PHP - Hide Url (Get) Parameters

PHP - hide url (GET) parameters

Your only option is to use a form and POST if the page you are logging into is controlled by a 3rd party:

<form action="http://search.mywebsite.com/login.aspx" method="post">
<input type="hidden" name="checktype" value="uid" />
<input type="hidden" name="user" value="adam" />
<input type="hidden" name="password" value="pass1234" />
<input type="hidden" name="profile" value="dart" />
<input type="hidden" name="defaultdb" value="kts" />
<input type="submit" value="Log me into this website" />
</form>

EDIT: If it must be a link and javascript can be required then you can use javascript to create and submit a form on the fly:

<a href="#" onclick="postLogin()">Log me into this website</a>

<script type="text/javascript">
function postLogin() {
    var form = document.createElement("form");
    form.setAttribute("method", "post");
    form.setAttribute("action", "http://search.mywebsite.com/login.aspx");

    var params = {checktype: 'uid', user: 'adam', password: 'pass1234', profile: 'dart', defaultdb: 'kts'};
    for (var key in params) {
        if (params.hasOwnProperty(key)) {
            var hiddenField = document.createElement("input");
            hiddenField.setAttribute("type", "hidden");
            hiddenField.setAttribute("name", key);
            hiddenField.setAttribute("value", params[key]);

            form.appendChild(hiddenField);
        }
    }

    document.body.appendChild(form);
    form.submit();
}
</script>

Hide get parameters names from the URL

Updated answer

To add a routing which points to an external handler PHP file, the following snippet should be used:

function wprre_add_rewrite_rules() {
    global $wp_rewrite;

    // pattern with regexps
    $wp_rewrite->add_external_rule( '^wp_report/([\w\d-]+)/?', PATH_TO_THE_EXTERNAL_HANDLER.'report.php?report_name=$1' );
}
add_action('init', 'wprre_add_rewrite_rules');

You can spot one difference in the parameter handling between add_external_rule() and add_rewrite_rule(). You must use the match selector as Apache uses it in this case.

This snippet must be placed in a file which is always loaded by your plugin or theme. If you write a plugin it can be the main plugin file. In case of theme development it can be the main functions.php file.

The custom GET parameter registration is working as it was mentioned in the Original answer.

IMPORTANT

After you have edited the rewrite rules via code (both external and internal), you must go to the Permalink settings page in the admin panel and click the Save button without making any changes. This is necessary because it flushes the rewrite rules and WP writes the rules into the .htaccess file.

This is the reason why I recommend you to hook on the plugin activation event and register the rewrite rules then and immediately run a flush_rewrite_rules() command.

NOTES

The problem with the original answer was that the add_rewrite_rule() function only works if you route to the default basic index.php. You can only modify the parameters, but you cannot route to an external file.

Original answer

I think you should use the WordPress API to achieve this. You will need to add a rewrite rule and tag in your theme or plugin with this syntax:

!! Disclaimer this is only working to route to the basic index.php !!

For the routing, add a rewrite rule which points to your PHP file.

function custom_rewrite_basic() {
    add_rewrite_rule('^report/([\w-]+)/?', 'index.php?page=$matches[1]', 'top');
}
add_action('init', 'custom_rewrite_basic');

If you want to use a query parameter which is not in the standard WP parameter list, you need to add that custom parameter name.

function custom_rewrite_tag() {
    add_rewrite_tag('%page%', '([^&]+)');
}
add_action('init', 'custom_rewrite_tag', 10, 0);

Be aware to you use built in parameters if you do not use as the WP API.

In this Codex article you find more details about the topic:
https://codex.wordpress.org/Rewrite_API/add_rewrite_rule

For troubleshooting and a deeper understanding you might want to check this Codex article too, which describes the proper rewrite rule usage, because in some circumstances you need to reset the rewrite rules (plugin activation / deactivation).
https://codex.wordpress.org/Function_Reference/flush_rewrite_rules

Hide GET parameter from URL

\w in regexp means „word“ character and such url part as „my-prety-page“ will NOT match.
To hide GET params you must improve your urlManager rules. You can write such a rule for pages using SEF urls:

'<controller:\w+>/<id:\d+>/<title:[^\/]*>/*' => '<controller>/view'

In this case when you enter url

http://example.com/page/12/my-prety-title

a Page controller will be called to perform view action with id and title as arguments. It is the same if you enter this url:

http://example.com/page/view?id=12&title=my-prety-title

The last part /* in rule allows to keep additional params. E.g. if your address is

http://example.com/user/55/john-doe-junior/foo/bar/

in UserController's actionView you can write

echo '<pre>' ;
print_r($_GET);
echo '</pre>' ;
die();

and you'll see

Array
(
[id] => 55
[title] => john-doe-junior
[foo] => bar
)

Hide url parameters from php

You need to add some extra verification/validation to your code. That's regardless if you're using GET or POST to pass the data.

You can set a session per call that defines which IDs the user is allowed to pass. It works like a basic CSRF protection:

It can be something like the below:

On the voting page:

<?php 
// Start sessions (should always be at the top)
session_start();

// Get the image id's some how. Let's use these as an example
// This could just as well be strings or what ever it is you're posting
$image1 = 1;
$image2 = 2;

// Generate a random token (random_bytes() is cryptographically secure)
$token = bin2hex(random_bytes(16));

// Store the image references in a session with the token as name
$_SESSION[$token] = [$image1, $image2];
?>

// HTML that sends the image references and the token (important)

On the page that receives the data:

<?php
// Again, start sessions
session_start();

// Check that all parameters are there
if (!isset($_POST['winner'], $_POST['loser'], $_POST['token'])) {
    die('Invalid request');
}

$winner = $_POST['winner'];
$loser  = $_POST['loser'];
$token  = $_POST['token'];

// Check if the session is set. If not, then the call didn't come from your page
if (!$token || empty($_SESSION[$token])) {
    die('We have a CSRF attack');
}

// Check if both image references exist in the session. If not, then someone has changed the values
if (!in_array($winner, $_SESSION[$token]) || !in_array($loser, $_SESSION[$token])) {
    die('Invalid image references! We have a cheater!');
}

// Remove the token from the session so the user can't repeat the call
unset($_SESSION[$token]);

// Do your DB stuff using Prepared Statements.

This is an untested example, so it might not work straight out of the gate, but it shows you a technique that can be used.

Important

You are currently wide open to SQL Injections and should really use Prepared Statements instead of concatenating your queries. Especially since you're not escaping the user inputs at all!
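
The receiving side of the technique above, carried through to the prepared statement the answer recommends. This is an added example, not code from the original answer: the `votes` table, its columns and the function names `issue_vote_token()` and `record_vote()` are assumptions, and a plain array stands in for `$_SESSION` so it runs from the command line with the PDO SQLite driver.

```php
<?php
// Added example, not from the original answer. The votes table, its columns and
// the function names are assumptions made for illustration.

// Issue a single-use token bound to the pair of image ids shown to the user.
function issue_vote_token(array &$session, int $image1, int $image2): string {
    $token = bin2hex(random_bytes(16));
    $session[$token] = [$image1, $image2];
    return $token;
}

// Validate a submitted vote against the session and record it.
// Returns true when stored, false when the request is rejected.
function record_vote(PDO $db, array &$session, array $post): bool {
    $token = $post['token'] ?? '';
    if (!is_string($token) || $token === '' || !isset($session[$token])) {
        return false;                       // unknown or already used token
    }
    $allowed = $session[$token];
    unset($session[$token]);                // single use, even if the rest fails

    // Accept only decimal integer strings, then compare strictly.
    $winner = filter_var($post['winner'] ?? null, FILTER_VALIDATE_INT);
    $loser  = filter_var($post['loser'] ?? null, FILTER_VALIDATE_INT);
    if ($winner === false || $loser === false || $winner === $loser
        || !in_array($winner, $allowed, true) || !in_array($loser, $allowed, true)) {
        return false;                       // ids were not the ones offered
    }

    // Values are bound, never concatenated into the SQL string.
    $stmt = $db->prepare('INSERT INTO votes (winner_id, loser_id) VALUES (:w, :l)');
    return $stmt->execute([':w' => $winner, ':l' => $loser]);
}

// Constructed demo: in-memory SQLite and a plain array standing in for $_SESSION.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (winner_id INTEGER NOT NULL, loser_id INTEGER NOT NULL)');

$session = [];
$token = issue_vote_token($session, 1, 2);
var_dump(record_vote($db, $session, ['winner' => '1', 'loser' => '2', 'token' => $token])); // valid vote
var_dump(record_vote($db, $session, ['winner' => '1', 'loser' => '2', 'token' => $token])); // same token replayed
$token = issue_vote_token($session, 1, 2);
var_dump(record_vote($db, $session, ['winner' => '7', 'loser' => '2', 'token' => $token])); // id that was not offered
```

In a real page, pass `$_SESSION` and `$_POST` after `session_start()`.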

Hide URL parameter from URL to get page info in PHP

You can't get the id from the URL if you don't pass it as a GET parameter.

I suggest interpreting the name of the product and from there identify the ID. But if there are duplicates, the only way is to pass the ID.

One trick is to pass the Id as part of the product name. For example

www.website-name.com/product/**product-name-product-id.html**

In this way, the product name would be part of the URL.
This is solved by changing the htaccess like this

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/.*-([0-9]+)\.html$ index.php?me=$1&pr=$2 [L]

where me is menu "product" and pr is product id.
I hope it would be useful for you.
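
How `index.php` can treat the `me` and `pr` values this rule produces, as an added example that is not part of the original answer. The `$catalog` array, the slugs and the function name `route_product()` are assumptions; a real site would look the product up in its database.

```php
<?php
// Added example, not from the original answer. The catalog array, the slugs and
// the function name are assumptions made for illustration.

// Decide how index.php should answer a request rewritten to ?me=...&pr=...
function route_product(array $get, string $requestPath, array $catalog): array {
    // me is captured by (.+), so it may contain anything, slashes included.
    if (($get['me'] ?? '') !== 'product') {
        return ['status' => 404];
    }
    // pr matched [0-9]+ in the rule, but index.php?pr=... can also be requested
    // directly, bypassing the rewrite, so validate it again here.
    $id = filter_var($get['pr'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($catalog[$id])) {
        return ['status' => 404];
    }
    // The name part of the URL is decorative: only the id selects the product.
    // Redirect to the single canonical URL so arbitrary text in the path
    // cannot front a real product page.
    $canonical = '/product/' . $catalog[$id] . '-' . $id . '.html';
    if ($requestPath !== $canonical) {
        return ['status' => 301, 'location' => $canonical];
    }
    return ['status' => 200, 'product_id' => $id];
}

// Constructed sample data and requests. In index.php the call would be
// route_product($_GET, parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), $catalog).
$catalog = [42 => 'blue-widget', 43 => 'red-widget'];
$requests = [
    [['me' => 'product', 'pr' => '42'],  '/product/blue-widget-42.html'],
    [['me' => 'product', 'pr' => '42'],  '/product/anything-at-all-42.html'],
    [['me' => 'product', 'pr' => '999'], '/product/blue-widget-999.html'],
    [['me' => '../admin', 'pr' => '42'], '/index.php'],
];
foreach ($requests as [$get, $path]) {
    echo json_encode(route_product($get, $path, $catalog), JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```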


