Is there a way to send an AJAX POST to a PHP page on a server that I don't have access to? The server always sends an Access-Control-Allow-Origin error, because I'm sending a POST from my server (that I have access to) to another server (that I don't have access to). It seems that this server that I don't own only accepts POSTs from itself.
Any code, tips? I found easyxdm to do that but I don't know how to use it.
Yes, send the POST using your PHP server (not JavaScript). That's your only option if you don't have access to the other server and they aren't returning proper CORS headers.
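What the answer above describes is a server-side relay: the browser POSTs to a script on your own origin, and that script makes the cross-site request with cURL, where the browser's same-origin restriction does not apply. The following is an added example, not code from the original answer; the upstream URL and the field names are assumptions, and the allow-list is there because a relay that takes its target from the request turns into an open proxy (SSRF).

```php
<?php
// relay.php (added example). Browser -> this script (same origin) -> remote server.
// Assumed target; never take the destination from the request itself.
const UPSTREAM_URL = 'https://api.example.com/endpoint.php';

// Only these form fields are forwarded upstream (assumed names).
const ALLOWED_FIELDS = ['name', 'email', 'message'];

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

// Copy only known fields so the browser cannot push arbitrary data upstream.
$payload = [];
foreach (ALLOWED_FIELDS as $field) {
    if (isset($_POST[$field]) && is_string($_POST[$field])) {
        $payload[$field] = $_POST[$field];
    }
}

$ch = curl_init(UPSTREAM_URL);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query($payload), // application/x-www-form-urlencoded
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,  // do not follow redirects to arbitrary hosts
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_SSL_VERIFYPEER => true,   // keep TLS verification on
    CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
]);

$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
$err    = curl_error($ch);
curl_close($ch);

if ($body === false) {
    http_response_code(502);
    header('Content-Type: text/plain');
    echo 'Upstream request failed: ' . $err;
    exit;
}

// Pass the upstream status and body back. Because relay.php lives on your
// origin, the page's XMLHttpRequest needs no CORS headers at all.
http_response_code($status);
header('Content-Type: text/plain; charset=utf-8');
echo $body;
```

From the page, the call becomes a same-origin request such as `$.post('/relay.php', {name: 'x', message: 'y'}, cb)`. Note that the remote server now sees your server's IP, not the user's, and that any rate limit it applies will be counted against your server.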
I'm writing an app using php and have been looking into security issues. I'd like to know how the following code grabs browser information and how it is passed from the browser to the server:
$_SERVER['HTTP_USER_AGENT']
$_SERVER['REMOTE_ADDR']
gethostbyaddr($_SERVER['REMOTE_ADDR'])
Is this information encrypted when it's passed from the client PC to the server? Would it be easy for a hacker to steal this data?
Browser -> Apache -> PHP
Spoofing/faking $_SERVER variables other than the HTTP ones is difficult, as there are handshakes between your Apache and the browser, so if someone tries to spoof these variables he will not receive any response. For example, if someone tries to spoof REMOTE_ADDR, it is probable that the request will not be completed.
On the other hand, all the variables that start with HTTP_ are easy to spoof, and they are sent to PHP just as received by Apache from the browser. So, for example, a user can write a cURL script with a custom User-Agent (HTTP_USER_AGENT) and you will receive the response as it is.
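The split the answer draws (HTTP_* comes straight from the client, REMOTE_ADDR comes from the TCP connection) is easy to demonstrate in code. The block below is an added example, not code from the answer; it sorts a $_SERVER-shaped array into the two classes and derives a client IP that only honours the X-Forwarded-For header (which arrives as HTTP_X_FORWARDED_FOR, i.e. a client-settable header) when the TCP peer is one of your own reverse proxies. The proxy addresses and the two sample requests are constructed for illustration.

```php
<?php
// Added example. Reverse proxies you operate (assumed addresses). Only when
// REMOTE_ADDR is one of these did the request actually pass through them.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Split $_SERVER-like input into values the client sends verbatim (HTTP_*)
 * and values the web server derives from the connection itself.
 */
function classify_server_vars(array $server): array
{
    $out = ['client_controlled' => [], 'server_derived' => []];
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $out['client_controlled'][$key] = $value;   // arbitrary bytes from the request headers
        } elseif (in_array($key, ['REMOTE_ADDR', 'REMOTE_PORT', 'SERVER_PROTOCOL', 'REQUEST_METHOD'], true)) {
            $out['server_derived'][$key] = $value;      // filled in by Apache
        }
    }
    return $out;
}

/**
 * REMOTE_ADDR is the TCP peer. X-Forwarded-For is just another header the
 * client can set, so it is consulted only when the peer is a trusted proxy,
 * and then the rightmost hop that is not one of our proxies is the client.
 */
function client_ip(array $server, array $trusted_proxies = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;                                   // direct connection: trust the socket
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if ($hop !== '' && !in_array($hop, $trusted_proxies, true)
            && filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed request 1: a curl user sends a fake User-Agent and a fake
// X-Forwarded-For but connects directly, so REMOTE_ADDR is the real peer.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (pretending to be a browser)',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    'REQUEST_METHOD'       => 'GET',
];

// Constructed request 2: the same client, this time through one of our proxies,
// which appended the real peer to whatever the client already sent.
$via_proxy = $direct;
$via_proxy['REMOTE_ADDR']          = '10.0.0.5';
$via_proxy['HTTP_X_FORWARDED_FOR'] = '127.0.0.1, 203.0.113.7';

print_r(classify_server_vars($direct));
echo client_ip($direct), "\n";
echo client_ip($via_proxy), "\n";
```

In the first case the forged header is never read and the socket address is returned; in the second the socket address is a trusted proxy, so the chain is walked from the right and the forged `127.0.0.1` on the left is skipped. Logging or rate-limiting by `HTTP_X_FORWARDED_FOR` directly, without this check, lets any client choose the address you record.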
$_SERVER, this superglobal, is populated by the web server rather than by PHP, but some of its entries are taken from the HTTP request header: those prefixed with HTTP_ are generated by the client (request header), while REMOTE_ADDR is the address at the TCP level, not arbitrary but also not guaranteed.
HTTP_USER_AGENT is plain text in the header, easy to modify.
REMOTE_ADDR is technically the TCP-level IP address; faking it towards the server requires some equipment or specific software.
Essentially, the PHP script gets these variables from the web server. On the manual page there is a list of the variable names and their descriptions.
So, to answer your question shortly: they are obtained from the web server you are using.
If someone were to try to fake one, like $_SERVER['REMOTE_ADDR'], there is information on how it can be done here, though I've never looked into it.
Hope this helps in some way :)
I have a file in PHP receiving a POST from an Android application and it works correctly but it also works correctly if loaded from a browser. What would be the most correct and efficient way to prohibit this from happening?
Try testing for the user agent in the request, $_SERVER["HTTP_USER_AGENT"]. With PHP you can use get_browser() for more information given the user agent.
Note that any client could send a fake user agent, so this information is a good hint, but like any user input it must not be trusted completely.
If you own the Android application I would suggest sending a security token generated on the android app via HTTPS to your PHP app where it would be validated.
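One way to implement the token suggestion above, as an added example that is not code from the answer: the app signs each request with HMAC-SHA256 over the method, path, a timestamp and the body, and the PHP side recomputes the signature and compares it in constant time. The header names, the shared secret and the sample request are assumptions made for the illustration.

```php
<?php
// Added example. The secret must come from configuration, not source control;
// the value here is a placeholder.
const APP_SECRET = 'replace-with-a-long-random-secret';
const MAX_SKEW   = 300; // seconds a client timestamp may differ from server time

function canonical_string(string $method, string $path, string $timestamp, string $body): string
{
    // Bind the signature to what the request does, so a captured token cannot
    // be replayed against another endpoint or with a different body.
    return $method . "\n" . $path . "\n" . $timestamp . "\n" . hash('sha256', $body);
}

function sign_request(string $method, string $path, string $timestamp, string $body, string $secret): string
{
    return hash_hmac('sha256', canonical_string($method, $path, $timestamp, $body), $secret);
}

function verify_request(array $headers, string $method, string $path, string $body, int $now, string $secret): bool
{
    $timestamp = (string)($headers['X-App-Timestamp'] ?? '');  // assumed header names
    $signature = (string)($headers['X-App-Signature'] ?? '');
    if (!ctype_digit($timestamp) || abs($now - (int)$timestamp) > MAX_SKEW) {
        return false;   // stale or malformed: bounds the replay window
    }
    $expected = sign_request($method, $path, $timestamp, $body, $secret);
    return hash_equals($expected, $signature);   // constant-time comparison
}

// ---- constructed round trip (what the Android side would compute) ----------
$now  = 1700000000;
$body = 'temperature=21.5&device=kitchen';
$headers = [
    'X-App-Timestamp' => (string)$now,
    'X-App-Signature' => sign_request('POST', '/api/upload.php', (string)$now, $body, APP_SECRET),
];

var_dump(verify_request($headers, 'POST', '/api/upload.php', $body, $now, APP_SECRET));          // genuine request
var_dump(verify_request($headers, 'POST', '/api/upload.php', 'device=evil', $now, APP_SECRET));  // body tampered with
var_dump(verify_request($headers, 'POST', '/api/upload.php', $body, $now + 3600, APP_SECRET));   // replayed an hour later

// In the real endpoint, feed the live request instead of the constructed one:
// verify_request(getallheaders(), $_SERVER['REQUEST_METHOD'],
//                parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH),
//                file_get_contents('php://input'), time(), APP_SECRET);
```

Two caveats a practitioner should keep in mind: the secret ships inside the APK and can be extracted by anyone who unpacks it, so this stops browsers and casual scripts but does not prove the caller is your app; and the signature authenticates but does not encrypt, so HTTPS is still required, as the answer says.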
Add a header while making the HTTP request,
e.g. an application type:
httppost.setHeader("Application-Type", "ANDROID");
This will differentiate your calls from others: the server can tell that a call is made from the mobile app by the presence of this header, while the browser doesn't send it.
Take a look at a page with phpinfo() on it, loaded from the Android app.
You can check the browser and OS, and based on that you can choose what to do.
Ok I guess this question may be similar to other in the "remote cookies" kind, but I'm not sure that other answers I've read are applied to my case anyway, so here we go.
I have two applications, a client and a server. The server "has" (I know they're actually stored client-side) a cookie and a page which uses it to print out computed data based on the cookie.
If I access the server page directly, the cookie is taken into account and the data is output correctly.
If I call the same server page from the client via file_get_contents(), the cookie on the server page doesn't get read, and I get an answer computed with an empty cookie.
How do I make the server read its own cookies when answering such a request? Is cURL the only option?
You need to:
Make a request that gets a Set-Cookie header in the response (assuming the cookies are HTTP cookies and not JS cookies)
Store the cookies
Include the cookies in the HTTP request to the page that displays them
cURL is probably the sanest way to go about dealing with being an HTTP client in PHP when you need to pay attention to the headers. Another question gives some guidance about how to go about doing that.
Note that there is no way to send the cookies that the browser accessing your PHP script would send to the remote server. They are a secret that belongs to the browser and that server and will not be shared with your server.
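The three steps above, carried out with cURL, as an added example that is not code from the answer: one request receives the Set-Cookie header and writes it to a cookie jar, the next request replays it. The two URLs are assumptions standing for the page that sets the cookie and the page that computes its output from it.

```php
<?php
// Added example. Assumed endpoints on the server application.
const SET_URL  = 'https://server.example/set-cookie.php';  // responds with Set-Cookie
const READ_URL = 'https://server.example/show.php';        // output depends on the cookie

function fetch_with_cookie_jar(string $url, string $jar): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEJAR      => $jar,   // store cookies from Set-Cookie when the handle closes
        CURLOPT_COOKIEFILE     => $jar,   // send back whatever the jar already holds
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);   // this is the point at which the jar file is written
    return ['status' => $status, 'body' => $body, 'error' => $error];
}

// A private, per-run jar. A shared, world-readable file would hand the
// server's session cookie to every other user of the same host.
$jar = tempnam(sys_get_temp_dir(), 'jar_');
chmod($jar, 0600);

try {
    $first = fetch_with_cookie_jar(SET_URL, $jar);    // steps 1 and 2: receive and store
    if ($first['body'] === false) {
        throw new RuntimeException('first request failed: ' . $first['error']);
    }
    $second = fetch_with_cookie_jar(READ_URL, $jar);  // step 3: replay the stored cookie
    if ($second['body'] === false) {
        throw new RuntimeException('second request failed: ' . $second['error']);
    }
    echo $second['body'];
} finally {
    unlink($jar);   // the jar contains the server's session secret; do not leave it on disk
}
```

file_get_contents() with a stream context can add a Cookie: header manually, but it gives you no convenient way to capture Set-Cookie from the first response, which is why the answer points at cURL.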
I'm finishing an app that sends data as a multipart HTTP POST to a server.
Problem is that said server is not available yet, and I want a sort of 'dummy' server to set up that can receive an HTTP POST request like that and just store/spit out the end result so I can see what I'm sending.
I have a host and know my way around a web server, but I never had to deal with a situation like this.
Thoughts?
Consider using a web proxy to verify that what you sent is correct. I use Charles. Charles can also be setup to return fake responses.
You can use WAMP to set up a server on your host and any PHP framework, such as CodeIgniter, to receive HTTP requests.
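If you would rather not set up a framework for a throwaway endpoint, a single PHP file served by PHP's built-in web server does the job. The following is an added example, not code from either answer: it accepts a multipart/form-data POST, records the non-file fields, and summarises each uploaded part with its size and a SHA-256 of the bytes so you can compare against what the app meant to send. The log path and the sample curl invocation are assumptions.

```php
<?php
// dummy_receiver.php (added example).
// Start it from the directory holding this file:
//   php -S 127.0.0.1:8080 dummy_receiver.php
// and exercise it, e.g.:
//   curl -F "title=test" -F "photo=@picture.jpg" http://127.0.0.1:8080/

// Assumed log location; in anything beyond a local test keep it outside the web root.
const LOG_FILE = __DIR__ . '/received.log';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    echo "POST only\n";
    exit;
}

$record = [
    'time'         => date(DATE_ATOM),
    'remote_addr'  => $_SERVER['REMOTE_ADDR'] ?? '',
    'content_type' => $_SERVER['CONTENT_TYPE'] ?? '',   // should start with multipart/form-data
    'fields'       => $_POST,                            // the non-file parts
    'files'        => [],
];

// Record each uploaded part. The name and type come from the client and are
// kept only as evidence of what was sent; the hash is computed from the bytes.
foreach ($_FILES as $field => $file) {
    if (is_array($file['name'])) {
        $record['files'][$field] = 'array-style field (photo[]) not expanded here';
        continue;
    }
    $ok = $file['error'] === UPLOAD_ERR_OK && is_uploaded_file($file['tmp_name']);
    $record['files'][$field] = [
        'client_name' => $file['name'],   // client-controlled string
        'client_type' => $file['type'],   // client-controlled string
        'size'        => $file['size'],
        'error'       => $file['error'],  // 0 is UPLOAD_ERR_OK
        'sha256'      => $ok ? hash_file('sha256', $file['tmp_name']) : null,
    ];
}

// One JSON line per request, appended under a lock; echoed back so the
// client side of the test sees the same record.
$line = json_encode($record, JSON_UNESCAPED_SLASHES) . "\n";
file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);

header('Content-Type: application/json');
echo $line;
```

PHP discards the temporary upload files when the script ends, so nothing but the log line is left behind; if you need the raw bytes for comparison, copy `tmp_name` with move_uploaded_file() before the script finishes.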
When using PHP I can use file_get_contents or cURL to get a URL.
jQuery runs on the client
In jQuery there is a function called jQuery.getJSON(). Javascript is run on the client. What server is used for the download of the JSON code of the external URL? What information does the called URL know about? Does it know of the domain? The IP of the client user? It's a client language.
Preferred for many requests
To make many requests, is it safer to do this with JavaScript than PHP because it runs on every client instead of one server point?
What server is used for the download of the JSON code of the external URL?
The one that the domain name in the URL passed to that function resolves to.
What information does the called URL know about?
It is an HTTP request, like any other. The usual information will be available.
Does it know of the domain? The IP of the client user?
Of course.
It's a client language.
… making an HTTP request.
To make many requests, is it safer to do this with JavaScript than PHP because it runs on every client instead of one server point?
You control the server. You don't control the client. JavaScript can be disabled. It is safer to make the request from your server.
(For a value of "safe" equal to "Less likely to fail assuming the service you are using doesn't impose rate limiting")
Because of the Same Origin Policy, all requests made in JavaScript must go to the domain from which the document was loaded. It's a standard HTTP request, so the server will have the same information it would if a user was just navigating around (including cookies, etc.). From the phrasing of your question it appears you need to make requests to some external site, in which case making those requests from your server, which is not subject to such a security policy, would likely be best.
In jQuery there is a function called jQuery.getJSON(). Javascript is run on the client. What server is used for the download of the JSON code of the external URL? What information does the called URL know about? Does it know of the domain? The IP of the client user? It's a client language.
The code that runs your web browser is only on your PC, too, yet it is perfectly capable of retrieving content via the HTTP protocol from a web server, and has done so for several decades.
AJAX requests are no different. jQuery creates an XMLHttpRequest object that performs an HTTP request in a manner uncoupled from the general page context. As far as the server's concerned, it's just an HTTP request like any other.
The text contents of the result you get back happen to be written in JSON format, but the HTTP layer neither knows nor cares about that.