Let's say I have a script, that redirects to another page based on your type of input.
Now that site you're redirected to already has a long query string. So what I'd like to do,
is append some html code to the end of the site without actualy sending GET or POST requests, let's say something like:
<?php
header("Location: redirectedsite.php");
//send extre html img for example
$html="<html><img scr='img.jpg'></img></html>";
?>
Is that even possible? I know about sessions and cookies, but I'd like to see if there are any alternatives.
Once the browser redirects to the other site, the body of your page gets ignored and ONLY the other site gets shown to the user.
So, unfortunately, what you want is not possible; if the redirected site is under your control you could conditionally add more contents based on a GET parameter, but it would still not work in the way you've described.
In fact, this would probably be a security nightmare if you could append HTML to any another website.
It's not possible in that manner no, sorry. If you control the destination site you could, as you say, set a session variable that would prompt the destination page to append the code, but there is no way to do it directly in the way you want. And neither option is possible if you don't control the destination.
Nope. When you do a header redirect, the browser will go there straight away. You can't add some HTML in between.
You would have to do that on the target page, or show a proper HTML page that then uses another kind of redirect (using the legacy <META> or JavaScript, or a combination of both along with a link that can be clicked manually).
Aside from appending it as a query parameter, or using session variables, you can't do this. Is there any particular reason you don't want to use sessions?
Related
I have a webpage written in PHP, HTML and, first of all, JavaScript. I want to block (deny access page and show a message) access my webpage for person who doesn't have enabled JavaScript in browser settings or doesn't support it, because then my page isn't correcly displayed and there are a lot of bugs (also security bugs !). I know that there is possible to write <noscript> statement in HTML, but then something other than this text is dispalyed and it also is removable (e.g. by Inspector function is browsers), I said that without JS my page contains bugs. So, my question : is there any way to block access* for users which doesn't support JS to my page using PHP ? Any other suggestions are welcome :)
*Block access means - deny access main page and show a message
This is not possible to do in a truly secure way.
Yes, you could just serve a page that is blank, and then use JS to actually load the content (e.g. via AJAX), but the problem is that JS must load that code from somewhere, and an attacker could do that too. But here's the real problem:
Users have control over their browsers. JS is client side code. An attacker may choose to run, not run, or change and then run your JS. An attacker may even run their own JS to call or replace your functions. Any security that relies on your JS is broken by default.
So while you could (and people do) show a warning message over your page that is then hidden by JS code, or use JS to load your content, it won't ever be secure.
If you really really really need this. I said three really because I think most of the time you can choose alternative to this.
Set a cookie using JavaScript and pass it along with your request to server and validate the cookie on your server with the passed request. If you are able to verify the cookie Your client has JS else not.
Better way would be to redirect js and non js users from single point. say in your index.html file you have have javascript code that will redirect your clients or visitors to different url. That way you know those users have js enabled else they would not be redirected.
You can make a "sub" page that loads its entire content via AJAX. This will not stop people from hitting your URLS directly though. Don't trust the client.
Other answers and comments already include a lot of details on why you really can't technically block access using Javascript, however, a simple workaround to do something only when JS is enabled, is to call a JS function after DOM loads:
<script type="text/javascript">
window.onload = do_something();
</script>
</body>
</html>
do_something() then could include simple things like switching block element visibility, e.g., hide the non-JS message, plus launch AJAX loader or do something else from the stuff that has been already suggested above.
I have a PHP website that I send users to via a Dynamic URL like this:
http://mwebsitehere.com/?gw=1
well the page I send them too, works great with the code I am using to do certain things if the Dynamic content is set in the url. But whenever they click on a link on the page, which are ALWAYS changing, the Dynamic Content in the url is completely gone... For instances:
Lets say they are on the homepage that looks like this http://mwebsitehere.com/?gw=1, and then they click on a link that looks like this http://mwebsitehere.com/new-page/. Notice the ?gw=1 is completely gone from the url.
Is there a way to keep the Dynamic Links on every page if the url has dynamic content.
Like if it were to say ?gw=2 could all the links they click on or url somehow keep ?gw=2 on every page. Or if it said ?gw=1 for it to do the same thing.
Any help would be appreciated! Let me know if I need to explain my question better. Thanks!
I am also using wordpress, just in case you know anything wordpress specific! Thx!
the only reason to have get variables ?gw=2 in the url is if they are needed for that page, if you are wanting them for all pages,
have your scripts check to see if it exists in the $_GET array or $_COOKIES array, if its in the $_GET array but not it in the $_COOKIE array then set it in the cookies. That way your script will still see it,by checking the cookies.
No sense in cluttering the url with variables that dont need to always be shown.
If you want the exact same variable passed to every page, why not use
$_SESSION['gw'];
or
$_COOKIE['gw'];
to store "gw".
Otherwise you would have to pass it on via each link as follows
For example on page http://mwebsitehere.com/?gw=1
Link
There are a few ways you can do this.
You may use $_SERVER['QUERY_STRING'] and put it in every single link in your page. It will keep your links always repeating the same query string that your current file is.
You should try storing data in sessions! Then you can carry data from a page to another. Take a look at the PHP manual.
Good luck!
Let's say I have the following link:
www.blahblah.com/#!?page=index
How can I convert it to one of the following:
www.blahblah.com/#!/index (this one should be made with mod_rewrite)
www.blahblah.com/ajax/index (still mod_rewrite, but #! replaced with ajax)
www.blahblah.com/index (the page will load with AJAX like facebook, but #! will be hidden)
Can anyone give me examples of each of the questions above?
Thanks alot!
Anything after the hash (#) isn't sent to the server, so you cannot read it server-side. You can, however, redirect the user using JavaScript. The information you're looking for will be stored in the variable window.location.hash.
On page load, you can do something like the following:
hashString = window.location.hash.substring(8);
window.location = 'http://www.blahblah.com/'+hashString;
We're using substring to remove the first eight characters (#!?page=), so we'll be left with index.
Module rewrite only changes what the server sees. Module rewrite can't, change what the local browser sees, which is where the js is being run.
The way Facebook load, is through requesting the contents of the new page, then it updates the window URL instead of having to re-load everything. This is done, so If an item needs to be shared or linked the link is all up to date with what they're actually viewing, so when the page gets a fresh re-load, the browser loads the actual full php page, requested from the server.
The hidden # in a ajax page loading strategy is done by HTML 5 pushState.
In javascript you can use window.location.hash for this.
I am building an AJAX deep-linked site.
I want PHP to load all the HTML code of the page if the user is trying to access the site with a Javascript non-supported browser or if it is a search crawler. Basically PHP will return the whole page.
On the contrary, when the user is trying to access the site with Javascript supported browser, I want PHP to return only the template code, and let Javascript (AJAX) take care of the rest. Basically PHP will only load design elements and let Javascript populate them with content.
I looked into PHP's get_browser() function, however it seems it is not such a reliable tool. What is the industry's practice see if the browser supports Javascript or it is a search crawler using PHP?
Background:
Why I want the site to have this behavior.
Since I want the home page to load just by loading the address: example.com, which does not send any query to PHP, PHP returns the HTML code of the home page. This however causes issues when the user tries to load the following page: example.com#foo. So, for this example, PHP will return the home page and once the home page is loaded, Javascript (AJAX) will change the content around so that it shows proper content for #foo. This will make the user to see the home page, therefore load time will be slower and user-experience will not be so nice. However if my PHP script can figure out that if the use with Javascript supported browser is trying to load the page, it will only return the template of the web site, which has no content) and the javascript will populate that template with content whatever is supposed to be displayed for #foo. On the other hand, if the Javascript non-separated browser or a crawler will try to access the page example.com#foo, home page will be returned.
I am using SWFaddress (http://www.asual.com/swfaddress/) library for the deep-linking.
Edit
Thank you guys. I did not think of using <noscript></noscript> before.
Here is what I decided to do. PHP by default will load pages such as example.com or example.com#foo (which is essentially the same as example.com from PHP's point of view since fragments by definition are not sent to the server) blank (just visual template) with <noscript> tag inside for the content of the home page. This way users with javascript will not see the home page and AJAX will populate the content of the page according to the #foo fragment. On the other hand, search crawlers and users without javascript will see a home page.
Thank you again. I think this is pretty simple and elegant solution. If you have any further suggestions, please post a comment or another answer.
You can't do this using PHP. What you can do though is use a noscript tag to redirect to another php page if they don't have javascript:
<noscript>
<meta http-equiv="refresh" content="0; URL=nojavascript.php">
</noscript>
It's not possible to accomplish this in the way you're trying to do it.
It's rare that someone has JS turned off and doesn't know it.
PHP doesn't get passed anything after #, only javascript can do anything with that. So even if PHP could determine if the browser has javascript turned on then it still couldn't read # anyways.
You could include a link inside some <NOSCRIPT> tags that point the user to something like example.com#foo?javascript=disabled.
Unfortunately, browsers do not report whether JS is enabled or not, so there's no way to know from a simple HTTP GET whether or not you should send JS reliant pages.
You should just build an AJAX query that sets a session variable for javascript enabled.
Run this AJAX query before any other information on the site is loaded and then do a simple redirect to the actual site.
You could do something like this pseudo code:
Index.php:
ajax(check_js.php);
redirect(main_page.php);
check_js.php
$_SESSION['js_enable'] = true;
main_page.php
if($_SESSION['js_enable'] == true) {
//execute page
} else {
header("Location: no_js_error.php");
}
Instead of the server trying to sniff our the user's settings, how about using unobtrusive javascript in the first place? This way, the page will degrade gracefully (to the desired state) if JS is not available.
I just wanted to know, is there any possible way to change the URL that appears in the address bar of a webpage dynamically? Like, maybe there are two buttons on the webpage, and when the user clicks one it will (or won't it does not matter) refresh the page and the url will be mysite.com/page1, or if the user clickes the second button, the url that appears in the address bar will be mysite.com/page2?
I do not need it to chaneg the domain, just the part after.
Just wanted to say, that I DO NOT want to go to another page. This must be done on one page. It does not matter if it is done with JS, PHP, or via the .htaccess file, but it must do this with only one page.
Outside of changing the .location you only really have control over the window.location.hash.
window.location.hash = "boo"; http://mysite.com -> http://mysite.com/#boo
This is the only way to not go to a new page while changing the URL. All other methods will refresh the page or redirect the page:
window.location redirects user when changed
window.location.pathname redirects user when changed
window.location.search redirects user when changed
window.location.hash does not redirect user when changed
You can also just change the non domain path by using a relative url:
window.location = "page1"; // include forward-slash if necessary
// goes to http://somesite.com/page1
You can definitely (and easily) serve the same page off both /page1 and /page2 and have the buttons navigate respectively to one and the other -- "refreshing the page", as you say (i.e. loading it up again from the server, or browser cache), and of course change accordingly what appears in the address bar, too. However, I don't see what's the point of doing that.
I don't quite understand what you want.
Is it that in both cases, you want the same page to be shown but with different urls ?
In that case, you could write a .htaccess file to redirect to the same page for both /link1 and /link2 and point the button to either of the links.
Just to update this question in case others come along.
This can now be handled via javascript using pushState(). There's a couple of libraries (such as History.js) that aim to ease implementation across different browsers currently without proper support. However, if you'd like see a simple usage example without the use of such libraries, feel free to check out the following article on Hawkee
Dynamically change URLs using Push and Popstate