So what I am trying to accomplish is this; I have people cold-calling potential customers. When the caller gets a potential client on the phone and has them interested, they transfer the client to a sales agent to seal the deal.
During the initial conversation, the cold-caller collects some info in a form I have online such as name, phone number, address, etc. I need the cold caller to be able to transfer those values to the sales agent when they pass the phone call over.
The cold-caller and the sales agent are in two different buildings across town from each other, and the sales agent uses an online form to collect data as well. Capturing the values is not the problem, it is the pass from one agent to another that I cannot figure out.
I thought maybe the cold-caller could post the form to a Google spreadsheet, but I do not know how to get those values to populate on the second form when the call is passed. I need the transfer to happen within a few seconds, so sending a URL with the captured values in an email won't work due to email being unreliable in the speed department.
Anyone have any thoughts on this? I can use HTML, jQuery, or whatever. I would need help if it has to be done in AJAX....
Thanks!
Ok.
This is customer side:
Customer put data into form, send this data to server.
Server must save this data for agent.
This is agent side:
Browser send check requests (maybe automatically, maybe agent need click some button) for new data from customers.
If exists new data you should place this data into form on agent page.
$('#first-form').submit(function() {
$.post('/another-destination', $(this).serialize(), function(r) {
alert('Data sended to another destination!');
});
return true;
});
Looks like you are wanting to use HTML5 and Javascript WebSockets to be able to push data from one browser to another.
Ajax requires polling, meaning a query has to ask the server for new information.
This can be accomplished by saving and comparing the last updated timestamps from a session variable.
Websockets push data to a connected peer when it is updated allowing for data to automatically populate as it is submitted, much like a real-time chat system.
If you are stuck on PHP you should take a look at Ratchet since it is fairly straightforward and minimalistic to implement in comparison to many of the alternatives.
http://socketo.me/
Chat demo using ratchet http://socketo.me/demo
Add in a RDBMS to create, read, and update the data and you have a powerful real-time application.
Related
I'm developing a javascript memory card game. At the end the user has the ability to submit his score to a database. The best 4 scores will win a prize.
At the end of the game a lightbox opens containing a form, where the user inputs his firstname, lastname and an email address. The score will then be posted to an api via ajax. Also the score is included in the post request.
An experienced user can easily lookup the score submit request in the browser dev console and could easily send a fake score via curl or an own build ajax request.
What would be a good way to prevent cheating here?
Generate a UUID for the user's session and store it in their cookies or JS local storage or something. Then save the score tied to this UUID in the db. Then save the name and email also tied to the UUID.
Basically don't calculate/send the raw score on the client side. Send the raw answers from the game to the server and let the server calculate and save the score.
you may try something like this
if(#isset($_SERVER['HTTP_REFERER']) &&
$_SERVER['HTTP_REFERER']=="http://yourdomain/ajaxurl")
{
//Request identified as ajax request
}
This will make sure the referring site is yours. I've heard this can be hacked by modifying headers... but it is only a game, and if they can get passed XSS and checking referring http and can generate their own headers, they deserve to win....
Here's the scenario. A customer already has an eCommerce site where they are collecting shipping address info and credit card data. However, they sign up with a SaaS service that allows them to easily change their credit card form to also collect fullnames and emails (not credit card info) into a marketing system for other purposes. So, they paste a jQuery snippet into their page from the SaaS service and add some "data-" attributes to their form and form field tags so that the SaaS service knows what to intercept and where to what SaaS account to post the data.
Okay, but then a security problem occurs. Let's say we have two separate customers in that SaaS system. One is named Jack and owns jack.com, and his account ID is 100001. The other is Nancy, nancy.com, and 100002. Jack could add the snippet into his form and add some "data-" attributes, but then screw up and set his account ID in one of those data- attributes to 100002 instead of 100001. This would mean that Nancy would suddenly see Jack's data in her account. Not good! The fix, of course, is to have some setting in Jack's SaaS account so that he only accepts data from jack.com, and Nancy only accepts data from nancy.com.
But then a potential exploit happens. All a hacker has to do is create a spoof page on his own server where he forms similar JSON and, via a /etc/hosts file change on his workstation, makes it appear that he's jack.com. He could then fire in thousands upon thousands of bogus marketing form information into Jack's account because the SaaS service thinks it's coming from jack.com.
Is there anything I can do in the jQuery code, or the PHP code used by the SaaS service, to ensure that a hacker can't spoof like that and that only Jack's real customer data gets sent?
ANSWERED QUESTIONS
Q1. "How do you identify Jack and Nancy? By domain?"
A1. Jack has his domain jack.com. Nancy has her domain nancy.com. Each use this marketing SaaS service, but each are also co-opting an eCommerce form they already had before they signed up for the SaaS service. They were told in the SaaS docs, "Just drop the scraper.js in your form page and add these data- tags to your form tag and html input, textarea, and select tags so that the scraper.js can intercept those form submits temporarily, glean the marketing data (full name and email, let's say) from that form, and then let that form submit on its workflow that you already had. The data- attributes would identify which account is to be used, as well as which marketing campaign and sub-campaign where this data should be stored at the SaaS service." However, in the jQuery of scraper.js, it was going to pass in the JSON the location.href property so that it knows what domain was used -- jack.com or nancy.com, in this particular instance. Trouble is -- the location.href can be spoofed by a hacker who sets up an /etc/hosts file entry of 127.0.0.1 for jack.com on his workstation and runs a copy of the same JSON code.
Q2. "What if you could use a callback mechanism from SaaS.com to jack.com? So, one of your data- attributes would specify the callback function to receive data back from SaaS.com, and then only save data when it gets the right response?"
A2. Now that's an interesting take. Yeah, so I could like drop an extra PHP page on jack.com that emits "OK". When SaaS.com receives a JSON data post from jack.com, it sends a request to that second PHP callback page on jack.com with file_get_contents() to ensure it not only gets the OK response back, but also gets a match on IP address and SSL certificate data. If the two are different, then most likely the request was a bogus hacker request and the transaction can be security logged and rejected. (I can do the IP address verification easily, but am not certain how to verify the same two SSL certificates in PHP, if that's even allowed or possible.) Of course, IP addresses can be spoofed.
Another layer of security on this is that this second PHP page can use a public/private key exchange communication check between SaaS.com and jack.com instead of simply emitting "OK".
Q3. "Why would you want to intercept payment information and send that off through Javascript?"
A3. Absolutely not. Never specified sending payment information in this question. Was saying something like Full Name and Email, instead. Yes, SSL communication would need to be used as well in order to send that data securely. And, we'd have to use JSONP to get around the CORS problem.
Q4. "Wouldn't that require jack.com to have everything saved in a database for verification? If so, why bother with the SaaS app?"
A4. Nope. Not at all. Check out the answer A2. With that mechanism, the SaaS app receives the data, but doesn't trust it until 2 things happen:
It calls back to jack.com to a second page, and ensures that the response it gets back has the same IP address as the one that sent the form data in the first place.
It does a public/private key exchange check (which the hacker can't spoof obviously unless they have server access) in that second page to ensure that IP spoofing wasn't occurring.
Q5. Wait a minute. A2 and A4 have a problem. The IP address of the initial sending request will be from the user's workstation, not the server. So, you can't validate IP that way. You'll have to use another mechanism to validate that someone completed the form at jack.com and that it wasn't from a hacker spoofing jack.com.
A5. You're absolutely right. Forgot about that I guess because I'm slightly distracted on another project. I'll have to give this some more thought.
TL;DR: If you're using a purely client-side integration (just javascript), there's no way to completely secure the request.
Accidentally/intentionally sending data to the wrong client
You can mitigate this by using non-sequential, random UUIDs as account IDs. For example, if an account ID looks like 100001, then someone might try using the account ID 100002; however, if the account ID looks like c3f80e491d44cd91664a0459a0777ed01, it's statistically unlikely that someone will be able to send data to an unknown account.
Intentional spam/fictional submissions
This is a problem with any form that stores data on the internet; I'm not aware of any way around this without help from some server side code.
You can generate a one-time token to be included with the json payload - this can be something like a dated JWT token secured via HMAC, or a set message encrypted with a shared secret key which would then be de-duped by the SAAS server.
If you're going to start involve server-side programming, then this additional negotiation process becomes a bit irrelevant - it's far easier to the just give the e-commerce site an API key, and let them post the customer information over when they receive an order.
I'm looking at a domain registration site that looks like it uses jquery to process users data inputed and to register domains.
What I was wondering is if it's possible for users to be able to fill in data on a form on my website and then when the user is ready to complete payment, be taken to the actually domain registration site where all the data they typed in on my site will be posted to the domain reg site.
So basically, the users fills in a load of info on my site, AND attempts to check for domain availability on my site. Once the users has found the domain they want, they will be redirected over to the actual domain reg site where all their info will be posted.
Now I know if the domain reg site used PHP to process all the stuff, it wouldn't be a problem. But they don't use PHP.
Do you guys reckon this could be possible?
I'm not sure this would be possible in any amount of time that would make it worth it to you. Without knowing any of their back-end code, it's going to be extraordinarily difficult. Edit: I should add that I did look through some of their jQuery code and it looks as though they're using ajax .post() to submit data. Where this data goes and what responses are expected is anyone's guess, though...
That said... there are quite a few domain registrars that offer real APIs to let you do what you want... or even let you go one step further and offer the ability to register domains directly through your website. Sometimes you can set your own price, as well.
Here are links to some of these APIs:
Namecheap: http://developer.namecheap.com/docs/
GoDaddy: http://www.godaddy.com/reseller/domain-reseller-api.aspx
eNom: http://www.enom.com/resellers/Interfaceinfo.asp
I'd personally recommend NameCheap, but for the purposes of your question, any of these should do.
I can't make any promises but say you used jquery ajax to pull in the form the would have to fill out. Said form would then be on your client side so in theory I think you could use their input ids to fill out the form using javascript/jquery. All this would technically be client side. To bad that other site does not have an api for purchases.
Do you have control over the domain registration site? There are many ways you can send the user's input over to that site, but of course it has to be looking for this posted data and know how to handle it. PHP is not necessary to handle the data that is passed in. For example, if you send your info to the domain registration site via a form GET method, the info will become part of the URL, which can be accessed and parsed via javascripts window.location property.
For my next application i would like to implement something that has a feature like the facebook wall but let me explain a bit. For those of you who used facebook you know that when somebody posts a message on your wall, and you are logged in to your account, you will get a notification immediately somewhere in the lower left corner. Lately they even pushed this a little bit further and if somebody comments on it the comments are updated as you visualize the page, it's like an instant chat.
My application will be developed in PHP, I will use Zend Framework to do it. I'm interested in the basic principle that makes the facebook wall behave like that (updates in real time). I know there is ajax involved but I can't really tell how is the javascript triggered when the user is doing something. Or even more, how to push back to a user some info that was added after he viewed the page. For example, let's say that a somebody adds me as a friend. I would like to see a notification saying "X has added you as a friend" if i am logged in. I hope you understand what I'm trying to do.
If you can tell me some basic ideas, maybe provide some links that have this information I would be very grateful.
Thank you for your time in reading this.
you need to look at comet , reverse ajax , ajax polling
If some event is triggered, then store the event on database (with ajax or without ajax).
You will be needing a script in server to check if some event has been triggered or not. This script should be able to check events that are stored in database.
You need to execute script in step 2 periodically. This can be acheived with with ajax (javascript or jquery) and a function settimeout (on javascript) to send ajax request to server periodically.
Changes are sent from server. So parse the response and update in page using javascipt and jquery.
So, it can be summarized as
Register an event (for one user)
Check the event (for other user)
Parse the response and update the page
There are several elegant ways to do this as answered by others.
The best would be the start the project and ask for help where ever stuck.
It is only partially possible to keep an HTTP connection open, so the best option is probably to poll for changes. You can send a request each second to see if anything is changed since time 'x'. On each response you send along the server time. With the new request you send the time of the old request and the server can return any events that happened inbetween.
Also you can read something about AMQP. You can send a message to recepients inboxes (after some actions in your system) and then read inboxes after start or with some time interval.
Good day to all.
I created a moderated chat (each question/answer/whatever have to be moderated). Now my only problem is that I don't know a way to simulate lots of users that type something and after the post is moderated get a replay. So what I ask is if there is someway to simulate users typing something then press enter. (and for each some ajax to get the response). I can moderate whatever they type or if I can simulate a moderator is even better.
Thank you for help.
Try using a dynamic web testing tool that supports sample data injection - Loadzen has a dynamic data feature: so you would record your test using their Scenario Recorder, then you would generate sample data sets for each of the recorded GETS/POSTS and attach them to your recorded scenario.
This will effectively have the same effect as simulating loads of users sending and responding to each other with sample/dynamic data, you could mix the data sets to make sure that it's random on both the answerers and askers side.