We have an archaic website done completely in HTML 4, and I've been tasked with coming up with a way to have the user input their email address to access/download files.
After submitting their email address, it can either take them directly to the pdf file or be redirected to a "Thank You" page that has a link to the file.
We would then be able to see a list of the email addresses & who downloaded what.
I was told a server-side scripting language is required. To be honest, I have basic skills in coding, and I am completely stumped by this task. Any help (explained in simple terms please) would be greatly appreciated.
Thank you!
Jen
Your solution is going to be broken down into 2 parts, both server-side. Firstly, you will need some server-side code to handle the user input, and a database to store a mapping from email addresses to file names (although this can just be a text file sitting on the server).
Server-side script
You have a world of choices when it comes to server-side scripting languages, from the insanely popular PHP, which, while supported by the majority of web-hosting companies, is riddled with bad design problems and (to my mind) should be avoided at all costs. However, it is still completely adequate for your purposes.
On the other end of the scale is the lightning fast node.js, which allows you to program your web application using JavaScript; this is arguably a more pleasant means to do so, but hosting is typically more expensive and geared towards web applications with large user bases.
There are many other possible solutions in between, but for argument's sake we'll assume you use PHP.
Database
The role of the database is simply to store the relationship between the email addresses and their respective file download paths. Again, there are a whole host of different solutions, and some may argue for or against them. One of the least-trusted solutions (but unfortunately, incredibly widely supported and tightly knit with PHP) is MySQL, which again for argument's sake, we'll use.
How it works
Your web application will first of all check for any user input (i.e. the user's email address submitted from an HTML form). Then:
If the user has not submitted anything, then output a page with an HTML form on it, which might look something like this:
<form action="thispage.php" method="post">
<input type="text" name="email" value="Enter your address here" />
<input type="submit" value="Get my file!" />
</form>
When the user clicks the submit button, the entered email address will be sent to thispage.php (or whatever you decide to call this script).
If the user has submitted an email address, (i.e. the user clicked the button in the above form), then we query the database with the email address to find out where the user's file is. There are a million-and-one tutorials on how to do this - there are straightforward examples for PHP here.
Once the file path has been retrieved from the database, you can either output some HTML as a 'Thank you!' page, with a link to the PDF file, or simply redirect them immediately by using the following code, where $URL is the URL of the file.
<?php
header('Location: ' . $URL);
?>
There are again alternatives to how you do this - if you want to keep the PDF file hidden from unauthorised eyes, you can store it somewhere on the server, inaccessible to the outside world, and then simply output the contents of the file into the page. This might look something like the following, where $path is the path to the PDF file on the server's filesystem:
<?php
header('Content-type: application/pdf');
echo file_get_contents($path);
?>
I hope this gets you started. If you need any more guidance, you're already in the right place to ask!
It depends on how much protection you want. If you want to make sure the file is completely inaccessible to people who don't input their e-mail address, you can block the file with the .htaccess file (in Apache). Then make a page to retrieve the file to download if the session that you previously set up was okay. I don't think that would be necessary from what you said. The other option is to make a page with a simple form, with action="somepage.php". On that page you would then retrieve the e-mail with $_GET or $_POST (that is, if you are using PHP), then save it in the database or a text file or something. (You could even send it to your e-mail.) Then:
1) If you are using the protection I mentioned before, then set the session as OK (you can do this with session_start() at the beginning of the file and then include $_SESSION["gave_email"] = 'true';). Then test that variable to see if it is true. If it is true, redirect the user to the PHP page that shows the file. The appropriate syntax for a check like this one might look like this:
if (isset($_SESSION["gave_email"]) && $_SESSION["gave_email"] == true) {
    // you show the content, then reset the $_SESSION variable to false
}
2) If you are not worried about security, then simply redirect the user to the page you want (either directly to the file or to another page that contains a link for download).
To forward with PHP you can use header('Location: page.php'), where page.php is the page you want. The whole thing seems pretty simple, so if you have a more specific question about this, please ask it.
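The flow both answers describe, written out as one working script. This is an added example, not code from either answer: a single getfile.php that shows the form, validates the address, records the email and requested file through a PDO prepared statement, marks the session, and then serves a PDF that lives outside the web root. The table name `downloads`, the PDO credentials, the `/srv/private-files` directory and the file list are assumptions constructed for this example.

```php
<?php
// getfile.php -- added example, not code from either answer above.
// Assumptions (constructed for this example): a MySQL table `downloads`(email, file_key, requested_at)
// reached through PDO with the credentials below, and PDFs stored outside the web root in /srv/private-files.
session_start();

// The only files that can ever be served. The visitor chooses a key, never a path.
const FILES = [
    'brochure' => ['path' => '/srv/private-files/brochure.pdf', 'name' => 'brochure.pdf'],
    'pricing'  => ['path' => '/srv/private-files/pricing.pdf',  'name' => 'pricing.pdf'],
];

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'site_user', 'password'); // assumed
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Step 3: download request. The grant lives in the session, so the URL carries nothing worth guessing.
if (isset($_GET['download'])) {
    $key = $_SESSION['allowed_file'] ?? '';
    if (!isset(FILES[$key])) {
        http_response_code(403);
        exit('Please enter your email address first.');
    }
    unset($_SESSION['allowed_file']);           // one download per submitted address
    $file = FILES[$key];
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $file['name'] . '"');
    header('Content-Length: ' . filesize($file['path']));
    readfile($file['path']);                     // streams the file without loading it all into memory
    exit;
}

// Step 2: the form was submitted. Validate, record, and hand out a download link.
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $key   = $_POST['file'] ?? '';
    if ($email === false) {
        $error = 'Please enter a valid email address.';
    } elseif (!isset(FILES[$key])) {
        $error = 'Unknown file.';
    } else {
        // Prepared statement: the address is bound as a value, never pasted into the SQL text.
        $stmt = db()->prepare(
            'INSERT INTO downloads (email, file_key, requested_at) VALUES (:email, :file_key, NOW())'
        );
        $stmt->execute([':email' => $email, ':file_key' => $key]);
        $_SESSION['allowed_file'] = $key;
        echo '<p>Thank you! <a href="getfile.php?download=1">Download '
           . htmlspecialchars(FILES[$key]['name']) . '</a></p>';
        exit;
    }
}
?>
<!-- Step 1: nothing submitted yet (or a validation error), so show the form. -->
<form action="getfile.php" method="post">
  <?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
  <label>Email: <input type="email" name="email" required></label>
  <label>File:
    <select name="file">
      <?php foreach (FILES as $k => $f): ?>
        <option value="<?= htmlspecialchars($k) ?>"><?= htmlspecialchars($f['name']) ?></option>
      <?php endforeach; ?>
    </select>
  </label>
  <input type="submit" value="Get my file!">
</form>
```

With this layout the PDF's path never appears in any page, a visitor who bookmarks getfile.php?download=1 gets a 403 once the grant has been consumed, and the list of who downloaded what is simply the `downloads` table. Every `exit` after a header or redirect matters: header() on its own does not stop PHP from running the rest of the script.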
Try Google FeedBurner. It allows you to validate download verification: when someone subscribes on your website using FeedBurner, then the download will be possible. The FeedBurner subscription is refreshed every 10 hours.
http://feedburner.google.com/
Related
I am currently diving into PHP and HTML and working on a simple redirect just for the purpose of showing database content through a URL.
I know you can generate a URL in 2 ways, probably more, but these two are the reason why I started this question:
php:
<?php
header('Location: example.php?parameter');
?>
html:
<form action="example.php" method="post">
<!-- input fields etc. -->
<input type="submit">
</form>
But now I was wondering, "What is the best practice regarding these two options?" Is it just a personal opinion, with what you like best being the most suitable way in a situation, or is there something else I am overlooking?
I am not trying to start a discussion here, just interested in what is 'normally/commonly' used.
Thanks in advance!
These two pieces of code do fundamentally different things, even though in some cases the user-observed behavior may be very similar.
This is a server-initiated redirect:
<?php
header('Location: example.php?parameter');
?>
Basically this is the server's way of telling the browser that it should browse to another location. (The browser can ignore it, but doesn't really have a reason to ignore it.) Additional details can be added to the response to tell the browser if this redirection is temporary or permanent, or has other conditions regarding it. But at its simplest this is just the server saying "I don't really have anything for you here, go over there for your information."
This is a client-initiated form POST:
<form action="example.php" method="post">
Well, "client-initiated" in that the actual action of POSTing the form comes from the browser. The server probably gave that HTML tag to the client to tell it to do that, but the client is free to change it if it wants. (There's no reason to do so, though.) The point here is that this is a means by which the client sends data to example.php. It has nothing to do with redirects, it's just sending data to a specific resource on the server.
The server can respond to that data with a redirect, or a rendered page, or any other response.
These might be used in conjunction in a number of ways. Let's say you have page1.php and page2.php. On page1 there is a form, and after that form is submitted you want the user to see page2. This is where the user-observed result might be indistinguishable.
page1 can post to page2 and page2 can handle the submitted data and then display. Or page1 can post back to page1, handle the submitted data, and redirect to page2. To the end user, there's essentially no difference. The main difference is in how you organize your code. In that regard, sure, personal preference comes into play. But this isn't the only scenario in which either of these tools is employed. For example, you might want to submit values to a completely different page for a completely different reason, or redirect on a page request for some server-side reason completely unknown to the client.
As you develop more complex web applications you'll find certain patterns work well in certain situations, and personal preference will begin to conform to those patterns. In the end, these are just tools to perform actions (redirect the client to another location, send data to the server) and your overarching patterns and practices simply make use of the tools.
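The second arrangement from the answer above ("page1 posts back to page1, handles the data, and redirects to page2"), as an added example that is not the answer's own code. It shows the two details the bare header() snippet leaves out: the redirect status code and the `exit` after it. BASE_URL, the session key `flash` and the field name are constructed for this example.

```php
<?php
// page1.php -- added example, not code from the answer: post back to page1, handle, redirect to page2.
// BASE_URL and the session key `flash` are constructed for this example.
session_start();
const BASE_URL = 'https://www.example.com/app'; // configured here, not taken from the Host header the client sends

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = trim($_POST['name'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $error = 'Please enter a name of at most 100 characters.';
    } else {
        // Handle the submitted data here (save it, send mail, ...), then send the user on to page2.
        $_SESSION['flash'] = 'Thanks, ' . $name;
        // 303 See Other makes the browser fetch page2 with GET, so reloading page2 cannot resubmit the form.
        header('Location: ' . BASE_URL . '/page2.php', true, 303);
        exit; // header() does not stop the script; without exit the form below would still be rendered
    }
}
?>
<form action="page1.php" method="post">
  <?php if ($error !== ''): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
  <input type="text" name="name">
  <input type="submit" value="Send">
</form>

<?php
// page2.php -- a separate file: displays what page1 stored, then forgets it.
session_start();
$message = $_SESSION['flash'] ?? 'Nothing submitted yet.';
unset($_SESSION['flash']);
echo '<p>' . htmlspecialchars($message) . '</p>';
```

The two scripts are shown in one listing for readability; save them as two files. Building the Location URL from a configured base rather than from $_SERVER['HTTP_HOST'] keeps a client-controlled Host header from steering the redirect somewhere else.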
The HTTP Location header and an HTML form are not really comparable.
The header should be used if you want to create a redirect during the execution of PHP. The form should be used if you want to submit user input from the client side (browser) to the server side.
HTML anchors are the best way to provide links on a web page:
Click
In most cases you use HTML forms or links. header() is used mainly if you want to redirect a user after the code is executed (e.g. after a successful login, or when a user is not authorized to access a restricted page).
So I was just told that having this sort of thing visible whenever someone views the source on your front end is insecure:
<form action="http://www.somedomain.com/form.php" method="post">
Basically, that someone being able to see the php file that the form submits to is dangerous. Is this the case? If so, how do I make my visible source secure while still having the form submit to our hypothetical "form.php"?
First of all, PHP source code can't be viewed unless you restrict access to it via .htaccess or other ways; secondly, your front-end source code must always be public, because security issues aren't handled from the front end to the back end; thirdly, your PHP file's source can't be viewed like a CSS file or JavaScript code.
If you want to restrict direct HTTP access to form.php, you could use .htaccess.
I use this solution: some files are named somefile.php, but some util files are either stored in a folder or named utils.inc.php, so I make sure that I restrict direct access to .inc.php files and allow everything else.
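The .htaccess rules the answer describes (deny direct requests for *.inc.php, and keep a whole folder of files out of reach), as an added example that is not the answer's own file. Apache 2.4 syntax; the `/protected/` folder name is an assumption.

```apache
# .htaccess in the site root -- added example, not the answer's own file.
# Apache 2.4 syntax. On Apache 2.2 replace "Require all denied" with
# "Order deny,allow" followed by "Deny from all". The host must allow
# .htaccess overrides (AllowOverride AuthConfig or All) or none of this applies.

# Library files named *.inc.php are only ever require()d by other scripts;
# a direct request for one gets a 403 instead of running it on its own.
<FilesMatch "\.inc\.php$">
    Require all denied
</FilesMatch>

# Blocking a single file that must only be handed out by a PHP script:
<Files "brochure.pdf">
    Require all denied
</Files>

# To hide a whole folder (assumed name /protected/), put a second .htaccess
# inside that folder containing just the line:
#     Require all denied
# A script outside it can still read those files with readfile() after its own check.
```

Two caveats a practitioner would want: confirm the rule actually works by requesting the file in a browser and expecting a 403, and remember that files stored outside the web root stay hidden even if the .htaccess is deleted or overrides are switched off, which makes that the more robust choice for the download case.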
I personally do not see a problem with showing the page which the form submits to, because once the user submits his/her entries, the action="" will redirect the user to the page stated anyway, so either way they will see where they will end up, whether in the URL bar or the form scripts.
Just ensure you sanitize the user-input data before passing it through to your database.
Depending on what you're using for your database interaction, there will be functions available to protect you from injection.
Security by obscurity is a good policy in only very select, specific cases. But knowing where forms submit to – that's actually the nature of web forms. There's no way around that.
Even if the URL you submit to is somehow dynamically created for some kind of impression of security – just have a proxy between the browser and the server, and the entire HTTP dialogue is open to be read.
I have a webshop running, and every couple of days an empty mail is sent, like an order. Is this most likely Google?
I have a file called send2.php; it takes all info from the session and all POST data, and sends it via mail. After that it redirects to a "thank you" page.
Can and will Google send empty forms just to see what's in send2.php? What would be the best way to prevent this from happening?
Add a file called robots.txt to your root directory and place this in it:
User-Agent: *
Disallow: /path/to/send2.php
Keep in mind that this is not a perfect solution. This will prevent (co-operating) web crawlers from visiting your page.
Reference: http://en.wikipedia.org/wiki/Robots_exclusion_standard
A better solution involves user authentication (ensuring that the agent prompting your script is not a bot).
As others have mentioned, there are a variety of ways of getting around benign bots using empty() checks and robots.txt. However, these rely on the bots respecting your site. Many bots will attempt to inject values into the form (meaning an empty check won't work), and these bots don't care about robots.txt (I wouldn't be surprised if robots.txt:Disallow actually encourages some bots to target your site under the presumption that you may have something sensitive... but that's just conjecture).
Your best bet is going to be a "human check". Either implement a captcha/reCAPTCHA solution, or some other logical test that's difficult for computers to solve or parse/understand before you allow submission: "What's this animal? [photo of common animal]", "Solve this simple equation [(12/4)+1]", etc.
These checks will have to be server-side. They generally involve setting a $_SESSION variable with the "answer" to the challenge task when the form is first loaded and then checking the value they entered against this session variable once they submit the form. Never rely on JavaScript to do validation for you (as you mentioned you are doing in your comment to x711Li). JavaScript validation is purely done as a convenience to users (so they can see issues before they submit) or to reduce load on your server (so you don't have to run/log lots of failed submissions). Any person or bot can bypass or manipulate JavaScript validation, so make sure whatever method you end up using involves a server-side check.
If the mail you're receiving has blank values because the values have not been set during the session, then why don't you check for those values before sending the mail? It's true that the culprit is most likely a crawler, and many of them (including Bingbot) will not listen to a robots.txt file; plus, a robots file is the first place a hacker looks for information gathering.
<?php
session_start(); // $_SESSION is only populated after the session has been started
if (!empty($_SESSION['some_info'])) {
    mail(...);
}
?>
I've developed a web application in PHP and MySQL. One part of the system I've been putting on hold for a while now, is allowing my users to create a simple form inside my application, and once they're done, copy and paste some code which I generate into their existing remote websites (IE: Contact Form) where this form should appear.
When visitors to their site enter their data into that "contact form" or whatever they've created, it should save the info into my application database where the users will be able to access it. It must be unobtrusive.
Is there anyone who can give me a good starting point on how to achieve this?
I'm a little confused about what you're asking. Are you asking if there is a way to automatically copy the generated form to the clipboard, or how you set the form up to allow it to post data back to your own server?
If it's the former, Bradley above pretty much explained it. If it's the latter, then there are a couple of ways that you can go about doing it.
If you want it to submit the form without actually redirecting back to your own site, then you need to submit the form via AJAX (read XMLHttpRequest, or the $.ajax() function if you're using jQuery). The only problem here is that it violates the same-origin policy, since you'd be submitting from a different domain. To fix this, you need to set up your web server to allow cross-domain requests so that it'll actually work.
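The server side of the cross-domain submission the answer describes, as an added example that is not the application's own code: the endpoint that receives the embedded form's AJAX POST, answers the browser's preflight, and only ever echoes back an origin from its own allow-list. The origin list, the JSON body shape (`form_id`, `fields`) and the `submissions` table are assumptions constructed for this example.

```php
<?php
// collect.php -- added example, not the application's code: receives the form embedded on a customer's site.
// The allowed-origin list, the JSON body shape and the `submissions` table are assumptions.
const ALLOWED_ORIGINS = ['https://customer-one.example', 'https://customer-two.example'];

$origin  = $_SERVER['HTTP_ORIGIN'] ?? '';
$allowed = in_array($origin, ALLOWED_ORIGINS, true);

// Reflect only a listed origin: never "*" and never the raw request origin.
if ($allowed) {
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin');                 // caches must not reuse this answer for a different origin
    header('Access-Control-Allow-Methods: POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type');
    header('Access-Control-Max-Age: 600');
}

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code($allowed ? 204 : 403);   // preflight: the headers above are the whole answer
    exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !$allowed) {
    http_response_code(403);
    exit;
}

// JSON body sent by fetch()/XMLHttpRequest from the customer's page.
$data = json_decode(file_get_contents('php://input'), true);
if (!is_array($data)) {
    $data = [];
}
$formId = filter_var($data['form_id'] ?? '', FILTER_VALIDATE_INT);
$fields = is_array($data['fields'] ?? null) ? $data['fields'] : [];
if ($formId === false || $fields === []) {
    http_response_code(400);
    exit(json_encode(['error' => 'form_id and fields required']));
}
// Keep the stored payload bounded and flat: string names, scalar values, capped length.
foreach ($fields as $name => $value) {
    if (!is_string($name) || !is_scalar($value) || strlen((string) $value) > 2000) {
        http_response_code(400);
        exit(json_encode(['error' => 'invalid field']));
    }
}

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'password'); // assumed
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare(
    'INSERT INTO submissions (form_id, origin, payload, received_at) VALUES (:f, :o, :p, NOW())'
);
$stmt->execute([':f' => $formId, ':o' => $origin, ':p' => json_encode($fields)]);

header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

The `Vary: Origin` header and the exact-match allow-list are the two parts most often skipped; without them a shared cache can serve one customer's CORS grant to another site, or a substring match on the origin can admit an unrelated domain. Recording the origin alongside the payload also gives the application a way to spot submissions that did not come from the customer's page.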
JavaScript cannot access the clipboard to save (copy) text to memory. A general way around this is to use an invisible flash movie and place it over an input button so that 'clicking' the button triggers the flash script, which can utilize the clipboard.
I've used ZeroClipBoard in the past to do this, and I believe some of the syntax highlighting plugins out there use it as well.
http://code.google.com/p/zeroclipboard/
I'm looking to make a simple PHP microsite that allows the download of one of my bands tracks in exchange for an email address. I know I could use Bandcamp but I want to do it myself ;)
I found a microsite from a band I like that does exactly what I want, so I tried to pick it to pieces. The site is http://threetrappedtigers.heroku.com. This site basically gets you to enter your email address, which it then must put in a database (unless it finds a match for that email address in the DB).
You can then view the download button and download the file without revealing the source URL of the file. The href for that button is "download/", leading me to assume that there is an index.php in the download directory, which must require some sort of session ID (presumably set up when submitting your email) to stop people linking directly to it. However, the file also does some work that I don't know about in order to obscure the link.
The other aspect I don't understand is that on the page where the email is inputted there is a hidden input that submits a random authenticity_token when submitting the email address. I can't quite work out why that is necessary either.
Apologies for this horribly specific question, but I've been trying to work it out all morning and can't quite get my head around it.
Thanks,
Rich
What you can do is this:
User enters an email address
Verify (or not, depends on your wishes) by sending an email with a link that contains a token. i.e.: http://myawesomband.com/downloadtrack.php?token=asd#%$dhj123
downloadtrack.php validates the token and loads the sample track with file_get_contents() and offers it as a download (see specific headers on the php.net site)
The advantage is that the user doesn't know where the file is located (it is best if you place the sample track outside of the webroot).
[EDIT]
For your hidden input field token: This might be used to confuse bots and other scripts that will only post the 'email' field in large quantities. If the token isn't sent and doesn't match the $_SESSION['token'] value the request isn't handled. This works because scripts that do these kinds of attack generally don't accept cookies so their $_SESSION array is never reloaded.
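Both halves of the answer above in working form, as an added example that is not the Heroku site's code: the hidden authenticity token (generated per visitor, kept in the session, verified with a constant-time comparison) and the single-use download token that goes out in the e-mailed link. The `download_tokens` table, the PDO credentials, the domain in the link and the track's location `/srv/private/track.mp3` are assumptions constructed for this example.

```php
<?php
// gettrack.php -- added example, not the microsite's code. Two scripts shown in one listing; save as two files.
// Assumptions: table `download_tokens`(token_hash, email, expires_at, used), the PDO credentials below,
// the example.com domain in the mailed link, and a track stored outside the web root.
session_start();

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=band;charset=utf8mb4', 'band_user', 'password'); // assumed
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// The hidden input's value: random, per session, so a script posting only "email" cannot know it.
function form_token(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// A fresh link token, stored only as a hash: a leaked table does not hand out working links.
function issue_download_token(PDO $pdo, string $email): string {
    $token = bin2hex(random_bytes(32));
    $stmt  = $pdo->prepare('INSERT INTO download_tokens (token_hash, email, expires_at, used)
                            VALUES (:h, :e, DATE_ADD(NOW(), INTERVAL 1 DAY), 0)');
    $stmt->execute([':h' => hash('sha256', $token), ':e' => $email]);
    return $token;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent  = (string) ($_POST['authenticity_token'] ?? '');
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    // A client that never loaded the form (or keeps no cookies) has no session token to match.
    if (!isset($_SESSION['form_token']) || !hash_equals($_SESSION['form_token'], $sent)) {
        http_response_code(400);
        exit('Invalid form submission.');
    }
    unset($_SESSION['form_token']);     // each rendered form is good for one submission
    if ($email === false) {
        exit('Please enter a valid email address.');
    }
    $token = issue_download_token(db(), $email);
    mail($email, 'Your download link',
         "Your link (valid for 24 hours): https://example.com/downloadtrack.php?token=$token");
    echo '<p>Check your inbox for the download link.</p>';
    exit;
}
?>
<form action="gettrack.php" method="post">
  <input type="hidden" name="authenticity_token" value="<?= htmlspecialchars(form_token()) ?>">
  <input type="email" name="email" required>
  <input type="submit" value="Send me the track">
</form>

<?php
// downloadtrack.php -- a separate file (reuse db() from above): validates the link token and streams the file.
$hash = hash('sha256', (string) ($_GET['token'] ?? ''));
// Marking the token used and checking it are one statement, so two simultaneous requests cannot both win.
$upd = db()->prepare('UPDATE download_tokens SET used = 1
                      WHERE token_hash = :h AND used = 0 AND expires_at > NOW()');
$upd->execute([':h' => $hash]);
if ($upd->rowCount() !== 1) {
    http_response_code(403);
    exit('This link is invalid, already used, or has expired.');
}
$path = '/srv/private/track.mp3';   // assumed location, outside the web root
header('Content-Type: audio/mpeg');
header('Content-Disposition: attachment; filename="track.mp3"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```

The visitor never sees where the track lives, a forwarded link works exactly once and only within its day, and the address only goes into the database after the form token matched, which is what keeps bulk "email only" posts out of the table.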
You can have a look at this, as it does what you want; either use Cake or take some ideas:
http://book.cakephp.org/view/1094/Media-Views
https://github.com/cakephp/cakephp/blob/master/cake/libs/view/media.php
You can see in the render() function that it's mostly about setting the correct headers.