I am creating a form handling service that will allow users to copy and paste a form action and the service will store the data in a database and redirect to confirmation page on the users website.
What I'm trying to achieve:
I would like to include some analytics on the form such as, time taken to complete each field, form views, form activation etc. I'm guessing this would need some javascript also pasted on the users page that would link to an external script (on my site). But my question is, how would this work in practice?
I can't use ajax as it would be on different domains and I also want as little code as possible to be copy and pasted by the user.
My question is not what specific code I need to use here, rather what approach do I take?
I'm thinking it will be similar to the google analytics snippet that they provide for tracking but im not 100% sure on how that works.
For cross-site requests, there is always the option of using script injection, as used with JSONP. For example, you could use jQuery.getJSON to pass some data as GET parameters to another site. Of course, only being able to do GET requests is a disadvantage. If you want/need to perform post requests, you could wrap your initial request in a web service, which basically converts GET parameters to POST parameters and forwards your request; YQL could do that for example.
Related
I'm working on a simple contact form right now that will just post to a /contact endpoint and update a message via ajax if success or failure. I plan on having other forms such as account settings work in this sort of way too so I can avoid having to refresh the page. I'm new to working with ajax and creating my own api's so any help would be awesome.
Basically what I want to do right now is verify that the post request/body is being sent from my website and not an external source. I thought about just checking the url with PHP but I'm not sure if this can be spoofed. Any help would be great, thanks!
One method is to create a unique ID/GUID when the form is created, embed it in the form (hidden field, JS var), and also store it to $_SESSION. When your script is called via AJAX, pass this value in the AJAX call, and then compare it on the server side. That way, you not only know it came from your page, but from the same session.
To check this things security i would pass a hash generated on the client (with certain rules) and check if the hash is valid on the server php endpoint. You can use $_SERVER["HTTP_REFERER"] to check if the domain matches but that can be easily spoofed and sometimes it may actually not even be available. I hope i answered the question. This is what i understood you were asking.
I'd like some help in taking data input from a user, using that input to complete a form on a different site and then collecting the results that the site outputs. Would it be possible to do this via PHP? If it helps/ additional info, the target site is in JSP.
The site in question is a result site for my university. It's done in JSP and there's no sort of API through which I can fetch the data. I'd like to be able to take user input ( unique student ID etc) , submit that to the result website, and fetch the results onto my own to do some calculations. Would it be possible to do this?
Any help would be appreciated.
well technically you can. if you create an http post request to that site you can send data to that site but the response will be the html code of the page. but as a security most of the sites usually protects their sites from such actions so they put a token inside their forms so that they can be able to know whether the form data is coming from their site or was submitted by external source.
you can try to send post HTTP using curl
here is a sample tutorial
https://davidwalsh.name/curl-post
It is not possible if the external site does not have APIs to provide the data. Normally cross-origin HTTP request would be disallowed for a web application. Read more about CORS Here.
I would like to ask this because if no quite sure that it secure.
I am planning on changing my page to ajax based registration. So my data will be inserted using jquery ajax post.
But if someone uses firebug and see where my post is being sent, they can use other form of firefox addons to post data on that url and can easily register without going to my page.
Although I can validate the request first where it is comming from though but that would be extra codes and work.
I will also add server validations for my form since someone can register without validation using the direct url that they will see on firebug.
I just wanted to know if there is already a standard procedures in applying ajax based data post.
But with ajax based select / fetch is cool and very useful.
Currently this is what I am planning on doing on my registration page.
validate that all request's must come from my registration page.
might use a transaction / request code
might use cookie
might use session
might use date time comparisson
if validation fails I should have a form validation on server side
to clean my the posted data before inserting to db
Never trust a UI.
Whether you do an Ajax post or a standard post, people can figure out what you are posting and create their own client. Even if you use https, the person controlling the browser can see what is posted and decipher the protocol.
You need to create your service so that it is not vulnerable to a user handcrafting a client.
If a user can use their browser to register on your site via Ajax, they can spoof the registration using some other programming language. There isn't anything you can do to make it so they can only register from your site via Ajax.
You can implement tricks to make it difficult for them to figure out, but you can't make it impossible. They can spoof the referrer, load other pages to get the required cookies/session variables, spoof Ajax request headers etc.
I'm looking at a domain registration site that looks like it uses jquery to process users data inputed and to register domains.
What I was wondering is if it's possible for users to be able to fill in data on a form on my website and then when the user is ready to complete payment, be taken to the actually domain registration site where all the data they typed in on my site will be posted to the domain reg site.
So basically, the users fills in a load of info on my site, AND attempts to check for domain availability on my site. Once the users has found the domain they want, they will be redirected over to the actual domain reg site where all their info will be posted.
Now I know if the domain reg site used PHP to process all the stuff, it wouldn't be a problem. But they don't use PHP.
Do you guys reckon this could be possible?
I'm not sure this would be possible in any amount of time that would make it worth it to you. Without knowing any of their back-end code, it's going to be extraordinarily difficult. Edit: I should add that I did look through some of their jQuery code and it looks as though they're using ajax .post() to submit data. Where this data goes and what responses are expected is anyone's guess, though...
That said... there are quite a few domain registrars that offer real APIs to let you do what you want... or even let you go one step further and offer the ability to register domains directly through your website. Sometimes you can set your own price, as well.
Here are links to some of these APIs:
Namecheap: http://developer.namecheap.com/docs/
GoDaddy: http://www.godaddy.com/reseller/domain-reseller-api.aspx
eNom: http://www.enom.com/resellers/Interfaceinfo.asp
I'd personally recommend NameCheap, but for the purposes of your question, any of these should do.
I can't make any promises but say you used jquery ajax to pull in the form the would have to fill out. Said form would then be on your client side so in theory I think you could use their input ids to fill out the form using javascript/jquery. All this would technically be client side. To bad that other site does not have an api for purchases.
Do you have control over the domain registration site? There are many ways you can send the user's input over to that site, but of course it has to be looking for this posted data and know how to handle it. PHP is not necessary to handle the data that is passed in. For example, if you send your info to the domain registration site via a form GET method, the info will become part of the URL, which can be accessed and parsed via javascripts window.location property.
What I'm trying to do is:
I have a form. I submit that form. In the code of the target script I want to make some validations. In a certain case, I want to make a POST to another URL. I don't want to just make a redirect to an URL.
I don't know if this is possible, that's why I'm asking.
I'm working with PHP.
Thanks!
To the people who suggested cURL: Building a request like so will send the data on behalf of the server not the client. I don't think he wants that.
He wants POST forwarding and that, if it were to exist (and I don't think it does), should be implemented by the browser.
What I suggest is to use an AJAX call to make the validation before posting. And then depending on the response you choose the destination for posting (on the client side).
To summarize: You request a validation from the client. You do that validation on the server. You send back instructions to the client. You post according to the instructions received from the server.
I'm not sure if you understand this, but any details of requests made by the user(client) are known in full by him. You can't make him POST to an URL, have a password in that POST, and not have access to that password.
Note: If it's easier you can read JavaScript and PHP instead of client and server.
It is definitely possible. You could use the PHP cURL library to easily create a POST request. But this might be overkill for what you are trying to achieve. Is it a possibiity to do the validation in JavaScript and change the form action attribute with JavaScript after submitting?
In what case would you need to post it to another PHP file.
Couldn't you simply use IF statements to redirect the script to another script depending on the results of the validation?