I would like to ask for something that I donĀ“t know if it is even posible.
Lets suppose I have a QR-code that, after reading, send to ascertain URL in my server with PHP. Is it possible to get any data from the device? The situation is, i want to deploy QR codes, that when reaching my server, can offer random prizes to the device user (or save it...) But I need some data, IMEI, phone number, so I know who are the winners.
Has someone ever had a similar need?
I have searched this whole site, but cant find any answer.
The only way this would be possible would be to write your own QR code scanner app & have the user install it. And even then, I'm not sure that this wouldn't violate some sort of security control on the device.
The reason for this is simple: the QR code simply encodes a static string like a URL. There is no provision in the QR code itself to insert additional data to the URL after the device reads it - this would have to be done by an application on the user's device. And while I haven't researched all the various QR code reading apps out there, I would be surprised if the most common ones did anything like this.
What you might do is play around with a QR code scanner: set up a web server with PHP, create a QR code that points to it, and examine the request that your server gets when the code is scanned. My guess is that you'll just find the standard HTTP headers, but you might find information in there that you can use.
But the best solution to this kind of functionality would be to have the QR code point to a web page with a form on it where the user can enter their email address. This has the added benefit that you can then collect customer email addresses (with full disclosure of what you're doing with that information, of course).
Related
I've built a ticketing system with PHP & MySQL that generates a barcode for each ticket. The current set up for scanning tickets is a simple web form and a USB barcode scanner. When a barcode is scanned, it submits the barcode's ID to the form and if it matches an ID in the database then the ticket is valid.
I'd now like to be able to scan tickets with a mobile device and am wondering which is the best route to go down. How I envisage it working is the the barcode (or QR code) will have a value like "9783546" and when it's scanned, it will point to a URL like http://www.myscanner.com/checkticket.php?id=9783546
(Perhaps this is not the best solution, if not please let me know.)
Another caveat is that I'd rather not hardcode the URL in to the qrcode itself, as it's liable to change.
I know there are QR code libraries for building scanners for iPhone and Android. Is there an advantage of using one over the other? Is pointing to the url like above the best way to handle this? Is there a prebuilt scanner that allows something like this already?
Apologies for the broad question, some points in the right direction would be greatly appreciated.
I was developing simular project. While researching i decided to stop on this library.
It is really easy for integrating with your project and it can handle many different types of barcodes.
You should check this library if it supports types of barcodes(QR codes) you needed.
And here you cand find example of integration zxing with android.
https://github.com/zxing/zxing/tree/master/android-integration/src/main/java/com/google/zxing/integration/android
But it is steel difficult to scan barcode very fast. You should aim on barcode and after 1-2 seconds it will be scanned. If you want to have fast scanner and if you want scanner to be able to scan barcodes at night time you should consider idea of buing additional device for scanning.
For example like this: http://ru.aliexpress.com/item/Mobile-Barcode-Scanner-for-Cell-Phones-of-Android-wp8-Bluetooth-portable-barcode-reader-data-collection-terminal/509789346.html
It can be easyliy integrated with you android devices through Bluetooth.
I have spend some time hunting around for a solution without success so I am hoping someone here can at least point me in the right direction.
The specific project flow is this:
user visits a Facebook app
user uploads a number of photos and chooses optional filters
user can preview a video which showcases their photos (the video has animation and audio)
user can then choose to download this video for their device/PC
Some givens:
server side is PHP on Linux/Apache
preview video is Flash
output format is variable (WMV/AVI/MP4)
I have found a couple of solutions but none seem to match this exact flow. I want the whole process to be automated/scripted so need a component that can sit on the server, accept commands from PHP and be able to handle dynamic Flash input and export to the chosen format. My client has a generous budget to buy software to do this.
If anyone can suggest a good software solution or indeed another method to achieve the same goal I would be eternally grateful...
Thank you!
I won't give the exact details of how to do this yet, but a brief outline of what you could do:
User uploads video (or it's already on the server? I'm not sure)
You use exec() or shell_exec() to run ffmpeg, which will convert the
flash file to another output, depending on the user's choice.
What I would recommend is writing a bash script or something that takes a command line parameter of the output choice (and input file of course), converts the file, and returns the location of the new file. You can use the output of exec() or shell_exec() in PHP to return the location to the user and allow them to download the file.
If you would like more details on a certain aspect, please comment, but I'm not sure if you've already looked into this method, so for now it's just a suggestion.
I'm currently developing a game using PHP and MySql.
I'd like to allow users to be able to show images using a BBCode parser (NBBC) but i've been made aware of a potential security problem.
Allow me to explain:
The user enters a URL into a textarea box using code such as [img]http://example.com/image1.png[/img]
The user can then edit image1.png on the external server into a server side script that stores the user information (ip ect) and so forth.
User uses information to do some potentially nasty stuff!
My question is, how do we prevent this from happening and protect the users details when detailing with external sources?
The obvious answer is to only allow uploads to your site, but in this case, that really doesn't seem too practical.
Appreciate any help!
Actually you can by changing
[img]http://example.com/image1.png[/img]
into something like:
<img src="http://yourserver/proxy.blah?url=example.com/image1.png" />
So that your proxy would load the image instead of the user.
You can't because to your script it will look like a genuine image and there is no way of detecting anything different.
Any body can use .htaccess/ForceType to change the execution type of any file, grab user information and serve up an image in response.
I wrote a simple script for rotating images in a users forum signature many moons ago and it demonstrates this process: http://blog.simonholywell.com/post/374221718/flickering-images
You don't.
The only information the malicious user will be able to get is user's IP address and referrer URI, so you only need to make sure that nothing valuable is transmitted by it, (like session id, which you can bind to IP address or transfer via cookies).
It wouldn't even be necessary to turn that image into a script. The remote server's access log would capture the image request as it would any other request to a server. IP, browser UA, referer, etc...
If you allow external resources in user-provided data, you have no control whatsoever over how those resources are processed. If this image was for an Avatar (say), then nothing says the remote user can't make their avatar a puppy initially, then change it something nasty later on after the initial puppy picture's been approved.
Nothing says that the user couldn't point the avatar URL to a server they don't own themselves, in which case that other server's operator would get annoyed at the bandwidth theft and make the avatar picture into a Goatse-type image to get back at the bandwidth thief.
In short, if you allow external resources, you lose control. Keep everything in house where you can keep tabs on it.
Despite the responses saying this isn't a problem, it is. There are several ways to create a malicious image file that executes on the user's PC. You also have no control over whether the user's browser will honor the MIME type returned by the 3rd party server so it could return an executable file instead of an image, even though you may only allow links to files with image extensions (.png, .gif, .jpg, etc.). That interaction is entirely between your user and the 3rd party server but because it's embedded in your page the user experience will be that any infection originated from your site.
But even assuming the remote server only sends an image, you don't know if the image is even safe. See:
gifar image vulnerability
Infected .png files
Malicious code hides in jpgs
Uploading the images to your site is no walk in the park either, as discussed here.
User uses information to do some potentially nasty stuff!
You're being overly paranoid here. If a user is vulnerable just by having their IP known, their machine is already infested with a hundred different pieces of malware.
You see them everywhere. Like the twitter and facebook buttons that show up on blogs and websites that display a number of "tweets" or "likes".
All I need to be able to do is display a number from my MySQL database based on two variables (username and an ID). It would probably be useful to encrypt the variables somehow so that users can't just alter the badge's code and display another user's number.
But more importantly, I just need to know how to use the HTML code like you find in social network badges and have it talk to a PHP script on my server which will calculate the number from the database based on the variables held within the badge.
Any clue where to start?
Edit: I'm not talking about the kind of badges like you find on stackoverflow, I mean the kind other sites let you paste on your blog/site. Like Digg lets you show that your site has been dugg 7000 times, etc.
You may wish to look up the GD library for PHP and related tutorials. Basically, all those badges consist of is a static image as the template with some dynamic text inserted on top, usually consisting of the username and a number (likes, tweets, etc..).
For the HTML code, you would do something similar to:
<img src="http://www.yourserver.com/yourscript.php?username=miki&id=1337" />
This will send a HTTP GET request to your script, causing it to execute. Your script can then communicate with the database, fetch the user's information, use GD to insert that text into a template and then return that to the browser with the correct mime type and content.
You're talking about calling a remote script, essentially.
I assume you mean something like this -
You are viewing your profile on your side. You have a widget that promises to display the total number of points you have, for example.
You offer a "code" button like youtube embed or facebook "like"
The user clicks this, gets a segment of code and is expected to be able to paste it anywhere on the internet where applicable and the code will generate an icon or something with presumably the username and their points.
First, you can do this several ways. The most cost effective, in my opinion, is to generate the user button on your server on update - like say your points meant "number of thumbs up your articles received" so it will be an integer value. Every time you get a thumbs up, you would re-cache the button and write it into a flat text file. If you're good, you would write it to an image and flatten it to a jpg or gif. If you don't know how to do that, you can write it to html and save the file as a user specific "slug" like md5(username).'.html' - that way every time the server is called, you don't need to pile on bandwidth with redundant queries and account look ups. You only serve the optimized image or html file.
Second - you can give the user an iframe that has the html in it. This is generally how facebook "like" does it for people that don't use the fbml method. Problem is, many sites see iframes as potential xss attack and will strip them out. So, in order to make use of the iframe you would need to have control of the domain, which may defeat the purpose of your request if the intention is to share your profile goodies.
Third, you can call a js file on your server that makes an ajax call to your database and serves the results. This is also most likely going to be seen as xss attack and you should probably not even give it much more thought.
I mentioned the iframe and js methods in case you were looking to provide an option for other people who run their own sites. The way "like" is used by site owners to show how many times their domain has been "liked" and so on. These people have control of domains so the iframe and js methods are logical.
So -
This answer may not have much in way of raw code for you, but it should help you start.
I would do the image method since it is safer. You would give the user an image tag with their slug in the src attribute. They can paste it anywhere and there is no way to re-write the number within the image. Most forums and places where you can just post to other people's sites allow images. Just do a google search on drawing images with php, as well as using the imagemagick library to merge text and images.
I work for a school district in which the teachers submit their lesson plans to their principals online.
They do this using an online form I wrote using PHP/MySQL and it uses TinyMCE for its textareas. One of the major features that was requested was for teachers to be able to save their incomplete forms as drafts to submit later. This was implemented, but the new problem I'm facing is that not all teachers have access to the internet at home, thus they cannot work on their lesson plans while at home.
Of course, they could cut and paste out of a word document or text file that they save on their laptops, but then they have to cut/paste one textarea at a time, and they complain about it.
So what I was thinking about trying, is making an offline application that looks like the online form, but saves the form in an xml format on their computer. Then they could open this file to keep working on it, or upload it to the online form later.
My question is: being that my programming experience is currently limited to a few web-related languages (php, javascript, html) what should I use to attempt to write this offline app? Winbinder? Adobe AIR?
I think your best bet will be to ask them to install Google Gears on their browser (comes by default with Google Toolbar iirc), which is ideal for storing content offline. And then as soon as they go online it's easy to sync the stored content back to your online server.
Gears API Documentation can be found here.
How are teachers currently working on their lesson plans offline?
If they're doing it in plain text, for example, perhaps you can simply add a file upload field. They would upload their file (which they worked on offline), and your web app would parse it and divide it up into the appropriate sections.
(If rich text is a requirement, they can use a Word doc.)
To aid with parsing, you could tell them to use section headers -- maybe special words in all caps -- or provide them an example template (which maps directly to the web form) to start from.
The idea here is that you may want to minimize the changes teachers will need to make. They're already used to what they're currently doing, so work with their current habits. It would be easier than having them change and do something new. Installing a new offline app on their computers is almost certainly a significant barrier.
(While I was typing this answer, Josh Curren submitted a similar one.)
I would save the form to a text file that they can save to their desktop, then upload it and read it into the form later. You would have to supply them with a template so that everything they enter is in the correct order.
One simple option would be to build a regular desktop app they could install locally and take with them. Have an upload function in the app that allows them to submit it when they are connected to the internet.
Another option is to use create an editable PDF of the form, then either a) submit those as a whole to the principal, or b) parse out the field data on the server side.
IF they are using Internet Explorer at BOTH school and home, you could give them the form in a webpage saved in the web archive format, *.mht. They fill out the form at home and save it in the same *.mht format. When they return to school they open the page and submit it.
This should work and may be simple to implement. I tried it on this post, but ran into problems somewhere between the captcha and the openid login. Give it a try on your form.
I've actually gone with Adobe AIR to do this.
With AIR, the form looks nearly identical to the one that's used online and even uses the same TinyMCE library. And I didn't have to learn much to get it going, just the AIR javascript API.
I'm also using AIR to write a few other apps and I love it.