I have a webpage written in PHP, HTML and, first of all, JavaScript. I want to block (deny access page and show a message) access my webpage for person who doesn't have enabled JavaScript in browser settings or doesn't support it, because then my page isn't correcly displayed and there are a lot of bugs (also security bugs !). I know that there is possible to write <noscript> statement in HTML, but then something other than this text is dispalyed and it also is removable (e.g. by Inspector function is browsers), I said that without JS my page contains bugs. So, my question : is there any way to block access* for users which doesn't support JS to my page using PHP ? Any other suggestions are welcome :)
*Block access means - deny access main page and show a message
This is not possible to do in a truly secure way.
Yes, you could just serve a page that is blank, and then use JS to actually load the content (e.g. via AJAX), but the problem is that JS must load that code from somewhere, and an attacker could do that too. But here's the real problem:
Users have control over their browsers. JS is client side code. An attacker may choose to run, not run, or change and then run your JS. An attacker may even run their own JS to call or replace your functions. Any security that relies on your JS is broken by default.
So while you could (and people do) show a warning message over your page that is then hidden by JS code, or use JS to load your content, it won't ever be secure.
If you really really really need this. I said three really because I think most of the time you can choose alternative to this.
Set a cookie using JavaScript and pass it along with your request to server and validate the cookie on your server with the passed request. If you are able to verify the cookie Your client has JS else not.
Better way would be to redirect js and non js users from single point. say in your index.html file you have have javascript code that will redirect your clients or visitors to different url. That way you know those users have js enabled else they would not be redirected.
You can make a "sub" page that loads its entire content via AJAX. This will not stop people from hitting your URLS directly though. Don't trust the client.
Other answers and comments already include a lot of details on why you really can't technically block access using Javascript, however, a simple workaround to do something only when JS is enabled, is to call a JS function after DOM loads:
<script type="text/javascript">
window.onload = do_something();
</script>
</body>
</html>
do_something() then could include simple things like switching block element visibility, e.g., hide the non-JS message, plus launch AJAX loader or do something else from the stuff that has been already suggested above.
Related
I'm looking for a solution similar to the php include method, except like at html's iframe tag, if I click a hyperlink on the included php, I don't want the browser to navigate the whole tab to the new url, but only navigating the included page without getting the parent page change/disappear.
UPDATE:
okay, thanks for the quick answers, seems like I didn't ask the right question:) so here is some background info: the whole page itself is a single-file website using the exactly same javascript+hiddendivs page changing method than that you just wrote. my problem is: I'm using a flat-file CMS to keep my News page managable by people having no coding knowledge. so I made an own template for the CMS only showing the news themselves. Then I embedded the CMS's index.php to my parent index.php with php include method and it looks really well, except my problem is, when I click "earlier posts", it navigates to the CMS's index.php and loads earlier news in there. I'd like it to load earlier news without navigating anywhere, just like at html's iframe method. (I will use iframe if there is no other solution, but its configuration would be really complicated if I wanted to stay cross-browser supportive)
From the action described it sounds like what you're looking for is not actually PHP but client side JavaScript. AJAX can perform exactly what you describe and there's a very easy library called jQuery to help you do this, with minimal effort.
http://api.jquery.com/jQuery.get/
http://api.jquery.com/jQuery.ajax/
You can bind your button to a JavaScript function which can then fire AJAX, grab the result of your other PHP page and display to the user in a .class or #id in the HTML, without leaving the current page.
If the behaviour your looking for is more advanced and "app like" you can also consider entire MVC JavaScript frameworks such as Backbone.js or Ember.js
The best thing you could possibly do is use jquery/javascript and manipulate a div (or the iframe) to where it navigates to X link when interacted with. You can actually change the url of an iframe using jquery and have it re-load to any url that you want. Reload an iframe with jQuery is a good example of how to do that. And for interacting with and digging through the contents of an iframe, instead of just changing the attributes of it, take a look at http://developer.vimeo.com/player/js-api.
Do keep in mind that the 2nd link is for a media player, BUT it still shows (and in a very simple way) how to interact well with iframes. You could use jquery to insert an id or class to the links in the page originally loaded into the iframe, then have the script on the 'parent page' navigate the iframe to one of the links when it's clicked. Just toy around with it some and have fun with it; a learning experience doesn't always have to be like a personal hell. I'll check back later and see how things turn out!
To do this you must understand what you are dealing with.
The *.php page loaded into user's browser is a processed and parsed page.
This parsing occurs at the server-side, and processed by the PHP processor on the server.
Now, after a *.php file is processed any interaction with it is lost. The only thing a user (client-side) sees is the result of this processing. Hence, to communicate with this page an information must be sent.
Normally, browsers send information on requesting a page. That is how the HTTP protocol works.
Since the user is the client-side, he must send relevant information (headers, variables, etc.) by the rules of the protocol. This means, a user must request the page and by this request the data will be sent.
AJAX technology allows you to open an HTTP request dynamically, on the background, while the page is still running with no need to refresh. It sends the relevant data according to protocol's convention and allows you to trigger a callback function to handle the answer when it arrives from the server.
Here you can find a beginner's tutorial, that will provide the necessary information for you to start.
P.S.
I would strongly recommend you not to use common external libraries like jQuery, node.js, Backbone.js etc. at the beginning. These libraries are tools that were created to simplify code writing for advanced developers. They may confuse you and mess up your programming logic and learning path.
Good luck!
Sounds like you want new content to appear on the page, without the user being directed to a new page. You can achieve this with jQuery. This is a quick example.
HTML:
<p>
Page 1 Page 2 Page 3
</p>
<div>
<div id="content1">
This is page 1.
</div>
<div id="content2">
This is page 2.
</div>
<div id="content3">
This is page 3.
</div>
</div>
jQuery:
$('#content2, #content3').hide();
$('a').click(function() {
var id = $(this).attr('id');
$('#content' + id).show().siblings().hide();
});
Live Example: http://jsfiddle.net/VxZKs/1
Is there any way possible to detect if a user has disabled JavaScript after load of the page so that <noscript> tags are rendered? Server side or client side is fine.
You could try putting an image inside the <noscript> tag, which would point to a php file of yours, which in turn it should return an image. This could allow you to know in the server that the user has Javascript disabled.
How to identify the user: you could rely on the session, or set an ID to the url of the image.
You could use the answer on this question as an example on how to server image files from a php script where you could add your logic to detect if the user has js disabled:
Return a PHP page as an image
Here is an idea I got from a book long time ago
<script>
document.cookie= "js_enabled=true";
</script>
Use the above on some first page that you see. Then check for that cookie on the next request to see if javascript is enabled. Of course this has the same flaw if cookies are disabled.
no... any kind of such detection after the page is loaded would have to be detected with js, and if it's disabled, it can't even do anything if it is.
Why not just render the NOSCRIPT tags all the time? That's the point of that tag, to provide content when JS is disabled. If the user is seeing what's in the NOSCRIPT's then they clearly don't have JavaScript enabled.
You could also have a JavaScript AJAX call fire at page load. If your server recieves a request for the page, but then does not receive the AJAX call by the client within the standard loading time frame, then the server can assume the client doesn't accept JS. Not perfect mind you, but you are dealing with client-side JS here.
I don't think there is really a good way to do server-side JS detection. <noscript> is the semantic way to specify non-javascript content - so I suppose rather then detect if JS is disabled, you should detect if it is enabled. You can hide the detection by default, and put a <style> block inside the <noscript> to unhide.
Hey all..here a question from GJ in Holland.
I am busy with my first AJAX web programming and really like the idea where one php file (index) is loaded and from there xmlhttprequest are able to load and refresh content of the div's without refreshing the page.
Things are running good so far and about 4 div sections get different contents depending on which menubuttons you press (all through getdata functions and xmlhttprequests).
My last step is to integrate an extra autenthication div. I am trying to implement a nice jquery fade in fade out system with a login.php with the input fields for user name and pass; a process_login.php which compares the data with mysql and returns if theres a match or not; and finally a secured page where the user can logout when succesfully authorized.
These pages seem to work seemlessly when i load the login.php directly in browser.
When i use getdata and xmlhttprequest on the login.php to load it into a div section on index.html nothing works anymore because it seems it can't use the functions anymore which are declared on the login.php page.
Reading ajax for dummies doesn't give me any answers although i am sure there must be an easy to understand logical explanation for this fact.
I can't get my head around it..please any info is welcome...greets
GJ
Javascript loaded through ajax does not become part of the window. You have to explicitly execute it (e.g. using eval). There's no direct solution to this problem, so you need to come up with a model for your application to know about the resources that are needed by something it loads through ajax.
The best way to do this is to create some application-wide convention - e.g. set up a cross reference of pages & script files, and use $.getScript to load them on demand. Ideally you would check to see if a resource is already loaded before trying to load it again.
Here's a simple idea you could use. In the output of your login.php add a tag at the top, e.g.
<span id="script" style="display:none">login,/scripts/login.js</span>
Then after an ajax call that loads a page, do something like this:
data = $('#wrapper').find('#script').html().split(',');
if (!window[data[0]]) {
$.getScript(data[1]);
}
So basically you're passing some info in the HTML that the loader uses to figure out what it needs. The first parameter is a namespace, so you can check if it's already loaded. The 2nd is the path to the script.
You could flesh this out to account for more than one script, use JSON for the data format, etc.. but this is a basic idea.
Yeah, you could always just include all your scripts up front, too :) however loading on demand is a good idea for any nontrivial application, so you don't clutter things up with scripts you don't need. The login script's only going to be needed once per session after all.
As to why.....I dont know why this behaves so.
However as to a fix/workaround. Im in a similar situation currently where im loading in pages (actually asp/jscript rather than php). What ive discovered is that the scripts you write in the page thats being loaded in, are not available anymore when loaded through AJAX. I have experienced the same problem if the page being loaded contains an applet or other html object type of tag.
A solution to this is to move your scripts to an external file on the server, from there your page will be able to reach them regardless of whether it was loaded by AJAX as a panel or is a standalone page
Example: (this is obviously jscript rather than php but the loading will be similar.)
Page login.asp contains in <head>
<script type="text/javascript" src="scripts.js"></script>
I am building an AJAX deep-linked site.
I want PHP to load all the HTML code of the page if the user is trying to access the site with a Javascript non-supported browser or if it is a search crawler. Basically PHP will return the whole page.
On the contrary, when the user is trying to access the site with Javascript supported browser, I want PHP to return only the template code, and let Javascript (AJAX) take care of the rest. Basically PHP will only load design elements and let Javascript populate them with content.
I looked into PHP's get_browser() function, however it seems it is not such a reliable tool. What is the industry's practice see if the browser supports Javascript or it is a search crawler using PHP?
Background:
Why I want the site to have this behavior.
Since I want the home page to load just by loading the address: example.com, which does not send any query to PHP, PHP returns the HTML code of the home page. This however causes issues when the user tries to load the following page: example.com#foo. So, for this example, PHP will return the home page and once the home page is loaded, Javascript (AJAX) will change the content around so that it shows proper content for #foo. This will make the user to see the home page, therefore load time will be slower and user-experience will not be so nice. However if my PHP script can figure out that if the use with Javascript supported browser is trying to load the page, it will only return the template of the web site, which has no content) and the javascript will populate that template with content whatever is supposed to be displayed for #foo. On the other hand, if the Javascript non-separated browser or a crawler will try to access the page example.com#foo, home page will be returned.
I am using SWFaddress (http://www.asual.com/swfaddress/) library for the deep-linking.
Edit
Thank you guys. I did not think of using <noscript></noscript> before.
Here is what I decided to do. PHP by default will load pages such as example.com or example.com#foo (which is essentially the same as example.com from PHP's point of view since fragments by definition are not sent to the server) blank (just visual template) with <noscript> tag inside for the content of the home page. This way users with javascript will not see the home page and AJAX will populate the content of the page according to the #foo fragment. On the other hand, search crawlers and users without javascript will see a home page.
Thank you again. I think this is pretty simple and elegant solution. If you have any further suggestions, please post a comment or another answer.
You can't do this using PHP. What you can do though is use a noscript tag to redirect to another php page if they don't have javascript:
<noscript>
<meta http-equiv="refresh" content="0; URL=nojavascript.php">
</noscript>
It's not possible to accomplish this in the way you're trying to do it.
It's rare that someone has JS turned off and doesn't know it.
PHP doesn't get passed anything after #, only javascript can do anything with that. So even if PHP could determine if the browser has javascript turned on then it still couldn't read # anyways.
You could include a link inside some <NOSCRIPT> tags that point the user to something like example.com#foo?javascript=disabled.
Unfortunately, browsers do not report whether JS is enabled or not, so there's no way to know from a simple HTTP GET whether or not you should send JS reliant pages.
You should just build an AJAX query that sets a session variable for javascript enabled.
Run this AJAX query before any other information on the site is loaded and then do a simple redirect to the actual site.
You could do something like this pseudo code:
Index.php:
ajax(check_js.php);
redirect(main_page.php);
check_js.php
$_SESSION['js_enable'] = true;
main_page.php
if($_SESSION['js_enable'] == true) {
//execute page
} else {
header("Location: no_js_error.php");
}
Instead of the server trying to sniff our the user's settings, how about using unobtrusive javascript in the first place? This way, the page will degrade gracefully (to the desired state) if JS is not available.
Can I Stop or interrupt PHP script for particular time?
I would like to implement logic like below:
on mydomain.com/index.php there will be flash appear showing some intro of a product for suppose 20 sec. Once it complete, on same index.php page the home page of site will appear.
I am not aware about flash (action script).
Is it possible in PHP or Javascript ?
Usually "splash pages", as the're called, are made up of a seperate page.
In flash you can use the following code (Actionscript 3). Put it int the last frame, or use an event listener to redirecrect when the file is finished. The actual redirect looks like this:
getURL("http://www.woursecondpagehere.com", "_self")
Where you place it is up to you.
EDIT: I think that this is a reliable solution because this guarantees (if implemented correctly) that the page won't move until Flash is done. CSS and Javascript will work fine too.
There isn't a need to interrupt PHP in the scenario given. Though I think what you want is to load the rest of the HTML after a certain event occurs.
If thats the case then you can use AJAX to load the additional HTML from the server. Or you can use CSS to hide that content and show it after a certain point.
The META Refresh tag is probably not what you want since it will redirect the user after 20 seconds, regardless of how long it took to load your Flash file, then play it. Since the speed of the user's connection cannot be reliably predicted, you will probably end up with a poor user experience.
What you want to do is definitely possible but it will involve some interaction between the Flash object and the rest of your page. If you could do as Moshe suggested and simply have the Flash object redirect the user's browser to your actual home page with content on it, that would be easier.
If you insist on keeping everything on the same page, one way to do it is to call a Javascript function from the Flash object once it's finished playing. The function you call should be written to hide the Flash object and/or it's container and display the container () with all of your content that you're ready to show.
See this Codefidelity blog post for a quick tutorial on how to call JS functions from Flash.
Also, to clarify, you won't be interrupting or changing when your PHP script runs. That runs on the server before the page is created and sent back to the user's browser. All you need to do is structure the HTML/CSS of your page to have two DIVs: one with the Flash object in it and the other with all your normal page content. However, set the CSS to only show the DIV with the Flash object, then finally use Javascript to hide that DIV and show the one with the content in it.
Try this,
write the your flash (splash screen) <embede> code in index.html and simply use javascript redirect function with javascript timer functions to redirect to index.php where you actual content is there.
something like...
window.location = "http://your.domain.name/index.php"
or
location.href = "http://your.domain.name/index.php"
use setTimeout() to call redirect after specified time.