I'm trying to enable screenshots of the page a logged in user is currently on. I've placed a button that needs to:
read in the content of the referring page
save it to a file
render that file as a PDF
redirect back to the referring page
The problem I've run into is that users are logged in and on pages that are very specific to them. I can't grab the page via CURL with generic credentials because the screenshot won't be applicable, and I don't have the user's credentials.
How can I read in the contents of the current/referrering page with PHP without access to the users credentials? I've tried file_get_contents which was not working either.
It sounds like your mechanism is going to be faulty anyway: you're not saving the page as it looks to them, but rather saving the page as it looks to CURL at some point in the future.
If you want an accurate solution, then you need to save a copy of the rendered HTML somewhere server-side as you send it out (you can use PHP's output buffering to capture it) and mark the file you save with some sort of key that goes to the user. If the user clicks the button, it sends that key to the server which you use to look up the saved HTML file, and process it as desired.
Significantly less efficient, of course, but there you go. Alternately, you can save just the parameters processed in the page such that you can re-render it with PHP if required. Still no curl involved, but less saving going on. Obviously you don't need to keep this cache information long; just a few minutes, so storing it in ram (e.g. memcache) would be sufficient.
I don't believe this can be accomplished ethically without obtaining the user's credentials.
Related
I am currently working on a project which can be best described as a online pdf library.
Users can log in and see a list of pdfs available. The user can click on one to 'check it out'
this then allows them to have access to view a pdf file for a specific time period after which it is no longer accessible.
there are two important rules:
The user can only view the pdf through the website and cannot copy it
After the time expires the user can no longer view the pdf
I was thinking of using swftools to convert the pdf to swf to disable the user from saving the pdf. But I still have a security issue:
how do I display a swf in browser without revealing its location?
thankyou for taking the time to answer this question. Please let me know if i need to specify anything.
Use a timed URL. Here's the insecure version:
http://www.example.com?file=123&expires=2014-03-06
Now, to be less obvious, encode those two params into one variable and make it look like the filename:
http://www.example.com/123-2014-03-06.pdf
But go one step further and hash/encode the values into something like a guid.
You can also do this on the server-side, by issuing a real guid and associating a filename and expiration time with that value.
so I've hit a potential problem in my site....it's a post-based system, with the posts being in text files. Uses some Javascript and a lot of PHP.
When you make a submission on the form on the homepage, you are sent to a page where data is posted and processed, but you don't see it because you get redirected back. Then the homepage is changed based on what the post you made says. All that was working fine.
But now I'm trying to add a new feature that modifies the post you made, based on a button you hit which submits a hidden form using javascript, and sends to another process and redirect page you don't see, and it works fine until the block that I realized today. I don't know how to specify that the post being altered is the right one.
I anticipate a good amount of users of this site, so my concern is what if user X makes a post while user Y is making a post, and the post of user X becomes the top post, so user Y's options actually change user X's post.....
I was thinking of adding to the main processing page (the one that happens when you first submit) a COOKIE or something that would make note of the number of the line that post will become, by counting the number of the lines in that file at the time and adding 1 to it. Then checking it against the user's number (each user has a number) to see if it's that user's most recent post....but the problem is I don't know how I would pass that value around to be read in the next page.
Setting a COOKIE is out I think because the page both redirects, AND reads and writes to files. The only output to the page though are currently var_dumps.
POST/GET is out because to my knowledge the user would have to do SOMETHING to submit it, and the user's not even going to see the page.
Writing to a file would be messy if lots of users are trying to get their own data.
I think what I may be looking for is SESSION variables...but I don't know anything about those except that they're used to login to pages, and this site has no login.
To make things more fun, when a user posts the same content within a minute of another user, the first user's post is replaced and it gets a little +1 next to it...which makes it harder to check it against the user's number....
AND in the end I'm trying to use AJAX (which I dont know yet) to make the updates in real-time...now THAT is going to suck. But for now I'm worried about my static little site.
Baby steps.
Any ideas how to go about this??
Use Session variables, just as you have alluded. They aren't just used by login pages, they are used by everything. Sessions are the equivalent of server-side cookies / server-side storage, so you don't have to worry (as much) about your users tampering with them.
If you want to make life more difficult for yourself, you can json encode your variables and store them as an object in a database or even flat text file. But really, read up on sessions.
All you need to know is session_start(); before anything else then $_SESSION['var']=$yourvar; to save data and $_SESSION['yourvar'] to retrieve it later (such as on another page).
I'm developing for a pre built php based system.
For restrains that I cannot explain, I cannot use any cookies, sessions or a db link.
I need to display a message only once to every visitor that comes in.
Any creative ideas you guys can think of?
Thanks,
Here are some ideas
Use browser's localStorage
Pass the message using post or on querystring. Not safe option
Use flash store. Same as #1 but don't need flash!
Use file disk but then you need to be able to remember who owns the file since multiple people would be on the same server. Without using cookies, I am not sure how to do this.
I personally like using localStorage. First page would create some javascript that stores a message on browser's storage and then second request would pull that message and display it.
While your restraints are somewhat curious I suppose you can add a value in your $_GET.
If a visitor visits www.yoursite.com/ they will see your message, all links displayed on that page include a $_GET var 'displayed' or however you wish to name it. so links will be like www.yoursite.com/page.html?displayed=1
Then you check
if (isset($_GET["displayed"]))
// don't display message
else
// display message
Not a very 'nice' approach, but it would work.
What about using IP Tracking and a flat file or csv. Something similar to that will display it only once per IP.
You can force PHP to pre-pend some of your own PHP code, including a session_start() call, with the auto_prepend_file .ini option.
This guarantees that whatever file you prepend is THE first thing executed in each script.
After that point, you've got a session (or even just a cookie) in which you can store your flags to hide that message on subsequent visits.
I have a web application and I want to make it run offline as well. In this application I just have a form and I am using PHP for submitting it. I am using a manifest.php file like the one described in http://building-iphone-apps.labs.oreilly.com/ch06.html .
The problem is that I need somehow to add the parameters from the form in the manifest, for caching the right file, for example the file welcome.php?name=aaaa and not the welcome.php . So I need to use a GET for the name in the manifest.php. But if I understood well the manifest file is created in the beginning before the form is submitted so the value on "name" is empty.
Is there a way to add these parameters in my manifest file for running the application offline as well?
Thanks
The only way you can do that is to list the files with their parameters in the manifest, so you would have to know all the possible parameters in advance and then use your manifest.php to spit them out, ending up with a manifest file that looks something like this:
CACHE MANIFEST
welcome.php?name=aaaa
welcome.php?name=aaab
welcome.php?name=aaac
...thousands more lines...
welcome.php?name=zzzz
NETWORK:
welcome.php
However, I strongly recommend you don't do it this way if (as it looks like) you want to present a personalised welcome page to the user. With this approach every user will download every welcome page, even though they only need to see one of them.
There are two approaches I think will work better:
1: Deliver personalised pages
If only thing which changes is this page, force the user to logon before accessing the welcome.php page, then use a session variable instead of a query parameter to deliver the personalised page. You then just need to specify welcome.php in your manifest and every user will cache one personalised version.
2: Write a full offline app
If your web app is going to have user specific data at every step you need to break down what are the common application components and what is the user data, and serve them separately. If your app is going to do anything offline it's going to be doing it with JavaScript, you should therefore use JavaScript to update the page in the browser rather than generating entire pages on the server side with PHP.
Most of your PHP pages are basically going to be templates which you will load with user data through JavaScript (you can still populate them the 'old' way for users who don't have offline capability in the browser). You will have at least one PHP page which delivers data in response to AJAX requests. For this approach you're going to need to learn about Local Storage and the various JavaScript APIs for managing the cache and detecting offline state. Once the user decides to install the offline version of your web app you download all of that user's data and put it in Local Storage, then use that data to update each page as it loads when the user is offline. Any changes made then need to be synced back to the server when the user is back online.
Due to applciation cache is loaded after the page it references to. You have to reload the cache by applicatonCache.update() when the parameters are available.
The trick to inject the parameters into the the manifest is to set cookies before invoking update(). Your serverside script gets the cookies and can generate the appropriate manifest content.
I have an affiliate tracking script that is currently being exploited by an affiliate. In the main, site I track the affiliate clicks using this url www.example.com?member=affiliatecode,
then I capture the query string $_GET['member'];
Problem is, an affiliate is exploiting this simple system and page loads on his site is being recorded as clicks going to mine.
What measures can I add to prevent this without changing the affiliate link to my site? An idea that I had is to check if my page has actually been loaded, but how would I do that in PHP?
Thanks
I don't quite grasp the exact problem (or more to the point, exactly how the affiliate is logging hits), but a solution may be to put a image on your page which should ensure that a browser has loaded it. So at the bottom of you page you should insert
<?
if ( isset($_GET['affiliate']) ){
echo '<img src="affimg.php">';
}
?>
And then in the affimg.php, you would log the affiliate and then output a 1x1 image (remembering to set the headers). The downside is that there is no way to stop an affiliate just simply putting that image in to his page and if the affiliate is using an iframe, the image would still be loaded.
A better way may be to simply do some tracking. Rather than just requiring that one page gets visited, change it so that you require two or more using a database to track the ip addresses.
There may be a better way, but then I don't know the exact details.
First, you can never be sure that a bot/script instead a human "clicks" on an image, this is a fact. Secondly, you can make things a bit difficult. An idea would be:
Deliver a banner including a unique link that is triggered via a Javascript-click-event, like:
<img src="http://www.targetsite.com/image.jpg" />
Save the token in your database before and give it a expiration time of some minutes. Then, only count the click if the token is valid later. So your affiliate has to change the "onClick"-Event or parse the source code to extract the token.
As said, it only makes things more difficult. You could also parse your affiliate's site source to see whether there, your banner is "clicked" automatically (which would be very cheeky).
Another addition would be to read a cookie on the client side and attach it to the generated link to implement a check if the client has already requested your target site.
Since you can't protect yourself completely from fakes, you can build several little tools like these that increase safety.
HTH