I need some references for cross domain php codes, as well as using javascript in the PHP. Reason why-
I am trying to create a PHP file that can be accessed from a certain site, I am making it so it test a key, as well as what website the user entered when signing up so that if someone tries to steal the script it will not work on their website.
I need to know how to do a cross domain PHP code, then I also don't want users see the Javascript I have written out, only a select bit. So basically it will be like this
$name_of_service({key:"H292H2723H20HC-0239C",options:"option"});
Can anyone explain to me my best bet on how to do this, as well as how to give a code to a user to get access to the PHP file such as...
$.get(php file);
or something of the sort. This is my first time dealing with all of this so I am a newb on the cross domain implementation. The first site does not allow for PHP Access we can only use it from another website server. Best explanations or best website explanation references please.
I appreciate anyones advice and tips. I don't need much more than just how to get it from end user to my server and hide my overall javascript from users, I mean I could encrypt it and then use a compiler though for those of whom know how to decrypt this isn't very helpful either. thank you.
For future reference:
Wikipedia already gives the answer here. You'll need to add a header Access-Control-Allow-Origin either in a .htaccess file or .php file assuming you are working in an Apache-based environment. Conveniently, PHP provides us the function header for this.
For your script to work with this, you'll also need jQuery to send the respective Origin header to the server. This can be done using jqXhr.setRequestHeader("Origin", location.href);
<script src="http://yourwebsite/file.php?key=blah&options=foo"></script>
Related
I want to sell a copy of my script to another person, my script is basically HTML AND CSS, but being a Checker, it needs a JS that passes the data to a PHP API and then it returns it to a of the index.
I know that the CSS and the JS are practically impossible to protect because they are on the client side, but I want to protect the Checker system.
How can I protect all my script? Can I put the PHP API on another server and from there transfer it to the of the shopper?
Or will there be a way to add code to the buyer's PHP API and have it check some data on my server, and if it is not there the Checker will not work?
In short, I want to AVOID leaving the PHP file in the buyer's script, because it is what makes my Checker work nd I want to prevent it from being stolen, since it is a personal checker.
Thank you very much in advance, I only know the basics of PHP and JS, currently I only master 100% HTML and all about CSS.
You could let the customer use your version of the software ( that you host yourself ) and restrict their access with something like an API key. You would need to check before each request if the api key is present and if it's still valid.
This would allow you to control who has access to your script, without having to "give" away your code.
API authentication, in itself, is a whole subject and can get very complicated. I would suggest you start with a simple API key and see how it works out for you.
The youtube channel fireship.io has a great video on the subject. I highly suggest you check it out.
You cannot really protect your JS because it executes on the user/customer computer. You can obfuscate it but it's a bad practice because it makes it had for your customer to debug and maintain their site and they will not buy your program.
In fact the customers are usually testing your service and integrate it before actually paying it.
You don't have to protect all your work, since copying the JS is pretty useless without the PHP. Only keep the PHP for yourself on another server.
my point is to create advertisment banner in a way, that it will be placed on someones server (say remoteserver.com) and still getting data, that I want to show from my server (say myserver.com).
That little issue, that bothers me, is how to do it. I have done some research, but obviously there are some restrictions about php include and maybe a little fewer about AJAX calls that goes cross-domains. But still I think I see those adds on the web every day.
And if possible the solution should mean anywhere from a few to none server configurations on remoteserver side.
Thank you very much.
/edit:
My original idealistic idea was to supply remoteserver with just <div><?php include 'myurl'?></div> and if anyhow possible I would love to stick to some simple solution like this, preferably using php.
I'm currently writing an Android app at the moment, that accesses a PHP file on my server and displays JSON data provided by my MYSQL database.
Everything works great and I love the simplicity of it, but I'm not too comfortable with the fact that someone could just type in the URL of this PHP file and be presented with a page full of potentially sensitive data.
What advice would you give me to prevent access to this PHP file from anyone except those using my android app?
Thanks very much for any information.
The keyword is authentication. HTTP-Authentication is designed just for that purpose!
There are 2 forms of HTTP-auth:
Basic: easy to setup, less secure
Digest: harder to setup, more
secure
Here is the php manual.
And this is what you can do in your android app.
There isn't really a fool-proof way to do this. However you can require the user agent to match that of your application. You can also hide a private key in your application that is passed as POST data to your PHP file. Now, neither of these will stop someone who is determined to get at the raw output, but it will slow down the people who are just screwing around killing a little time seeing what they can accomplish.
Why not only enable a valid response if the request is sent with the following header:
Content-Type=application/json
If the request doesn't pass it as the Content-Type, then you just terminate the script (as regular browsers usually want to get text/html or similar things). It's not really worth locking everything tight shut, as if your app can get the data from your server, any user would have the opportunity too.
I am designing a website, and I really want it to be as secure as possible.
I have a private folder that cannot be accessed (.htaccess) which contains all my php classes (and similar structures), and a public folder that has my Javascript, CSS and a PHP file for the Javascript(via AJAX) to interface with, which in turn accesses the classes in the private folder.
Now here is my issue, and for the life of me I just cannot seem to get my head around this one:
If someone was to look at the js code they would see the commands / data being sent to the publicly available PHP Script (as described above), therefore getting an idea of what commands to use interface with that script and potentially gain access to stored data etc.
now I know that ajax wont work remotely etc but as long as you got the commands from the ajax script you could interface directly with it, so i thought i would do a referrer check on the interface script and that worked perfectly until I realized how easy it was to spoof your referrer header!
does anyone have any ideas on how to secure this. if this just sounds like complete garbage tell me and I'll try and break it down further.
AJAX and JS are client-based - everything they do, any user can do. If you expose an API method to AJAX, you expose it to the user - there's nothing you can do about that. That's your design choice. You could of course obfuscate your API calls, but that doesn't really do anything other than make it less user-friendly.
The bottom line: don't trust any user input, regardless of whether it came from your AJAX code or somewhere else.
Well, someone scripting your site directly would only be able to access the same stuff he already can in UI, right?
If you have an script function doAdminStuff(), you would check server side if the user is logged in AND is an admin, before taking any actions
Relax, dude.
This is SPARTA! WEB.
Every site in the world is "exposed" like this. That's the way the web works, Ajax or non-ajax based.
You can't help it, yet there is no harm in this. There is nothing to secure.
Here are my recommendations:
Use SSL if you are not already.
Use a (software) token for all requests that you want to protect.
To discourage others from reading your javascript files, you can obfuscate them. Dean Edward's packer is a famous one.
Write a script that sniffs logs and data for potentially bad activity. If you are not logging all the activity you need to (like if the apache logs are not enough) consider writing activity to your own log.
don't be paranoid, just filter input params, maybe you should switch on SSL so you ajax requests content will be hard to sniff, etc.
Are you using the ajax-thing only for security-reasons or for any other reason? Because you can build up an architecture like this (a PHP-file as "gateway" and all other PHP-files in access-restricted folder) without using ajax as well. If you want to check out, you could take a look at the default folder structure of Zend Framework. This structure has the advantage that there is no logic visible for your users at all.
Also important is that IE (at least IE 6 & 7 I think) does not send a referrer at all by default so this probably wouldn't work anyway.
This is a question of security, so I am not looking for a solution on how to do this, I just want to make sure that it cannot be done.
Let's say I have a file called login.php and it's hosted online and running live, let's say on http://www.rimmer.sk/login.php
Now, let's image this file looks like this:
<?php
if (isset($_POST['register'])){
echo 'all is done !';
}
?>
Question: Can you, externally, send $_POST['register'] to my file, or can this be done only internally from files hosted within the same virtualhost?
It can be done. Everyone can send you a POST (or a GET, for that matter) request. There is no limit that forbids requests from outside your virtualhost.
(maybe not for you, maybe it is, but not everyone can set your $_SESSION, so an external domain cannot alter that)
In short yes it can be posted from the external site.
Yes this can be done very easily. Take a look at: http://php.net/manual/en/book.curl.php
Of course I can post from an external location, after all that's what the user's browser does when they submit the form. I can therefore write a script to post the register field to your server with ease.
What use case are you imagining? There are lots of security options (firewalls etc) but without knowing what you are trying to achieve, it's hard to give specifics.
One way of denying script attacks is to generate one time passwords on the server that you send to the browser with each registration form, then when you get a response back, check that the OTP is valid. This at least adds another layer of security.
But as I say ... without knowing more it's hard to be specific.
or can this be done only internally from files hosted within the same virtualhost?
Quite contrary. This cannot be done only internally. In fact, a form being sent not from server internals but from the user's browser