I'm trying to get data from a remote server in an Android application. A php file was created for interacting with the database. However instead of data, I got all structure of the PHP file such as codes and tags...(as you see in the attached picture below).
Please help me.
Click to enlarge
The web page you show sets a cookie and then does a browser redirect to http://topapplications.ir/myText.php?i=1 (All in JavaScript) So presumably your tests in Explorer work because they're redirecting.
If your back end needs to do this logic, and your front end can't execute the JavaScript, then I suggest performing the same logic via PHP instead. Either that or point to a URL that doesn't do a redirect.
Set the cookie with setcookie and then do a proper server redirect with status 302 if necessary.
Related
I have a project where i'm calling a php file from jquery ajax.Inside the php file i have a curl call to a rest API to have some data.This data flow cannot be altered i.e from jquery i call the php file then from php file the api will be called.Now i have to prevent displaying the url in the firebug console when the ajax call is triggered.Any idea how can i achieve this? Here is the code i used for calling the php file.
$.getJSON("file.php",function(data) {
console.log("hello"+data);
});
Now i have to prevent displaying the url in the firebug console when the ajax call is triggered.
Sorry, not possible. If the user's web browser is making a request, the user can see it. Even if you manage to somehow hide it from the web browser, they can still see it in any number of other tools. Any request that comes from the user's machine can be inspected by the user.
If you absolutely need to make this happen, then you need to write a custom client and perform encrypted communication between that client and your server.
Now to the real question... why should this be hidden from the user? If the user shouldn't see the data, then why is the request being made client-side in the first place? Just make the request from server-side code and keep the data server-side. If the user should see the data, then what's the problem? If the user only shouldn't see the URL but should see the data, get the data server-side and only show the data to the user.
If you have a public URL which is providing requestors with sensitive information and you don't want anybody to know what that URL is, you have a security problem. As mentioned in a comment above, security through obscurity is no security at all.
Apologies if this question duplicates some other question, but I can't find one exactly like it in S.O.
I am writing a remotely hosted app, the kind that runs when you put a javascript on your own website page, where the src="some remote javascript.js". so, the script operates by calling every operation as a jsonp ajax. A lot of jsonp housekeeping, but otherwise works surprisingly well.
In the main remote js script, I set a user cookie when the user logs in. It works fine, the cookie is set for a year, and when you return to the page it continues recognizes you.
However, when I try to output the cookie (even after it has been set) using php, my php code does not see it for some reason.
If I alert(document.cookie); the cookie is displayed.
If I do a var_dump($_COOKIE); php returns array(0) { }.
This isn't a "you have to reload the page after setting the cookie with javascript" problem.
As far as I know, when I use the Firefox Web Developer extension to View Cookie Information, it is all happening on the same domain.
Looking over many other examples, it is clear that PHP should be able to read a cookie, even if set by javascript.
Even as I write this, I think a glimmer of what the problem is is starting to form in my head, that (possibly) a JSONP'd php script isn't going to see the cookie set by javascript.
i am messed up with a strange problem. My Form works fine on local machine but when i upload this to some web server, it does not work fine . Without uploading online, when i add some values and click Submit. It shows ThankYou message. But When it is uploaded, after adding any value, when some values are added and Submit pressed, values are entered to database but it doesn't show Thankyou message rather it just remains as it is. Please, suggest some solution. What should i do to make it work fine online ?? Should i send the single HTML file that contains the form ? Have a look at form here: http://dl.dropbox.com/u/33855631/lon_dec/form.htm
i also tried it by uploading to different servers like bluehost etc but no solution.
You're indeed making a cross-domain request (to http://www.londondeclaration.com/wp-admin/admin-ajax.php), which your browser doesn't allow. Either host the front-end and back-end on the same domain, or (if that's not possible) host a proxy to the external source on your own domain.
As #PPvG already mentioned this looks like cross-domain scripting. In general, it is possible to perform croos-domain scripting, but you must set the according HTTP headers as specified here. That's what happens in detail:
user accesses a web page on DomainA including some JavaScript (i.e. jQuery)
user submits button and jQuery fires request to your server on DomainB
result is returned to the users browser, but per plicy the client forbids the scripts from DomainA to examine the response retrieved from DomainB. It's important to understand that security is enforced on the client.
How to solve the problem: Your application on DomainB must set the correct HTTP response header, so that the browser allows your jQuery script from DomainA to work with the response from DomainB:
Access-Control-Allow-Origin:DomainA
This may still not work in all situations. I.e. Internet Explorer does enforce fairly rigid rules when it comes to HTTPS, if I remember correcly cookie management is a problem as well.
EDIT: In Google Chrome you can easily see that this is the problem:
There's an existing website written in PHP. Originally only the website existed, but now an Android application is being built that would benefit from re-using some of the PHP logic.
The PHP site was structured such that there are many pages that perform an action, set success/error information in $_SESSION, and then redirect to a visual page without outputting any content themselves. For example, there's action_login.php:
The page accepts a username and password (from GET or POST variables), validates the credentials, sets success/failure messages in $_SESSION, and then redirects to the logged-in homepage on success or back to the login screen on failure. Let's call this behavior the "HTML response".
The Android application will need to call the same page but somehow tell it that it wants an "XML response" instead. When the page detects this, it will output success/error message in an XML format instead of putting them in $_SESSION and won't redirect. That's the idea anyway. This helps prevent duplicate code. I don't want to have action_login.php and action_login.xml.php floating around.
I've read that the Accept Header isn't reliable enough to use (see: Unacceptable Browser HTTP Accept Headers (Yes, You Safari and Internet Explorer)). My fallback solution is to POST xml=1 or use {url}?xml=1 for GET requests. Is there a better way?
No frameworks are being used, this is plain PHP.
That's what the Accept Header is for. Have the Android request the page as application/xml and then check what was requested in your script. You might also be interested in mod_negotiation when using Apache. Or use WURFL to detect the UserAgent and serve as XML when Android.
I'd go with the android app sending a cookie for every request (really I would prefer the Accept header, but with the problems you pointed out with webkit I understand your reluctance to do so). The cookie simplifies the code server-side to not have to check for $_GET['xml'] or $_POST['xml'], and if some android user shares an URL of your application and it had a ?xml=1, the user who opens this in a computer browser would receive XML instead of the normal web output.
I wouldn't rely on $_SESSION for mobile applications because users (or at least I do) on mobile platforms tend to open your app, play 5 minutes, put mobile on pocket and 2 hours later return to your app. Do you want to set a session lifetime so long?
why not set a specific session for the app and then only set the header if the session is set something along the lines of
$_SESSION['app'] = "andriod app";
if ($_SESSION['app'] == "andriod app") {
header..
not really sure how to implement this into an app as I've done really little work with apps but hope this helps your thought process
there is a page that i need to post a password to it and then i get a file to download.
the post goes to the same page address its loads again and pop up the download manager (download starts automatically).
now i want to do the same but in curl, i posted the data to the url and then its sends me the file back but i don't want my script to download the whole file i want only to get a link to download it by myself.
how can i do that?
Actually, you most probably can't. Such password protected download system usually checks either cookies or browser / environment based variables. Getting the link itself shouldn't be problem, however you could not use it outside this generator's scope anyway.
firstly you need to post that password with curl assuming "on specific form. the form will take you to the downloading page" now you need to use regex (regular expressions).
filter the data you want then save it on other variable to re-use it.
There is for sure a redirection after you hit 1st page with POST. Look for that redirection with curl and read http response headers: Content-Location or Location or even Refresh
To prevent the automatic download you have to set the curl opt to not follow redirects. I can't remember the exact command but curl by default will follow auto refreshes and URL redirects, which happen in split seconds so humans don't actually see it happening.
I kinda don't understand what you really want to do, but if you just want a link then have the php script perform the entire curl post and everything when they click it. Doesn't matter what the web server will require a password before access to a file, you can't skip that step.