Page 1 of 2

Cannot access variables in URL on https-site?

Posted: Fri Jul 20, 2007 4:57 am
by LJ79
Hey there,
I just registered so if I am asking in the wrong place please tell me so and I'll delete and repost the question.

Here goes:

I am having problems accessing the variables written in the URL of a site hosted on a secure server (https) - when i upload the same file to a normal server there is no problem and it reads all variables with $_GET, but from the https site i cant get them.

Does anybody know anything about this?
Do I need to use another method to access url-variables on a https?

Thanks in advance!

Posted: Fri Jul 20, 2007 5:00 am
by MalikBB
on the second site there must be server 'understanding' https

Posted: Fri Jul 20, 2007 5:06 am
by LJ79
can i somehow check that?

(the https server is for some crecit card payment service provided by my webhosting firm)

Posted: Fri Jul 20, 2007 5:46 am
by volka
please try

Code: Select all

<?php
foreach( array('_GET', '_POST', '_REQUEST', '_SERVER') as $v ) {
	echo '<pre>', $v, ': ';
	print_r($$v);
	echo "</pre>\n";
}
on the https server.

Posted: Fri Jul 20, 2007 6:09 am
by LJ79
volka,

then the returned url looks kinda like this (i deleted some of the variables, but you get the idea):

https://pay.scannet.dk/xxx/shop/result. ... ostnr=8000

and your little script returns:
_GET: Array
(
)

_POST: Array
(
)

_REQUEST: Array
(
)

_SERVER: Array
(
[DOCUMENT_ROOT] => /domains/www.xxx.dk/www
[HTTP_ACCEPT] => */*
[HTTP_CONNECTION] => Keep-Alive
[HTTP_HOST] => http://www.xxx.dk
[HTTP_USER_AGENT] => Wget/1.8.1
[PATH] => /bin:/usr/bin:/usr/local/bin
[REMOTE_ADDR] => 195.xx.xxx.84
[REMOTE_PORT] => 41438
[SCRIPT_FILENAME] => /domains/www.xxx.dk/www/shop/result.php
[SERVER_ADDR] => 195.xx.xxx.10
[SERVER_ADMIN] => root@xxx.dk
[SERVER_NAME] => http://www.xxx.dk
[SERVER_PORT] => 80
[SERVER_SIGNATURE] =>
[SERVER_SOFTWARE] => Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e PHP/5.2.1-0.dotdeb.1 with Suhosin-Patch
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.0
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /shop/result.php
[SCRIPT_NAME] => /shop/result.php
[PATH_TRANSLATED] => /domains/www.xxx.dk/www/shop/result.php
[PHP_SELF] => /shop/result.php
[REQUEST_TIME] => 1184929108
[argv] => Array
(
)

[argc] => 0
)

Posted: Fri Jul 20, 2007 6:16 am
by LJ79
... and when i test exactly the same file (incl. the url-variables) on a normal server it returns all the variables in the _GET and _REQUEST arrays...

Posted: Fri Jul 20, 2007 6:44 am
by volka
the ...returned url... I'm not sure I'm missing something. To be on the safe side: this
calls your script and in this script (result.php) you cannot access the GET parameters ordrenr, prisumoms etc. ?

Can you POST data to that script, e.g. via <form method="POST", and access these parameters ( print_r($_POST); ) ?

Posted: Fri Jul 20, 2007 7:01 am
by LJ79
yes exactly - i cannot access the $prisumoms and other variables in the url -

and no, unfortunately i cant do a POST instead, since this site (and the url) is generated by the "credit card payment module" that my webhost is offering. So the secure server is theirs and i simply do a POST with all the variables and they evaluate the creditcardinfo and then return the evaluation and alle the other variables (like price, addresses and other buyer info) with a GET to this result.php --

my problem is simply that I cant access the variables in the url - i find it very strage and the only thing i can think of that it could be is that it is a https. But i dont know anything about https-sites, and i dont know if it is standard there that they dont allow you to access the variables that are sent via GET.

(and that would make no sense, since that is exactly the way they sends them, so i am pretty confuzzled)

Posted: Fri Jul 20, 2007 7:14 am
by volka
Have only read until
LJ79 wrote:and no, unfortunately i cant do a POST instead
It's a test whether only GET parameters are truncated or POST values as well. Please try.

Posted: Fri Jul 20, 2007 7:27 am
by LJ79
okay now i tried POSTing variables directly to the result.php script and it cant access them either - (when it is uploaded to the secure server) -

and the little piece of code you gave me above to check for variables agains just show empty arrays under post, get and request...

Posted: Fri Jul 20, 2007 8:11 am
by LJ79
When i test the result.php on a secure and a non secure server with that little snippet of code you gave me there is one difference (aside form the fact that the secure server doesnt get any variables):

FROM NORMAL SERVER:
[HTTP_ACCEPT] => text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
[HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
[HTTP_ACCEPT_ENCODING] => gzip,deflate
[HTTP_ACCEPT_LANGUAGE] => da,en-us;q=0.7,en;q=0.3
[HTTP_CONNECTION] => keep-alive
[HTTP_HOST] => http://www.xxx.dk
[HTTP_KEEP_ALIVE] => 300
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 5.1; da; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
FROM SECURE SERVER:
[HTTP_ACCEPT] => */*
[HTTP_CONNECTION] => Keep-Alive
[HTTP_HOST] => http://www.xxx.dk
[HTTP_USER_AGENT] => Wget/1.8.1
I dont know what those mean, but it seems like there are at least some differences on th server settings between the two servers...

I wrote my hosting company again - they are replying so slowly and always some kind of dodging answer, as if they have no clue what php is...

Posted: Fri Jul 20, 2007 8:14 am
by volka
I think now would be a good time to ask the people at scannet.dk what is removing the data. Reverse proxy, stateful firewall ...anything?

Posted: Fri Jul 20, 2007 8:21 am
by LJ79
Hey thanks a lot! Very nice of you to help -
Now I am well-equipped to approach them! :)
When I find the solution I'll come back and post it here.

Posted: Fri Jul 20, 2007 8:25 am
by volka
LJ79 wrote:I dont know what those mean, but it seems like there are at least some differences on th server settings between the two servers...
Those are parameters/headers sent by the client. Instead of wget you might want to try

Code: Select all

<form method="post" action="https://pay.scannet.dk/xxx/shop/result.php">
	<div>
		<input type="hidden" name="ordrenr" value="14" />
		<input type="hidden" name="prisumoms" value="75.00" />
		<input type="hidden" name="kontrol" value="222" />
		<input type="hidden" name="valuta" value="208" />
		<input type="hidden" name="postnr" value="8000" />
		<input type="submit" />
	</div>
</form>
in your firefox

Posted: Fri Jul 20, 2007 8:44 am
by LJ79
Funny! I just noticed you are sitting in Berlin - so am I :)
*opens window and screams "Volka" to check if we're neighbours*
--

Okay, I tried POSTing again from a form - just like you suggest - but still the [HTTP_USER_AGENT] gives "Wget/1.8.1" -
and the script doesnt recieve the variables... (I dont know what "wget" is).

Thanks a lot for your effort.