I have a main website (with backend SQL database), and I have satellite websites which are all separate domains. Each of these websites is hosted by a provider and has its own SQL database. However, I don't want to maintain 6 or 7 different databases. Instead I would like just one centralised one.
What I would like, is that when a user submits a form on one of the satellite websites, the data is able to get transmitted and stored in the database of the main website. May have to be via a special URL or something - I really don't know.
Is this possible and if so, how?
I think AJAX may have something to do with it, but I can't seem to get to grips with it and it doesn't seem to work for me. So I'm hoping this is possible using simple PHP. Any help would be appreciated.
Thanks in advance.
On the server where you are hosting the database, you can set up a PHP web service that would receive POST requests from the remote forms and do the communication with the database. You can pass in your POST request some extra parameters to differentiate between sources from which the requests are coming.
You will have to be extra careful with such a design idea, as your script would be receiving cross domain requests from different sources and might be prone to CSRF attacks unless you take some extra security measures by validating the sources and forms from which the requests are coming.
In addition to the above-mentioned solution, you can also simply allow your satellite sites to connect to your database directly if such a remote DB connection to your server is supported/enabled.
You can have your satellite sites connect to your central database directly as well. They don't have to be on the same servers.
All you need for that to work is a user account on your DB server which allows access from other addresses than localhost.
Yes, it's certainly possible, and probably better to do it server side with PHP rather than client side with AJAX, because on the client you'll run into XSS issues. You'll probably need to build your own API endpoints, and I suggest looking at this article for more info on making the requests.
You can generate post requests and submit to any domain. That's not a problem. Doing cross site requests can be problematic, but would like to see your code!
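The web-service approach from the answers above, as an added example (not code from any poster): the central endpoint accepts a submission only if it carries a valid per-site HMAC and a fresh timestamp, then stores it with a prepared statement. It assumes each satellite's server-side PHP signs the request before forwarding it. The site ids, keys, message layout and `submissions` table are hypothetical, and in-memory SQLite stands in for the main database so the script runs on its own.

```php
<?php
declare(strict_types=1);

// One shared secret per satellite site (hypothetical ids, constructed demo keys).
const SITE_KEYS = ['satellite-a' => 'demo-key-a', 'satellite-b' => 'demo-key-b'];
const MAX_SKEW = 300; // seconds a signed request stays valid

// True only if $sig is the site's HMAC over "site\ntimestamp\nbody" and the timestamp is fresh.
function verify_request(string $site, string $ts, string $body, string $sig, int $now): bool
{
    if (!array_key_exists($site, SITE_KEYS) || !ctype_digit($ts)) {
        return false; // unknown source or malformed timestamp
    }
    if (abs($now - (int)$ts) > MAX_SKEW) {
        return false; // outside the window; bounds how long a captured request can be replayed
    }
    $expected = hash_hmac('sha256', "$site\n$ts\n$body", SITE_KEYS[$site]);
    return hash_equals($expected, $sig); // constant-time comparison
}

// Stores one submission with a prepared statement, so values never become SQL text.
function store_submission(PDO $db, string $site, array $fields): void
{
    $stmt = $db->prepare('INSERT INTO submissions (site, name, email) VALUES (?, ?, ?)');
    $stmt->execute([$site, (string)($fields['name'] ?? ''), (string)($fields['email'] ?? '')]);
}

// Constructed demo. In a real endpoint $site, $ts and $sig would come from request
// headers, $body from file_get_contents('php://input'), and the DSN from the main site.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submissions (site TEXT, name TEXT, email TEXT)');

$now  = time();
$body = json_encode(['name' => 'Alice', 'email' => 'alice@example.com']);
$good = hash_hmac('sha256', "satellite-a\n$now\n$body", SITE_KEYS['satellite-a']);
$cases = [['satellite-a', $good], ['satellite-b', $good], ['unknown-site', $good]];

foreach ($cases as [$site, $sig]) {
    if (verify_request($site, (string)$now, $body, $sig, $now)) {
        store_submission($db, $site, json_decode($body, true));
        echo "$site: stored\n";
    } else {
        echo "$site: rejected\n";
    }
}
echo $db->query('SELECT COUNT(*) FROM submissions')->fetchColumn(), " row(s)\n";
```

Only the first case is stored: the second reuses a signature made with another site's key, and the third names a site the endpoint does not know.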
Related
I'm making a game in Unity which makes use of a remote MySQL database, hosted on a web server. Although it's entirely possible to communicate with a database directly from Unity/C#, I'm also aware of how easy it is to reverse engineer the app in order to find any hard-coded authentication information (such as URLs, passwords, etc)... So, because the server is a web server and not a VPS, that means that all database connections and modifications would need to be done via server-side scripting.
But the client app would still need to make requests to the web server, where some PHP scripts would handle the requests and perform the appropriate actions. So using a url with a php query string still revisits the original hacking issue, and even using HTTP GET/POST requests can easily be packet-sniffed without any decompilation of the game.
So unless I'm missing something, does the most secure way to do this involve a mixture of direct HTTP GET/POST requests, where the data is somehow encrypted/obfuscated? Maybe via HTTPS instead of HTTP? Or is there an even better way to do this?
Expose a RESTful API over HTTPS
If I have a WordPress website, and a user on the website enters some survey information, is it possible to send the results to a local server inside a company (assuming the website is hosted on some other company's server)? From looking around I see people using the JSON formats and GET, PUT etc., but I haven't seen this demonstrated with WordPress. Is there a standard way to do this? I can see it is possible to send via emails, but I was hoping for something more like TCP/IP communications.
If it must run through the front end's WordPress installation, then the easiest way would be a simple HTTP POST request to a server you control. PHP has several different ways you can accomplish this with minimal effort.
The other way you can do this is just to set up a form that will send an AJAX response to your server. Just make sure your receiving server is configured to allow the originating domain.
I was wondering if I could easily access my PHP files on a different server other than the one currently being used by my website. I would like to do this so I won't have to give certain scripting files to my client and have the client access them from my own server. If it is possible, how can I set my files' permissions so the client can easily access them?
Thank you in advance.
There is something called CSRF (Cross-Site Request Forgery). It is basically a way through which you can prevent what you just asked for: Accept requests from remote forms. But, you want to provide this feature. So, instead of directly accepting form POSTs, you can provide an API to selected users you choose to, by authenticating them before providing them access. But you will have to write code for the client so that he can use your API.
XML-RPC is somewhat related to what you want too. You should check it out.
So I was asked to look at reconstructing a section of a website which I didn't build. One of the issues I'm running into is a contact form which is being loaded through an iFrame from another server. Obviously, the form's action submits to the other server, and the information is stored in a database for the client to see later.
I've never had to deal with something like this before and I'm wondering if I need to go through some sort of API the host may be able to provide, or can I recreate the form so I can style it and just have it submit to the same server. Sorry for the noob level of this question, but I'm just looking to be pointed in the right direction.
While what you are planning to do technically works (I have done it myself on several occasions), it is possible the remote host might reject POST data from locations other than itself.
For example, if your site is running at www.example.com and the host site is running at www.host.com, the server running at host.com will be able to determine if you are sending POST data from example.com. This, again, is only a problem if they are cross-site checking.
Since you don't have access to their server to know, you will just have to try it and see.
Actually, this type of rejection might or might not happen, since a server needs to read the referrer to reject, but the referrer isn't sent by every browser.
Additionally, beware of protection mechanisms like session IDs, or some kind of authorization hash injected into forms as a hidden field.
I have already heard about the curl library, and that I get interest about...
and as I read that there are many uses for it, can you provide me with some
Are there any security problems with it?
One of the many useful features of curl is to interact with web pages, which means that you can send and receive HTTP requests and manipulate the data. That means you can log in to web sites and actually send commands as if you were interacting from your web browser.
I found a very good web page titled "10 awesome things to do with curl". It's at http://www.catswhocode.com/blog/10-awesome-things-to-do-with-curl
One of its big use cases is for automating activities such as getting content from other websites by the application. It can also be used to post data to another website and download files via FTP or HTTP. In other words, it allows your application or script to act as a user accessing a website as they would do browsing manually.
There are no inherent security problems with it but it should be used appropriately, e.g. use https where required.
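An added example (not from any of the answers) of the "use https where required" advice: a cURL POST helper that only speaks HTTPS, keeps certificate verification on, and does not follow redirects. The URL and field names are placeholders; the demo call deliberately uses an `http://` URL so the protocol restriction rejects it without sending the data.

```php
<?php
declare(strict_types=1);

// Sends $fields as JSON to $url.
// Returns [ok, detail], where detail is the HTTP status or the cURL error.
function post_json(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($fields),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,             // return the body instead of printing it
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse http://, ftp://, file:// and others
        CURLOPT_SSL_VERIFYPEER => true,             // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                // and that it matches the host name
        CURLOPT_FOLLOWLOCATION => false,            // never follow a redirect to another host
        CURLOPT_CONNECTTIMEOUT => 5,                // seconds
        CURLOPT_TIMEOUT        => 10,               // seconds for the whole transfer
    ]);

    $response = curl_exec($ch);
    if ($response === false) {
        // Transport-level failure: bad certificate, disallowed protocol, timeout, ...
        return [false, curl_errno($ch) . ': ' . curl_error($ch)];
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    return [$status >= 200 && $status < 300, "HTTP $status"];
}

// Constructed demo: a plain-HTTP placeholder URL is refused by CURLOPT_PROTOCOLS.
[$ok, $detail] = post_json('http://main.example/api/submit', ['name' => 'Alice']);
echo $ok ? "sent ($detail)\n" : "not sent ($detail)\n";
```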
cURL Features
It's for spamming comment forms. ;)
cURL is great for working with APIs, especially when you need to POST data. I've heard that it's quicker to use file_get_contents() for basic GET requests (e.g. grabbing an RSS feed that doesn't require authentication), but I haven't tried myself.
If you're using it in a publicly distributed script, such as a WordPress plugin, be sure to check for it with function_exists('curl_init'), as some hosts don't install it...
In addition to the uses suggested in the other answers, I find it quite useful for testing web-service calls. Especially on *nix servers where I can't install other tools and want to test the connection to a 3rd party webservice (ensuring network connectivity / firewall rules etc.) in advance of installing the actual application that will be communicating with the web-services. That way if there are problems, the usual response of 'something must be wrong with your application' can be avoided and I can focus on diagnosing the network / other issues that are preventing the connection from being made.
It certainly can simplify simple programs you need to write that require higher level protocols for communication.
I do recall a contractor, however, attempting to use it with a high load Apache web server module and it was simply too heavy-weight for that particular application.