BulletProof Security
[resolved] BPS and URL Params Plugin (8 posts)

  1. ElementalMedia
    Member
    Posted 1 year ago #

    Hello
    I am using a slightly modified version of the URL Params plugin
    It allows me to pass a value (dollar amount) from one form to another, located on a different page.

    Exactly in the same fashion as this site

    If you select $200 on the homepage, $200 will be pre-populated on the next form, different page.

    After installing BPS, these values are no longer being passed. This seems to be the result of the BPS 'locking down' procedure that re-writes/modifies a few files for greater security.

    Is there an exception line of code I can implement in the Custom Code area of BPS that will restore this functionality?

    If so, could you please tell me what that code would be, and in which pane of the Custom Code section I should place it in?

    Here is the modified URL Params code I am using:

    <?php
    /*
    Plugin Name: URL Params
    Plugin URI: http://asandia.com/wordpress-plugins/urlparams/
    Description: Short Code to grab any URL Parameter
    Version: 0.4
    Author: Jeremy B. Shapiro
    Author URI: http://www.asandia.com/
    */

    /*
    URL Params (WordPress Plugin)
    Copyright (C) 2011 Jeremy Shapiro
    Updated by Phil Jolly 2012
    */

    // Tell WordPress to register the shortcode: [urlparam param="..." default="..." dateformat="..."]
    add_shortcode("urlparam", "urlparam");

    function urlparam($atts) {
      $atts = shortcode_atts(array(
            'param'      => '',
            'default'    => '',
            'dateformat' => ''
            ), $atts);

      // 'param' is a comma-separated list of names; the first one present in the request wins.
      $params = preg_split('/\,\s*/', $atts['param']);

      foreach ($params as $param) {
            // "form.requested_amount" addresses the nested value $_REQUEST['form']['requested_amount']
            $pieces = explode('.', $param);
            $p1 = $pieces[0];
            $p2 = isset($pieces[1]) ? $pieces[1] : null;

          if ($p2 !== null && isset($_REQUEST[$p1]) && is_array($_REQUEST[$p1]) && !empty($_REQUEST[$p1][$p2])) {
            // Escape the request value before it is echoed into the page so a crafted URL cannot inject markup.
            return esc_html($_REQUEST[$p1][$p2]);
          }
          else if (!empty($_REQUEST[$param]) && !is_array($_REQUEST[$param])) {
            if (($atts['dateformat'] != '') && strtotime($_REQUEST[$param])) {
                return date($atts['dateformat'], strtotime($_REQUEST[$param]));
            } else {
                return esc_html($_REQUEST[$param]);
            }
          }
      }

      return $atts['default'];
    }

    Thanks for your time and have a great day.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    "After installing BPS, these values are no longer being passed."

    I need to see an actual example and/or specific details of the problem.
    What are the actual values that you are trying to post, and what does the query string look like? You can post just the end portion of the query string and do not need to post your entire URL if you do not want to.

    I am guessing that maybe square brackets are being used in the query string and BPS will block square brackets in query strings.

  3. ElementalMedia
    Member
    Posted 1 year ago #

    Thanks for the fast reply.
    I am hoping you had a chance to look at the example site I linked to.

    Here is the code I am using:

    <form action="http://mysite/loanpage/" method="GET" onsubmit="this.submit();return false;">

    <div class="styled-select">
    <select name="form[requested_amount]">
      <option value="100">$100</option>
      <option value="200">$200</option>
      <option value="300">$300</option>
      <option value="400">$400</option>
      <option value="500" selected="selected">$500</option>
      <option value="600">$600</option>
      <option value="700">$700</option>
      <option value="800">$800</option>
      <option value="900">$900</option>
      <option value="1000">$1000</option>
    </select>
    </div>
    <button class="blue" type="submit">APPLY NOW</button>
    </form>

    I am trying to pass the 'requested amount' value, so I believe you are right on target with the square brackets.

    Is there any exemption code I can use to get this working again, and where would I place this code, please?
    Thanks

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, I looked at the site URL you posted. Is this the website that is having the problem?
    This query string has urlencoded square brackets - %5B and %5D and would be blocked by BPS.

    ?form%5Brequested_amount%5D=200&submit.x=258&submit.y=49

    To not have this example query string blocked by BPS you would modify these security filters. If the example site you had me look at is not your site and your query strings have another problem, then this fix will not work for your site. If your query string is different for your actual site, then I would need to see the query string to tell you what needs to be done.

    modify these security filters...
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
    
    ...to this
    
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
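    To see what each filter does to a query string, here is an added Python emulation (not part of this thread or of the BPS plugin) of the two RewriteCond lines above, run over constructed sample query strings; Python's re module stands in for Apache's PCRE, and the [NC] flag is modelled with re.IGNORECASE.

```python
import re

# The two BulletProof Security query-string filters quoted in the thread,
# as mod_rewrite regexes; the [NC] flag makes the match case-insensitive.
ORIGINAL_FILTERS = [
    r"^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).*",
    r"^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).*",
]

# The same filters with the raw and encoded square-bracket alternatives
# removed, as suggested in the post above.
MODIFIED_FILTERS = [
    r"^.*(\(|\)|<|>|%3c|%3e).*",
    r"^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).*",
]


def first_match(query_string, filters):
    """Index of the first filter that matches the raw query string, or None.

    Apache tests RewriteCond against QUERY_STRING before any URL decoding,
    so the string is checked exactly as it appears after the '?'.
    Python's re engine stands in for Apache's PCRE here.
    """
    for i, pattern in enumerate(filters):
        if re.match(pattern, query_string, re.IGNORECASE):
            return i
    return None


def compare(query_string):
    """(blocked by original filters, blocked by modified filters)."""
    return (first_match(query_string, ORIGINAL_FILTERS) is not None,
            first_match(query_string, MODIFIED_FILTERS) is not None)


# Constructed sample query strings: the thread's own example, the raw
# (unencoded) form of the same field, a value carrying encoded angle
# brackets, and a bracket-free field name.
SAMPLES = [
    "form%5Brequested_amount%5D=200&submit.x=258&submit.y=49",
    "form[requested_amount]=200",
    "form%5Brequested_amount%5D=%3Cb%3E200%3C%2Fb%3E",
    "requested_amount=200",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        before, after = compare(qs)
        print(f"{qs!r}: blocked before={before}, after={after}")
```

    The edited filters stop rejecting `[` and `]` anywhere in the query string, not only in this form's field name, so the value should still be validated (for example, as an integer) where the plugin reads it.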
  5. ElementalMedia
    Member
    Posted 1 year ago #

    No that is not the actual site. My client preferred I did not list it here in the forum.

    I pasted the actual code we are using for the button that has the square brackets: <select name="form[requested_amount]">. And the value 'requested amount' is the value we are trying to pass.

    There are several fields in the Custom Code pane:

    Root .htaccess File Custom Code
    - CUSTOM CODE TOP:
    - CUSTOM CODE PLUGIN FIXES
    - CUSTOM CODE BOTTOM
    
    wp-admin .htaccess File Custom Code
    - CUSTOM CODE WPADMIN TOP
    - CUSTOM CODE WPADMIN PLUGIN FIXES

    Where would I place the code you provided in the above post?

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, I completely understand about remaining anonymous, but posting only the query string itself and not the entire domain name/URL is safe because the site would still remain anonymous.

    The actual code you posted tells me what the possible output might be, but it does not tell me the exact end result/output - the query string.

    If the actual query string for the actual website contains square brackets, then you would not be adding anything to Custom Code and would be directly editing the security filters in your root .htaccess file. These are standard security filters, so you would need to modify them directly following the example I posted.

  7. ElementalMedia
    Member
    Posted 1 year ago #

    modify these security filters...
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
    
    ...to this
    
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]

    If the actual query string for the actual website contains square brackets, then you would not be adding anything to Custom Code and would be directly editing the security filters in your root .htaccess file. These are standard security filters, so you would need to modify them directly following the example I posted.

    This solution worked great. Thank you for the advice and the great plugin. Have a great day!

  8. ElementalMedia
    Member
    Posted 1 year ago #

    Resolved

Topic Closed
