I'm working on a web based CRM system that has limited capabilities to extending it's functionality.
To extend the functionality, I've installed apache with PHP on the same server, from the php code, I have access to the CRM database.
I can run the page served by apache by adding a iframe in the CRM system, grabbing a ID from the URL and passing it to the iframe using the following javascript:
<div id="mydiv">
<script>
function getUrlParam( name, url ) {
if (!url) url = location.href;
name = name.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
var regexS = "[\\?&]"+name+"=([^&#]*)";
var regex = new RegExp( regexS );
var results = regex.exec( url );
return results == null ? null : results[1];
}
console.log(window.location.href)
var iframe = document.createElement('iframe');
var html = 'http://192.168.0.2:8000/Map/' + getUrlParam('ID',window.location.href);
iframe.width = 800
iframe.height = 800
iframe.frameBorder = "0"
iframe.src =encodeURI(html);
document.getElementById("mydiv").appendChild(iframe);
console.log('iframe.contentWindow =', iframe.contentWindow);
</script>
</div>
This all works very well, but this aprouch opens up a security issue: To see anything in the CRM system, you need to be logged in.
If someone would know the url/port of the apache server, they can see whatever they like without having to login.
What would be the best way to overcome this security issue without relying on "Security through obscurity" ? Is there a way to check that the iframe source is only loaded when it's indeed a iframe or can I check for cookies from the parent site?
I have no access to the username/password of the loggedin user on the CRM side.
The CRM users only use chrome or firefox by the way.
Related
I Would like to open my app from safari, i am new with working with iOS and mobile application development.
My Website is written in PHP, And i Am Using Objective-c for iOS development.
Ow figured it out was a mistake of not refreshing app
here is an example of switching from browser totally using javascript
window.location = "myApp://";
This example call app to an iframe so as to preserve the state of the website: still in javascript:
var frame = document.createElement('iframe');
frame.src = 'myApp://';
frame.style.display = 'none';
document.body.appendChild(frame);
// avoid unnecessary iframe on the page
setTimeout(function() { document.body.removeChild(frame); }, 4);
Note that on this examples i have not put any parameters yet which would be like:
myApp://params
Objective-c End Looks more like this:
- (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<UIApplicationOpenURLOptionsKey, id> *)options
Still have a long way to go but will get there thanks for you help.
I'm creating an Adobe Air app for our members. Each time they open the app, I want it to quickly verify their membership status in the background before it allows them to use it. Unfortunately, I don't have access to the WordPress database that would tell me this valuable information.
Would it be possible to open a URL in the background (completely invisible to the user) that pings their member's only page on our site? Currently, if a non-member tries to access that page, it redirects them to a 404 error page. By loading it in the background, would there be a way for my app to tell if it was redirected to the 404 page or not?
That might be a horrible workaround, so any better ideas are completely welcomed.
You could write a server sided PHP script which will return "true" or "false" according to a userId:
http://yourdomain.com/isMember.php?userId=XXX
And then you could use the AS3 URLLoader class like so:
var urlRequest:URLRequest = new URLRequest("http://yourdomain.com/isMember.php?userId=" + userId);
var urlLoader:URLLoader = new URLLoader();
urlLoader.addEventListener(Event.COMPLETE, urlLoader_complete);
urlLoader.load(urlRequest);
function urlLoader_complete(evt:Event):void {
if(urlLoader.data == "true")
{
trace("A valid member!");
}
else
{
trace("An invalid member!");
}
}
I want people to sign up to my site and give them a unique javascript snippet that they have to put on their site.
I have 2 questions.
1) Let's say I use the code below to track visit duration on their websites. The track below tracks when a person visits the site and leaves it but how can I make sure they actually leave the site and not just visit another page on that site's domain (meaning the user is still on their site). Cookies?
var timeLog = {
start: null,
end: null,
init: function(){
this.start = new Date().getTime();
},
sendResults: function(){
this.end = new Date().getTime();
var jData = { "client": "some-access-string", "start": this.start, "end": this.end };
var client = new XMLHttpRequest();
client.open("POST", "http://yoursite.com/process_info.php");
client.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
client.send(JSON.stringify(jData));
}
};
window.onbeforeunload = function() {
timeLog.sendResults();
};
timeLog.init();
2) I haven't done cross site scripting so I am wondering if javascript snippet calls the process_info.php script, would I be able try to set a cookie and also get $_SERVER variables such $_SERVER['HTTP_USER_AGENT']. Will that work since the actual php script will be on a different domain?
This code is not cross browser; it would be better to use Image to perform tracking, just dump all tracking data in the URL itself.
The advantage is that you can give a <noscript> snippet that includes an invisible tracking pixel as well without much modifications. The distribution and initialization of the script itself can be done with a small snippet like this that will insert a <script> tag in the body and run it.
Also, don't use .onbeforeunload(), that stuff is nasty. It's better to determine site departure by using session properties, such as time in between requests; if you don't receive another request within X minutes, assume the user has left.
Setting cookies from your PHP script should work as expected, as long as the cookie domain corresponds with the URL of your script (i.e. no third party cookies).
I'm trying to use jquery mobile to create a simple web app. At one point in the app, I need to get information from a php page to a javascript page, and then back and forth again (i.e., javascript will update the cookie, which will be read by php, which will then be read by javascript, etc.).
In order to test that I could set a cookie with php and then read it with javascript on the same page load, I created the following, working script:
<?php
include("../../../connectFiles/connect_dev.php");
setcookie("cookie_test","hello", 0, '/');
?>
<html>
<head><title>Cookie setting test</title></head>
<body>
<script type="text/javascript">
function readCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++) {
var c = ca[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}
alert(readCookie('cookie_test'));
</script>
Hello there, I hope you were able to see my cookie!
</body>
As I mentioned, this worked just fine. However, when I take the same code and try and implement it inside of a jquery mobile framework, I can't seem to find the cookie. It keeps coming up as "null." I'm guessing this has something to do with when the cookie is being accessed through the jquery mobile framework. I've bound the readCookie function to the pageshow function in jquery mobile like this:
$(document).on('pageshow',function(e, ui){
if (e.target.id == 'assessment') {
var objective = readCookie('objective');
alert("objective: "+objective);
Unfortunately, this results in a "null" cookie value every time. What do I need to do to be able to set the cookie in PHP and call it in javascript?
Ok, I'm not sure how this is normally done. But I've got a script that basically empties a div of content and then loads content from a div from a separate webpage, without reloading the current page. This works great.
It's taken from this example actually, from net tuts (great site btw)
http://nettuts.s3.amazonaws.com/011_jQuerySite/sample/index.html
And the guy who wrote this even though about handling the url's since the url don't change when using his method. So he wrote a javascript snippet that looks up the url and loads the content accoringly. Which is not working btw.
But I was thinking about people who don't have javascript enabled, or iPhone and iPad users ;)
Copying URLs and sending to a friend won't work at all.
So how is this typically done? And can it be done without javascript? Possibly by php?
I'm using this code basically:
$(document).ready(function() {
// Check for hash value in URL
var hash = window.location.hash;
if(hash==href.substr(0,href.length)){
var toLoad = hash+'.php #content';
$('#content').load(toLoad)
}
});
$('.dynload').live('click', function(){
var toLoad = $(this).attr('href')+' #content';
$('#content').fadeOut('fast',loadContent);
$('#ajaxloader').fadeIn('normal');
window.location.hash = $(this).attr('href').substr(0,$(this).attr('href').length);
function loadContent() {
$('#content').load(toLoad,'',showNewContent())
}
function showNewContent() {
$('#content').fadeIn('fast',hideLoader());
}
function hideLoader() {
$('#ajaxloader').fadeOut('normal');
}
return false;
});
See Tabtastic
In a nutshell, link to the id of the element you want to go to, and don't hide the content if JS isn't available.
You can't access the hash-part of the URL through PHP. You can only access that from the browser.
However, you could just change the code to using a normal GET query string instead. So put whatever you put behind the # symbol, behind ?hash= in the URL instead and work with it that way.