Restrict site access to QR scans only - php

I saw a few questions out there already about ensuring site access comes from QR code scans, but they seemed to be focused on analytics purposes (tracking where traffic was coming from), whereas my interest is in security/privacy.
I want to set up a site that can only be accessed when a provided QR code is scanned. In other words, I don't want the URL that the QR code possesses to be able to just be manually typed/pasted in for site access via other means.
I've been googling this issue for a bit with no luck whatsoever. I'm trying to think of a way with referring URLs or other means to ensure that a person arrived at the site by actually scanning the provided QR code.
EDIT: The solution would need to be scanner-independent as well (i.e. I cannot force users to download and use a specific QR scanner app) and cross-platform (Android + iOS + WinMo + BlackBerry, etc.).
Now I submit the issue to you wonderful folks.

We have something similar at our company. We provide a link like:
zxing://scan/?ret=http%3A%2F%2Ffoo.com%2Fproducts%2F%7BCODE%7D%2Fdescription&SCAN_FORMATS=UPC_A,EAN_13
Where {CODE} is the code which is returned in the QR code. So what you can do is create a URL like the one above (see "More info" for a link), and then put encrypted data in the QR code, so that only if this URL is clicked by the user and the data of the QR code is correct can people continue on to your website. This way, if the QR code is leaked, they won't know the site. And if they know the site, the code is encrypted.
If people scan the barcode by clicking on your website, zxing will open a new browser with the URL and the {CODE} filled with the scanned code.
But, people do need the barcode scanner from android or iphone.
More info:
zxing download / homepage
zXing scanning from w

You can't ensure that the URL came from scanning the QR code, that isn't possible. QR codes are just a method of encoding text, once the user knows the text they can do whatever they want with it.
You can, however, restrict the usefulness of the QR code so even if it is leaked it isn't useful. If possible, I would start by generating the QR codes on-demand with a random seed and have them expire shortly thereafter. This would make it so even if the QR code were leaked, it wouldn't be useful for very long.
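One way to build the short-lived codes described above is to put a random nonce, an expiry time and an HMAC over both into the URL that the QR image encodes. This is an added example, not code from the original answers; `QR_SECRET`, `QR_TTL`, the function names and the example.com URL are assumptions.

```php
<?php
declare(strict_types=1);

// Placeholder key: generate once with random_bytes(32) and keep it server-side.
const QR_SECRET = 'replace-with-32-random-bytes';
const QR_TTL    = 300; // seconds a freshly generated code stays valid (assumed value)

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build the URL to encode in the QR image: random nonce + expiry + MAC over both.
function issueQrUrl(string $base, ?int $now = null): string
{
    $exp   = ($now ?? time()) + QR_TTL;
    $nonce = b64url(random_bytes(16));
    $mac   = b64url(hash_hmac('sha256', $nonce . '.' . $exp, QR_SECRET, true));
    return $base . '?' . http_build_query(['n' => $nonce, 'e' => $exp, 's' => $mac]);
}

// Returns true only for an untampered, unexpired link.
function verifyQrRequest(array $query, ?int $now = null): bool
{
    foreach (['n', 'e', 's'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return false;           // missing parameter or array injection (?n[]=)
        }
    }
    if (!ctype_digit($query['e'])) {
        return false;               // expiry must be a plain integer
    }
    $expected = b64url(hash_hmac('sha256', $query['n'] . '.' . $query['e'], QR_SECRET, true));
    if (!hash_equals($expected, $query['s'])) {
        return false;               // forged or altered parameters
    }
    return (int) $query['e'] >= ($now ?? time()); // reject expired codes
}

// Constructed demonstration: issue one link, then check it three ways.
$url = issueQrUrl('https://www.example.com/myapp/');
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
var_dump(verifyQrRequest($q));                         // fresh link
var_dump(verifyQrRequest($q, time() + QR_TTL + 1));    // same link after expiry
var_dump(verifyQrRequest(['e' => '9999999999'] + $q)); // expiry edited by hand
```

The check limits how long a leaked code is useful; it does not show that the URL was scanned rather than typed. Storing each nonce on first use and rejecting repeats would make a code single-use as well.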

About the best you can do is set a query string in your QR code. Something like:
http://www.example.com/myapp
Could be changed to something like:
http://www.example.com/myapp/?qrcode=1
This can then be handled in PHP with:
if(!isset($_GET['qrcode'])) die();
The problem with this, of course, though, is that anyone with the URL could simply navigate directly to that URL in their normal web browser.
This isn't something you can prevent, however.
You can also check whether $_SERVER['HTTP_USER_AGENT'] claims to be a mobile phone. Here's another question on the topic.

You could add parameters, but ultimately QR codes are just a method of encoding text, so whatever you encode can be typed into a browser if someone knows what's encoded.

If you are making a POST call to a web URL from the QR code, then whatever body you are sending with it will not be visible unless the user went through QR scan mode. So by just entering the web URL, the user will not be able to access the web URL's contents.

What does Facebook use for this feature?

I am not sure this is the correct SO to post on, but if not, admin, please feel free to move it to the relevant SO or suggest that I move it.
I am using a contractor to help me create a website for some project. He has coded the entire custom website in PHP.
One feature that I requested was that links posted on the website should have the preview feature that we see in Facebook (FB) like in attached picture.
But he keeps saying that I can only use embedded code to create such preview feature. When I show him the FB preview he says FB is probably using technology of its own. Currently if I post the link from youtube to my test website it shows up as text like: https://www.youtube.com/watch?v=jtkUtNzaFPI&t=1909s
My question is:
What exactly is FB using? Is this easy to implement for any PHP developer, or is it a really time-consuming implementation?
"he says FB is probably using technology of its own"
His answer to your question is utter nonsense, and indicates only that he doesn't want to do what you're asking. You hopefully aren't paying him very much.
What Facebook is doing is kind of sneaky, but structurally simple. The order of operations is:
1. User enters text on Facebook page.
2. AJAX request is sent to Facebook server with text.
3. Facebook server parses and sees that there's a link in there.
4. Facebook server makes a server-side HTTP request to link destination to find out more.
5. Facebook server parses response for anything it can add to the input template that the user is seeing.
6. Facebook responds back to user (maybe web sockets? maybe a response to that earlier AJAX request?)
7. Client-side code on the Facebook page updates what the user is seeing.
Steps 2-6 intuitively sound like they may take a lot of network time, but these tend to be very quick services (Facebook itself, YouTube, etc.) so that's usually not a problem.
The main concerns here are Step 3 and Step 5. That's where Facebook is using some custom logic that it likely spent considerable effort defining. There may be libraries which help with that, likely made in response to the demand for this exact feature. I don't have any to recommend, sorry.
The technical implementation is the easy part. Determining from the user's text what data to fetch could be difficult. Determining what data to put in the page could be difficult. That depends on the scope of what you want to implement.
For example, it may be difficult to detect if the user has entered a variety of things you can respond to, but it may be easy (with a regular expression perhaps) to detect if the user has entered what might be a YouTube URL. So if you reduce the problem space to just YouTube previews, then you may be onto something. If you can successfully parse that YouTube link, you're in business. Now you can hit a YouTube API and get information to send back to the page.
Continue with that pattern for other small problem spaces (previewing a link to an image, previewing a link for another popular site, etc.), and you can over time add that same feature.

Generate QR code to special page

I have a QR code that points to my website www.myweb.com. But I want to customize it: if a visitor reaches the website by scanning the QR code with a smartphone, it should redirect to www.myweb.com/qr.php. This is the algorithm scheme:
If visitor website -> QR code
redirect to www.myweb.com/qr.php
Else
redirect to www.myweb.com
Is there any trick for that in PHP, without changing my QR code, because I have already printed it on all collateral, like stickers, name cards, etc.? I have searched but have not found one yet.
If the link from the QR code is simply www.myweb.com, I'm afraid you are out of luck. There is absolutely no difference between reading a QR code and accessing the link and manually typing in the address.
The only possibility is you may be able to catch certain visitors if they are using an app to read the QR code, subsequently view the target page in-app, and said app has something identifiable about its User Agent string. I have not experimented with this, but I would suspect this is actually not the case.

Get Youtube username without API PHP

How do you retrieve the username of someone on YouTube who is using your application with PHP? I'd prefer to do this without the API, but if needs be, point me in the right direction because I don't know what to download. I've visited the Google developers site / place already.
I found some code from 2009 but it was to retrieve usernames from a youtube video and it didn't work. I tried reading the contents of page with the fopen() and file_get_contents() but it always appears as if I'm not signed in whereas I am signed in via FireFox.
Don't know if this makes a difference but I was running this on EasyPHP via localhost
Thanks
You can't, by design. You do not have their session cookie server-side where you're using fread. Youtube determines whether you are or are not signed in based on that session cookie, and you do not have one on your server.
If you want their YouTube user name, use a client-side API in JavaScript or simply ask them for it with a text input field. It is impossible to find it server-side, as it should be. Your server has no business finding out my Youtube username without my express permission and interaction.

QR Code Location Check

I have been told to work out a means of calculating whether a user has accessed a website from scanning a QR code or by accessing through normal methods. The company are using Google Analytics. Ideally the system would calculate what country the user is in when the QR code was scanned, although I think Google analytics does most of this for me.
My initial idea was to have a blank redirect page in the middle of the QR code and the full site, and put some separate analytics code in to that. Alternatively I could perhaps throw in a PHP referrer script that alters the analytics code based on the response, but this would still require a landing redirect page.
I'm a bit of a newbie, and this is quite a big client, so I thought I'd ask on here before starting anything that might not be the best method!
That’s one good option. Another would be to use a query string parameter in the URL, like this:
http://example.com/page/?from=qrcode
If you have control over the QR codes, you can add a GET variable to the URL, and then in your index page, you merely test for the QR-code GET variable and {do magic} if it is set or has a certain value.
I would use an intermediate page, as it gives you one point of entry for all QR encoded URLs.
From the QR code:
http://yoursite.com/qr.php?url=http%3A%2F%2Fyoursite.com%2Ffoo.php
Anywhere else:
http://yoursite.com/foo.php
Then on qr.php, you would simply use a header() redirect to $_GET['url'] after you're done with whatever statistics you're going to record or analyze.
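A qr.php that redirects to whatever arrives in `$_GET['url']` will forward visitors to any address placed in that parameter, so the target should be checked against the site's own hosts before `header()` is called. This is an added example, not code from the original answers; `ALLOWED_HOSTS`, `FALLBACK_URL` and `safeRedirectTarget()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical values: hosts this site is willing to redirect to, and a safe default.
const ALLOWED_HOSTS = ['yoursite.com', 'www.yoursite.com'];
const FALLBACK_URL  = 'http://yoursite.com/';

// Return $url only if it is an absolute http(s) URL on an allowed host.
function safeRedirectTarget($url): string
{
    // Arrays (?url[]=), empty values, whitespace/control bytes and backslashes
    // are rejected before parsing; browsers normalise some of them.
    if (!is_string($url) || $url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return FALLBACK_URL;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return FALLBACK_URL;            // relative or scheme-less target
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return FALLBACK_URL;            // javascript:, data:, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return FALLBACK_URL;            // userinfo can disguise the real host
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return FALLBACK_URL;            // not one of our hosts
    }
    return $url;
}

if (PHP_SAPI !== 'cli') {
    // qr.php: record the scan statistics first, then redirect.
    header('Location: ' . safeRedirectTarget($_GET['url'] ?? null), true, 302);
    exit;
}

// Constructed sample inputs, printed when run from the command line.
$samples = [
    'http://yoursite.com/foo.php',
    'https://other.example/foo.php',
    '//other.example/foo.php',
    'http://yoursite.com@other.example/',
];
foreach ($samples as $u) {
    echo $u, ' => ', safeRedirectTarget($u), PHP_EOL;
}
```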
Well if you can change the QR code:
-change the info to something like www.client-site.com/landing.php?referer=qr
You can check then in your landing.php
If you can't (then it is messy):
-when accessing through QR code then the HTTP_REFERER is empty and the client is using a phone with a certain browser, you can use this info to determine if he is using a phone and accessed the page directly (90% of cases people use Google before going directly to a site - in this case you have a HTTP_REFERER)
Hope this helps...
I would build your URL for the QR code using Google's Analytics URL builder.
That way, you don't have to create custom filters or anything. Also, if you ever create new QR codes in the future on any other marketing material, you can track which marketing concept worked easily, rather than just saying that it was just a QR code that brought them to the site. Good luck.

sending a long link in an email using PHP

I am trying to implement a website which, among other things, lets users invite other users to specific pages. Unfortunately the link addresses of those pages are fairly long, and often cross the 70-character limit. So when I add them to the mail, even if I start a new line before the link, the link address is still cut halfway, and then the email client (Gmail, for example) assumes the link ends at the end of the line. So when the user clicks on the link, they experience it as broken.
I am coding all this in PHP, but the problem seems to be general.
What is the standard solution to this problem?
Place the URL in <> brackets. Most mail clients will parse the URL correctly and make it clickable, even when wrapped.
<http://www.somereallylongdomain.com/somereallylongdirectory/somereallylongfilename.html>
You could use a URL shortener to redirect to the longer links. Bit.ly has an API with which your code can interface for this purpose.
I don't know if there are better solutions, but you can implement a url shortener with http://yourls.org/ or with other tools...
Create your own URL shortening solution. There are several ways you can go, depending on the complexity of your requirements:
if you're using only a few selected urls which are always repeating, use apache rewrite
if the url is user specific or changes in other ways from case to case, use a database table that stores a short url and the original url
if you don't want or can't implement your own solution, use an existing url shortening service via an API, but make sure not to expose security relevant information
