['due_2_chf']; ?></td>
						<td><?php echo "".$row['due_2_ps']; ?></td>
						<td><?php echo "".$row['lwlr']; ?></td>
						<td><?php echo "".$row['gscl']; ?></td>
						<td><?php echo "".$row['wgdd']; ?></td>
						<td><?php echo "".$row['nls']; ?></td>
						<td><?php echo "".$row['rating']; ?></td>
						<td><?php echo "".$row['last_eval_date']; ?></td>
      </tr>
<?php } ?>            
      </tbody>
 
</table>

Open in new window

0
Comment
Question by:wantabe2
7 Comments
 
LVL 1

Expert Comment

by:RHochstenbach
Comment Utility
What you could do is using POST instead of GET and then put both the form and the PHP code in the same file.
Example:
<form method="post" action="">
<input name="myname">
</form>

<?php
if(isset($_POST['myname'])) {
$myname = $_POST['myname'];
$find = mysql_query("select * FROM names WHERE name = '$myname'");
}
?>
0
 
LVL 108

Expert Comment

by:Ray Paseur
Comment Utility
I am not sure I understand what you are trying to hide, but I can tell you that these lines do not make sense.

if (isset($_GET['op']) && $_GET['op'] == "d")
if($_GET['op'] == "d" && !empty($_GET['id']) )
{
   $query="UPDATE hr_info SET status = '0' WHERE hrid={$_GET['id']}";
   $result = mysql_query($query) or die(mysql_error());  
}

There is never a case when you want to modify the data model on the basis of a GET request; that is a violation of the HTTP protocols.  Consider what would happen if a hacker ran a script that had this:

$id = 0;
while ($id < 1000000)
    $id++;
    file_get_contents("//path/to/your.php?op=d&id=$id");
}

Poof - the script has just clobbered your first million rows.

So if you find that changing to POST is the thing you want, here is another reason to do it!

Best regards, ~Ray
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
Renaming or rewriting the file name is done by the server.  Nothing you can add to the PHP file to do that.  In addition, line 48 does nothing at all.  I would have thought it would show an error.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 108

Expert Comment

by:Ray Paseur
Comment Utility
@Dave, I think this is more or less what the author meant near line 48.
if (isset($_GET["op"]))
{
    if ($_GET["op"] == 'd')
    {
        if (!empty($_GET["id"]))
        {
            $id  = mysql_real_escape_string($_GET["id"]);
            $sql = "UPDATE hr_info SET status = '0' WHERE hrid = '$id' LIMIT 1";
            $res = mysql_query($sql) or die(mysql_error());
            $num = mysql_affected_rows($res);
            if (!$num) echo "DID NOT FIND hr_info FOR hrid = $id";
        }
    }
}

Open in new window

0
 
LVL 6

Accepted Solution

by:
neorush earned 500 total points
Comment Utility
You can accomplish something like this with Apache's mod_rewrite.  If you are on a linux / unix server you are probably using apache, and you probably have mod_rewrite available.  Create or edit a .htaccess file in the root of your site and add  / edit this and then visit something like: http://myserver/AnythingIWantHere
##### SITE REWRITES ######
RewriteEngine on
RewriteRule ^AnythingIWantHere$ /myfolder/thisfile.php [L]

Open in new window

0
 
LVL 15

Author Comment

by:wantabe2
Comment Utility
@neorush
I am using WAMP on a Windows box....is this still possible?
0
 
LVL 6

Expert Comment

by:neorush
Comment Utility
Yeah, apache is apache, you just need the rewrite module installed.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

These days socially coordinated efforts have turned into a critical requirement for enterprises.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
In this tutorial viewers will learn how to style transparent/translucent elements using alpha transparency in CSS Start with a normal styled element, such as a div.: Define its "background-color" property as "rgba (255, 255, 255, .5): The numbers in…
In this tutorial viewers will learn how to style elements, such a divs, with a "drop shadow" effect using the CSS box-shadow property Start with a normal styled element, such as a div.: In the element's style, type the box shadow property: "box-shad…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now