I want to check what are ALL the possible parameters for any existing website url. Assuming the site is working with parameters type query string "architecture" (and not MVC for example) something like:
http://www.foobar.com/p1&itemsPerPage=50&size=500
Let's say there are other parameters which I don't know exist, and I don't see them in the url at the moment. For example, parameters like max, day and OtherExoticVariable. Again, I don't know their names but want to know ALL of their names. Is there some way of requesting the server to respond will all possible url parameters?
I would prefer a method with Javascript that I could run quickly through a browser but could also do asp.net c# if necessary.
Thanks a lot!
Ray.
It is the script/app running on the server that decides what parameters are valid. Unless the app provides such a query mechanism you can't do it. The server has no idea what is valid and what isn't.
Not guaranteed to get you ALL query strings, but it is often helpful to Google
"foobar.com/p1& * ".
You will be able to see all the public occurrences of query strings for the foobar.com website.
(As the accepted answer says, there is no general method to access query strings unless the website provides an API.)
I do not think this is possible. Each Web application designer can decide on the parameters individually, and you only know them if you see them being used.
Related
I'm rewriting a former SPA React app with Svelte. I'm using svelte-routing as a router and each time I enter an url in the browser address bar, the URL got lowercased. This causes me a problem because I need to catch URL-parameters with the original case.
With the React version, I don't have this problem.
Is it a problem with the sirv/polka server which is used with Svelte or the problem may come from elsewere?
Thank you for any help.
Svelte-routing doesn’t seem to change the case of any part of url, so it might be a server problem.
I found a lengthy discussion about casing and url from stackoverflow. Basically one shouldn’t trust case-sensitivity in url ie. the saftest bet would be lower-case, because different servers handle casing differently.
Query parameters and values are more complicated. If I was a backend designer, I would make query parameters case-insensitive and values case-sensitive.
www.example.com/product?brand=Nike&color=black
Would be the same as
Www.EXAMPLE.Com/Product?BRAND=Nike&Color=black
But this wouldn’t be the same
www.example.com/product?brand=nike&color=Black
Although I would design my backend a little further and atleast a value of color would be handled as case-insensitive.
In short:
As a user you should never trust any part of the url, query parameters or values to be case-sensitive.
As a backend designer you should allow every part of url and query parameters to be case-insensitive. Query values should also be case-insensitive, if possible.
I work for a small SMS marketing company, where we're sending out text message that each contain a unique code for the user (as a variable). My url is rather long, and I want to attach a unique variable for each one.
For example, the full URL might be:
http://www.mybigwebsiteurlishuge.com/more/more/?code={variable}
but I want it to be something like:
http://bit.ly/2398h?code={variable}
Anybody know any services that can do this? Otherwise I need to purchase small domain name just for this.
Thanks so much!
Most shortening services have APIs that you can use to shorten your URLs. Including bit.ly. Yu will have to use their API to the shortened URL.
I kept on looking, and still couldn't find anything suitable, so I got a new 3-character domain name, and also make a redirecting script that changed miniaturized variable names t the full ones. This works just as good really.
I'm trying to delete blobs in an mvc 3 application that uses azure storage.
I'm trying to pass the Uri of the blob which will be deleted to the controller, however an error is thrown:
A potentially dangerous Request.Path value was detected from the client (:)
I think this is from the https: part of the Uri and I need to parse it out, however I'm not sure how to do that. I'm wondering how to fix this error.
Is there a more graceful way to delete a blob from storage?
You must properly URL encode your urls. Here's an example of a badly encoded url:
http://foo.com/controller/action?param=http://bar.com
Here's how it should look like:
http://foo.com/controller/action?param=http%3A%2F%2Fbar.com
Or maybe you are having an url of the form:
http://foo.com/controller/action/https://bar.com
which is even worse. If you want to use special characters in the Path portion of an URL you might find the following blog post useful.
If you want unsecure content to get through then you can add [ValidateInput(false)] to your action - however, this is opening up something that is there for your security - so only do this if you are sure you're code is secure - see first answer in A potentially dangerous Request.Form value was detected from the client
I was able to fix it and I want to summarize the solution, since it requires bit from the other two answers and bits mostly from the Scott Hanselman Blog post.
You need to do a few things to make this work:
Put the [ValidateInput(false)] on your action method.
Make sure your Url is properly encoded (an example is given in the above post) which is done when you use the blobVariableName.Uri.AbsoluteUri as the string to pass from your view to your controller, so you shouldn't have to do anything there.
Make your query string looks like
http://site/controller/action?blobid=http%3A%2F%2F... and NOT http://site/controller/action/http%3A%2F%2F... the latter won't work!
On a side note, since I started, our functional requirements changed and now were storing information about each blob in the database, which allows me to pass parameters other than the blob's uri, which seems like a much safer way to play it.
A great deal of the community appears to be in agreement that it is a bad idea to pass uri's and to open up your application as to allow you to do so.
I am trying to implement Twitter's OAuth into my Code Igniter web application at which the callback URL is /auth/ so once you have authenticated with Twitter you are taken to /auth/?oauth_token=SOME-TOKEN.
I want to keep the nice clean URL's the framework provides using the /controller/method/ style of URL but I want to enable query strings as well, there will only ever be one name of the data oauth_token so it's ok if it has to be hard coded.
Any ideas?
I have tried tons of the things people are saying to do, but none work :(
PS: I'm using the .htaccess method of URL rewriting.
There are several ways to handle this.
Most People, and Elliot Haughin's Twitter Lib, extend the CI_Input library with a MY_Input library that sets allow_query_strings to true
You will also need to add ? to the allowed characters in config/config.php and set $config['url_protocal'] to PATH_INFO
see here: Enable GET in CodeIgniter
Codeigniter Reactor lets you access $_GET directly or via $this->input->get(). You don't need to use MY_Input or even change your config.php. This method leaves the query string in the URL, however.
I used a hacked index.php to recognise users coming back from Twitter, check for valid and safe values, then re-direct it to to a CodeIgniter friendly URL.
It may not be to everyones taste but I preferred it over allowing query strings throughout the entire application instead of just one particular circumstance.
I feel dumb for not knowing this, but I see a lot of links in web pages and instead of this:
<a href="http://foo.com/">
...they use this:
<a href="http://foo.com/?src=bar.com">
Now I understand that the ?src= is telling something that this referral is coming from bar.com, but I don't understand why this needs to be called out explicitly. Can anyone shed some light on it for me? Is this something I need to include in my program generated links?
EDIT: Ok, sorry, I'm not being clear enough. I understand the GET syntax with a question mark and parameters separated by ampersands. I'm wondering what's this special src parameter? Why would one site link to another and tack an src parameter on the end even though there's no indication that the destination site uses this normally.
For example, on this page hover your mouse over the screenshot. The link URL is http://moms4mom.com/?src=stackexchangesites
But moms4mom.com is our site. Passing the src parameter does nothing, so why include it?
There are a few reasons that the src is being used explicitly. But in general, it is easier and more reliable to trust a query string to determine referer[sic] than it is to trust the referer, since the latter is often broken, deliberately or not. On the other hand, browsers almost never break the query string in a url, since this, unlike referers, is pretty important for pages to function. Besides, a referer is often done without any deliberate action on the part of the site doing the refering, which some users dislike.
The reason (I do it) is that popular analytics tools sometimes make it easier to filter on query strings than referrers.
There is no standard to the src parameter. Each site has its own and it's usually up to the site that gets the link to define how it wants to read it (as usually it's that site that's going to pay for the click).
The second is a dynamic link, it's a URL that another language(like ASP and PHP) interpret as something to do, like in those Google URLs, but i never used this site(foo.com), then i don't much things about this parameter.
Depending on how the site processes its URL, you may or may not need to include the ?... information.
This is passed to the website, and the server can process it just like form input. Some sites require this - and build their navigation off a single page, using nothing but the "extra" stuff passed afterwards. If you're generating a link to a site like that, it will be required.
In other cases, this is just used to pass extra, unrequired info (such as advertising, tracking info, etc)... In those cases, you can leave it off.
Unfortunately, there's no way to know without trying whether you can remove the "extra" bits from the URL.
After reading some of your comments - I'll also say:
There is nothing special about the "src" field in a query string. The server is free to use it any way it wishes. Unless you know specific info about the server, you cannot assume it can be left out.
The part after the ? is the query string. Different sites use it for different things, and it is usually used for passing information to the server side code for that URL, but can also be used in javascript.
For more info see Query String