So I'm creating an app for a specific website, which has comments on certain articles/entities or whatever. I already know how to fetch those comments with RSS, but I'm also curious if I can implement a reply functionality from the app itself. The site doesn't have an API for that, but I know that when you write a comment, it sends a POST request with the contents of the form.
Is there a way to find out what that POST request looks like, so I can send a similar one from my app? The end goal is to be able to reply/post new comments from my app to that website.
Any thoughts? Just in theory.
Is there a way to find out what that POST request looks like, so I can
send a similar one from my app?
Use some debuger, like FireBug for FF or DragonFly for Opera.
so I can send a similar one from my app?
It would be not secure if anyone could see the nature of requests and make such requests in their apps. Apps may be bad and send spam.
There should be some Captcha or CSRF protection.
If there is - you plan will not work.
If there isn't - it is security hole.
My advice.
Better create some API an call it from your APP.
Simple HTTP, XML-RPC, or SOAP.
This will be more secure and nice usefull thing to know.
Look at the page which sends the post request. If the HTML code or javascript is simple you can understand which is the POST data sent to the server. Otherwise maybe you have access to the server and can look at the code there?
Point your browser with Chrome or Firefox (with the Firebug plugin) and open the inspector (Control-Alt-I / Command-Alt-I), then the "Network" tab. There you'll see real-time requests and responses to the server.
If you need to implement authentication from your app, google "cookie jar" and your language.
Related
I am not sure this is correct SO to post on, but if not admin please feel free to move it to relevant SO or suggest me to move it.
I am using a contractor to help me create a website for some project. He has coded the entire custom website in PHP.
One feature that I requested was that links posted on the website should have the preview feature that we see in Facebook (FB) like in attached picture.
But he keeps saying that I can only use embedded code to create such preview feature. When I show him the FB preview he says FB is probably using technology of its own. Currently if I post the link from youtube to my test website it shows up as text like: https://www.youtube.com/watch?v=jtkUtNzaFPI&t=1909s
My question is:
What exactly is FB using? Is this easy to implement for any PHP developer or is it really time consuming implementation.
"he says FB is probably using technology of its own"
His answer to your question is utter nonsense, and indicates only that he doesn't want to do what you're asking. You hopefully aren't paying him very much.
What Facebook is doing is kind of sneaky, but structurally simple. The order of operations is:
User enters text on Facebook page.
AJAX request is sent to Facebook server with text.
Facebook server parses and sees that there's a link in there.
Facebook server makes a server-side HTTP request to link destination to find out more.
Facebook server parses response for anything it can add to the input template that the user is seeing.
Facebook responds back to user (maybe web sockets? maybe a response to that earlier AJAX request?)
Client-side code on the Facebook page updates what the user is seeing.
Steps 2-6 intuitively sound like they may take a lot of network time, but these tend to be very quick services (Facebook itself, YouTube, etc.) so that's usually not a problem.
The main concern here are Step 3 and Step 5. That's where Facebook is using some custom logic that it likely spent considerable effort defining. There may be libraries which help with that, likely made in response to the demand for this exact feature. I don't have any to recommend, sorry.
The technical implementation is the easy part. Determining from the user's text what data to fetch could be difficult. Determining what data to put in the page could be difficult. That depends on the scope of what you want to implement.
For example, it may be difficult to detect if the user has entered a variety of things you can respond to, but it may be easy (with a regular expression perhaps) to detect if the user has entered what might be a YouTube URL. So if you reduce the problem space to just YouTube previews, then you may be onto something. If you can successfully parse that YouTube link, you're in business. Now you can hit a YouTube API and get information to send back to the page.
Continue with that pattern for other small problem spaces (previewing a link to an image, previewing a link for another popular site, etc.), and you can over time add that same feature.
Now we are using standard google analytics script dc.js to create utm-cookies by http referrer and http url of the visitor. Now google stops creating utm-cookies since Universal Analytics.
Is there any way to mimic utm-cookie creation logic by referer and url using internal or external solution?
PS. Please, don't advise to get rid of utm-cookies. The main question is: "is it possible to create cookies by the same logic which google does?"
That is not realy easy. You can use the PHP function $_SERVER ['HTTP_REFERER'] but:
The address of the page (if any) which referred the user agent to the
current page. This is set by the user agent. Not all user agents will
set this, and some provide the ability to modify HTTP_REFERER as a
feature. In short, it cannot really be trusted.
As far as I know, the Universal Analytics HAS a way of tracking referrals using _ga cookies and it works very nice. If you work with PHP (hosted GA), then you will have problems but with JavaScript woks fine.
If you whant to follow AND _utm cookies with javascript, you need to create some "push" script what will collect that data but I think Universal Analytic have that option automaticly.
Read THIS blog please.
I have a jQuery script in a clientDomain.com/show.php page that shows some data loaded from a serverDomain.com/echo.php page using jQuery.getJSON(). I want that only allowed domains can show the data because I don't want that unauthorized people install the script in their own website without my permission. Is there any way to restrict the response of a jQuery.getJSON() only to certain domains? The solution should prevent also the use of iframe by the client. In conclusion, the data should be seen only if someone visit directly serverDomain.com/echo.php page or one of the allowed client domains. Thanks in advance for the support!
My request/response script works like the first example in jQuery.getJSON() | jQuery API Documentation
I can only code the client jQuery script (that will be ditribuited to the allowed domains) and the serverDomain.com/echo.php page (that is my property).
Don't do that. Use auth tokens instead that are updated regularly. Anybody can fake an HTTP referrer.
Here's a good answer on SO which covers resful api authentication: REST API Token-based Authentication
On many places (Google, Yahoo, Stack Exchange... ) I found that Ajax coding (for example php+Ajax login system) is not, and cannot be secure enough. So many reserve about Ajax security, and nowhere you can find an example of secure Ajax code.
At the same time, all this sites (even Facebook, Twitter...) USES a lot of Ajax code, for registering and loging users, for commenting features etc. Seems like Top Secret matter.
So, could someone show an example of secure php-Ajax code ?
An AJAX request is just like a normal browser request, just in the background. So if you would normally have a login form that posts data to your checklogin.php, you can do the same with AJAX and its equally secure.
Another thing to keep in mind is with cross site javascript calls. This is used for example when you are creating apps on facebook to transfer data from/to your server. These request have to be signed to make sure the data is comming from a valid source. This is done by using a secret and public key. These sites use oauth to handle these request. You can also implement this in your own site, but for any regular authentication (login/post messages/etc) this will not be needed. Just code like you would if it were a regular request.
Excuse me if the title is plain idiotic with respect to the contents.
We were debating a model for an interaction-heavy site in which there will be
site.com
api.site.com
on the same server. the site.com is powered by PHP and api.site.com will be powered by an alternative web framework. The same or different servers answer the two domains.
The rendered site makes AJAX calls to api.site.com.
Securing this is easy if the application were 'all PHP'. The session feature can prevent HTTP requests that allow:
an unlogged stranger from accessing a user's data
a legitimately logged-in user from requesting another user's data
Question 1: How do you secure the internal API so that we can be sure about the legitimateness of each request?
I have googled up AJAX and same origin policy, but I didnt get far with them.
I am thinking randomly generated 'tokens' that will be acknowledged by both domains.
Question 2: Is there a specific name for this model?
You should take a look at JSONP. jQuery has a good example on it: http://api.jquery.com/jQuery.getJSON/
You need to add jsoncallback=? to the URL to make it work.
$.getJSON("http://api.flickr.com/services/feeds/photos_public.gne?jsoncallback=?"
With this, you can avoid the Same origin Policy
The jsoncallback will be a timestamp, which should be echo-ed by the PHP script which outputs the JSON like this:
jsonp1277656587731(/* rest of the JSON here */);
With the number here ofcourse being the randomly generated string, or timestamp in case of jQuery JSONP