I am trying to create a signature for OAuth 1 to access a website. One of the endpoints has a query string that takes the form of a simple SQL statement such as:
?query=select * from customer
I know - horrible.
Anyways, my signature works fine for all other calls until I try to use a statement that has a space in the query string parameter value. I have tried a number of ways to UrlEncode the query string, but I always get the same result - a 401:
query%3Dselect%20%2A%20from%20term
query%3Dselect+%2A+from+term
I also tried this OAuth signature checker: http://quonos.nl/oauthTester/ but all it tells me is that "select * from term" is bad - not much help.
Does anyone know what format this querystring should be in for the base string?
Related
I am creating a new event in google calendar by the following URL structure.
https://calendar.google.com/calendar/r/eventedit?
text=discount for Asgardian&
dates=20200327T032400Z/20200327T032400Z&
details=Thor will be there to receive you&
location=Asgard&
trp=false&sprop=&sprop=name:
here is a URL variable text, which represents the title of an event.
if I pass a plain string, it works well. but if I pass special character like '%' (e.g. 20% off for Asgardian), then google calendar gave me -
Bad Request
Error 400
how can I pass '%'?
(same error for details vaiable also)
in the comment, #terry gave me answer for how to pass % through URL.
I need to encode it as %25.
he also share that - Javascript has a built-in function for this URL encoding. encodeURIComponent()
if we wrap our string by encodeURIComponent(), it'll give us URL encoded string.
thanks.
How do I clear/remove query string parameters, which my MVC action, doesn't require/support?
For instance, my action requires, say an id and a bool flag, so the url would be something like: http://localhost:someport/controller/action/?id=1&remove=true
But, if a user types in something like, http://localhost:someport/controller/action/?id=1&remove=true&some-junk-param=0
Then, I want the some-junk-param to be removed and not shown in the address bar, when the request is processed.
Any thoughts?
If you need to get rid of unwanted query string parameters, you have two general options:
Do it on server-side. You can achive this only with redirection, that means when browser asks URL with bad query string, server redirects browser to URL with good query string.
Caveats:
In this case we have redundant query just for cleaning query string.
User will have trash in browser history.
Do it on client-side. ASP.NET MVC Model binder will get only expected parameters from query string, so it's nothing bad with having other values in query string. You can check your URL on client-side with javascript and rewrite it with or without changing history using History API (IE10+).
Caveats:
In this case you will have to support consistency about allowed parameters between JS and C# code
Of course every way is suitable for it's own cases, but looking at caveats the second way is better, because it affects developer expirience whereas first way affects user expirience.
I try create simple OAuthHandler.
After my request (using the implicit flow), server send request to my page, with an authorization code. But in query string from server, all parameters starts with hash (#) instead?
In method HandleRemoteAuthenticateAsync, I'm trying to parse query string, but none of the properties contain authorization code or anything like that.
How can I handle hash in query string?
As Joppe and David mentioned in the comments, anything after the hash (#) is part of the fragment, and is not sent to the server by the browser. That's why your server code can't see it.
The implicit flow is for JavaScript clients, not web servers. You want the authorization code flow instead. The redirect will look like:
REDIRECT_URI?code=7a6fa...
Since the code is transmitted in the query string, instead of the fragment, your server-side code will be able to see it.
Just say I have the following url that has a query string parameter that's an url:
http://www.someSite.com?next=http://www.anotherSite.com?test=1&test=2
Should I url encode the next parameter? If I do, who's responsible for decoding it - the web browser, or my web app?
The reason I ask is I see lots of big sites that do things like the following
http://www.someSite.com?next=http://www.anotherSite.com/another/url
In the above, they don't bother encoding the next parameter because I'm guessing, they know it doesn't have any query string parameters itself. Is this ok to do if my next url doesn't include any query string parameters as well?
RFC 2396 sec. 2.2 says that you should URL-encode those symbols anywhere where they're not used for their explicit meanings; i.e. you should always form targetUrl + '?next=' + urlencode(nextURL).
The web browser does not 'decode' those parameters at all; the browser doesn't know anything about the parameters but just passes along the string. A query string of the form http://www.example.com/path/to/query?param1=value¶m2=value2 is GET-requested by the browser as:
GET /path/to/query?param1=value¶m2=value2 HTTP/1.1
Host: www.example.com
(other headers follow)
On the backend, you'll need to parse the results. I think PHP's $_REQUEST array will have already done this for you; in other languages you'll want to split over the first ? character, then split over the & characters, then split over the first = character, then urldecode both the name and the value.
According to RFC 3986:
The query component is indicated by the first question mark ("?")
character and terminated by a number sign ("#") character or by the
end of the URI.
So the following URI is valid:
http://www.example.com?next=http://www.example.com
The following excerpt from the RFC makes this clear:
... as query components are often used to carry identifying
information in the form of "key=value" pairs and one frequently used
value is a reference to another URI, it is sometimes better for
usability to avoid percent-encoding those characters.
It is worth noting that RFC 3986 makes RFC 2396 obsolete.
Link to API
There is a param "nonce":
An additional security element must be passed into the post:
nonce - All requests must also include a special nonce POST parameter with incrementing integer. The integer must always be
greater than the previous requests nonce value.
Of course I can implement it via integer param and perform ++ operation each time I use it, but what to do if this value is less than it is required and it causes request error? For example if it was reset for example after application reinstall?
Suddenly I found a solution:
#((int)[[NSDate date] timeIntervalSince1970])
I saw in php they use microtime() function. I hope my function will give the same result