
I have a URL string as follows:

compare.php?use_url=on&zipcode=London&categories%5B%5D=2&categories%5B%5D=4&categories%5B%5D=5&radius=0&checkboxnational=1&lat=50.8104415&lng=-2.99781710000002&outcode=EX13

What I am doing is converting this to hidden form elements via the following code, which I modified for arrays:

foreach($_GET as $key => $value) {
    // Handle cases where QS argument is an array - for instance, "?cat[]=1&cat[]=2"
    if (is_array($value)) {
        foreach ($value as $k => $v)  {
            // note: name='$key' drops the [] suffix, so the array does not round-trip on resubmit
            echo "<input type='hidden' name='$key' value='$v' />";
        }
    } else {
        // interpolating $value casts it to string; when $value is an object this is
        // the "could not be converted to string" fatal error. Nothing is escaped, so a
        // value containing ' or > also breaks out of the attribute (see the XSS comments)
        echo  "<input type='hidden' name='$key' value='$value' />";
    }
}

The page breaks. The strange thing is that ALL the hidden fields are being injected into the page:


and when I look in the log I find the error:

Object of class stdClass could not be converted to string

which is referring to the else part of the code. I have been reading about this error; it's the first time I've encountered it as a hobby developer. I have tried wrapping the input field in parentheses as follows:

echo("<input type='hidden' name='$key' value='$value'/>");

but no luck. I got this function via the SO page submitting a GET form with query string params and hidden params disappear and no one mentioned this issue. Can anyone help me out here? Thanks.

EDIT1: some of the comments have asked for line 295 of storelocator.php. It is the line:

echo  "<input type='hidden' name='$key' value='$value' />";

on the above foreach statement. Thanks.

EDIT2: OK, so thanks to @Alexander in the comments I did an echo var_dump($_GET) and got the following:

array(15) {
  ["use_url"]=>
  string(2) "on"
  ["zipcode"]=>
  string(26) "Smallridge Road, Axminster"
  ["categories"]=>
  array(3) {
    [0]=>
    string(1) "2"
    [1]=>
    string(1) "4"
    [2]=>
    string(1) "5"
  }
  ["radius"]=>
  string(1) "0"
  ["checkboxnational"]=>
  string(1) "1"
  ["lat"]=>
  string(10) "50.8104415"
  ["lng"]=>
  string(17) "-2.99781710000002"
  ["swlat"]=>
  string(9) "50.800220"
  ["swlng"]=>
  string(9) "-3.013988"
  ["nelat"]=>
  string(9) "50.820661"
  ["nelng"]=>
  string(9) "-2.981639"
  ["outcode"]=>
  string(4) "EX13"
  ["lat_lon"]=>
  object(stdClass)#4 (4) {
    ["lat"]=>
    string(10) "50.8104415"
    ["lon"]=>
    string(17) "-2.99781710000002"
    ["citybounds"]=>
    object(stdClass)#5 (2) {
      ["northeast"]=>
      object(stdClass)#6 (2) {
        ["lat"]=>
        float(50.820661)
        ["lon"]=>
        float(-2.981639)
      }
      ["southwest"]=>
      object(stdClass)#7 (2) {
        ["lat"]=>
        float(50.80022)
        ["lon"]=>
        float(-3.013988)
      }
    }
    ["outcode"]=>
    string(4) "EX13"
  }
  ["allproduct"]=>
  int(16)
  ["allnational"]=>
  int(16)
}

I never realised that $_GET contained so much more than what was shown in the URL string. Can anyone advise me on how I can input only those parameters that are in the URL into hidden form elements? Thanks

EDIT3: OK, so after realising that my $_GET contains so much more than the URL string, I went down the route of grabbing the URL, parsing the parameters into an array, and then running the foreach statement, as follows:

// Build the hidden fields from the request's own query string rather than from
// $_GET, which other code on this page has populated with objects and integers.
$myurl = $_SERVER["REQUEST_URI"];
$separator = parse_url($myurl);
// $parameters is the query string: everything from use_url=on onwards
$parameters = isset($separator['query']) ? $separator['query'] : '';
// $array is the query string parsed into an associative array (categories[] becomes a sub-array)
parse_str($parameters, $array);
foreach($array as $key => $value) {
    if (($key != "sortbar") && ($key != "checkboxdc")) {
        // Handle cases where QS argument is an array - for instance, "?cat[]=1&cat[]=2"
        if (is_array($value)) {
            foreach ($value as $k => $v)  {
                // ENT_QUOTES escapes both ' and ", so a value such as "> cannot close the
                // attribute and inject markup (the XSS pointed out in the comments)
                echo('<input type="hidden" name="' . htmlspecialchars($key, ENT_QUOTES) . '[]" value="' . htmlspecialchars($v, ENT_QUOTES) . '" />');
            }
        } else {
            echo('<input type="hidden" name="' . htmlspecialchars($key, ENT_QUOTES) . '" value="' . htmlspecialchars($value, ENT_QUOTES) . '" />');
        }
    }
}
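The following is an added example and not the asker's code: it takes the EDIT3 approach (parse only the request's query string, never the possibly modified $_GET), flattens nested arrays back into bracket notation, skips any non-scalar value instead of casting it to string (the stdClass case from the var_dump above), and escapes every attribute with htmlspecialchars so the `">` payload mentioned in the comments below is rendered inert. The function names, the $skip list and both sample inputs are illustrative and constructed for this example.

```php
<?php
// Added example (not from the original question). Names and sample data are
// illustrative assumptions, not the asker's storelocator.php code.

/**
 * Render one hidden <input> per scalar leaf of $params.
 * Arrays are flattened to bracket notation (categories[0], categories[1], ...),
 * which PHP re-parses into the same array when the form is submitted.
 * Objects and other non-scalars are reported and skipped instead of being
 * cast to string, which is what produced the asker's fatal error.
 */
function hiddenInputsFromParams(array $params, array $skip = [], string $prefix = ''): string
{
    $out = '';
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if ($prefix === '' && in_array((string) $key, $skip, true)) {
            continue;                                   // e.g. sortbar, checkboxdc
        }
        if (is_array($value)) {
            $out .= hiddenInputsFromParams($value, [], $name);   // recurse into nested arrays
            continue;
        }
        if (!is_scalar($value)) {
            trigger_error("Skipping non-scalar query parameter '$name'", E_USER_NOTICE);
            continue;
        }
        // ENT_QUOTES escapes both ' and ", so a value of  "><script>  can no
        // longer close the attribute (the XSS raised in the comments).
        $n = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $v = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $out .= "<input type=\"hidden\" name=\"$n\" value=\"$v\" />\n";
    }
    return $out;
}

/** Parse only the given query string; $_GET may have been altered by other code on the page. */
function hiddenInputsFromQuery(string $query, array $skip = []): string
{
    parse_str($query, $params);
    return hiddenInputsFromParams($params, $skip);
}

// Constructed sample: the asker's query string plus the hostile parameter from the comments.
$sample = 'use_url=on&zipcode=London&categories%5B%5D=2&categories%5B%5D=4'
        . '&radius=0&outcode=EX13&sortbar=x&evil=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E';
echo hiddenInputsFromQuery($sample, ['sortbar', 'checkboxdc']);

// Constructed sample shaped like the var_dump above: the stdClass value is skipped with a notice.
$likeGet = ['lat' => '50.8104415', 'lat_lon' => (object) ['lat' => '50.8104415', 'outcode' => 'EX13']];
echo hiddenInputsFromParams($likeGet);

// In the real page the query string would come from the request itself:
// $query = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY);
```

Two design points: the recursion is keyed on is_array rather than on the top-level value only, so categories[] and deeper shapes like bounds[ne][lat] both survive a round trip, and the escaping is applied to the name as well as the value, because parse_str decodes keys too and a key is just as much attacker-controlled as its value. The `evil` parameter comes out with its quotes and angle brackets entity-encoded, so it is submitted back unchanged but never interpreted as markup.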
  • Where is the code from **storelocator.php line 295???** – HoangHieu May 07 '15 at 09:05
  • Can you show us +/- 10 Lines on 295. – take May 07 '15 at 09:06
  • It means your variable is an object of class stdClass. Perhaps is has some field, that you want to print, see with `var_dump($variable)`. Then print just the field `echo $variable->someField`. – Honza Haering May 07 '15 at 09:06
  • this website is vulnerable to XSS attacks – smnbbrv May 07 '15 at 09:06
  • this code is fine and you show that it's working nicely as well. The code you have after that, which you didn't show, is the one with problems – Hanky Panky May 07 '15 at 09:06
  • Works as expected for me with the query string that you specified. The error suggests that one of the variables in `$_GET` is an object. Use `is_object` function to check for that case and then do a `var_dump` to find out what object that is and where it comes from... – Alexander Tobias Bockstaller May 07 '15 at 09:11
  • That's kind of you all to comment. Let me see what I can dig out based on the feedback. Back in a moment. – luke_mclachlan May 07 '15 at 09:14
  • @simon, can you provide an example regarding XSS? I have read about it on Wikipedia under the Cross-site scripting title, and the first thing that came to my mind was a chat application. How will an XSS attack be possible in this case or a similar case where there is only one user? Thanks – Abhinav Gauniyal May 07 '15 at 09:18
  • @AbhinavGauniyal just try a url with `anyparameter=">` and you see that it just removes everything from your page. I don't really know what kind of website is this one, but if this is not for home-use only, it can lead to this kind of attacks – smnbbrv May 07 '15 at 09:25
  • Thank you all for your help. Do you perhaps know how I can input only those parameters that are in the URL into hidden form elements? Thanks – luke_mclachlan May 07 '15 at 09:26
  • ok guys, done it via another way. Thanks all for your help. It's been a VERY valuable lesson for me. – luke_mclachlan May 07 '15 at 09:59
