I've run into a situation where one of my company's clients is building a website with our service, but would like to include on our site the podcasts that get posted into a table dynamically generated on a page of their main business site.
I've done a bit with ajax before, I know one of the biggest hurdles is using ajax to access content on a site hosted on a different server. From my research I gather that JSONP is the best solution in a situation like this, but for argument's sake let's say I know nothing of how their server is configured (and have no realistic way to find out) and that I don't know much about JSON (which is true).
I probably shouldn't hope for a silver bullet in a situation like this, but can someone point me at least in the right direction?
Thanks!
Create your own service with PHP that calls the AJAX service, that way you can call any remote service you want but the ajax call is to your domain. I can provide an example if you like.
You can use curl in situations like this.
If you can use jQuery, have a look at jQuery AJAX cross domain, otherwise, throw one of the following header functions into script that serves the request and see if this helps.
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Origin: http://permitted_domain.com');
This is something that the client browser supports, so your mileage may vary
for a non AJAX/Javascript solution, URL fetching mechanisms like file_get_conents() (note this configuration) or using cURL can be used to achieve similar (if not more inline) results
Related
I want to fetch the response from adobe analytics which I get in network panel of browser and display in it the page. This there any way to read the response through php. I don't have access to core files. i work as third party implementation team.
The short answer is you can't. php is server-side. Assuming you did the standard javascript Adobe Analytics implementation; well that's client-side. Your server can't see that stuff.
The longer answer is redeploying Adobe Analytics through a server-side implementation. Basically you setup the code but have it point to your server and then you forward it to adobe (proxying), and so now it is exposed to you server-side.
The alternative answer is depending on what it is you are actually trying to accomplish, you can make use of Adobe Analytics' s.registerPostTrackCallback function. Basically it lets you register a callback function to be called after every s.t or s.tl call, and it gives you the full/final request URL sent to the AA collection server. You can then make an AJAX request to pass it to your server and do whatever with it. Or since you mentioned displaying it on page, maybe consider using javascript to render it on the page? But if you're looking for actual response stuff (headers, content) well you're out of luck on this option.
The other other alternative answer is.. this almost sounds like you are looking to make some kind of browser plugin? If so, then on a plugin/extension level, the request/response stuff (including header stuff) is exposed on that level. But again, ultimately this is really a client-side solution..
But first step back and more clearly define what it is you are trying to do. Or if you've done that already, then try (more clearly) to convey that here.
I am trying to access JSON from this location which is not available to the public (unless you are within the company firewall),
http://12.34.56.789:8983/app/collection/select?q=*%3A*&wt=json&indent=true
My application is located on this web server,
http://www.mywebapp.com
I know that running an AJAX call to a different domain is out of the question, so I was wondering what techniques I could apply to get that data?
JSONP is not an option as I do not have control to attach a callback to the data that is located on that private server.
Thoughts?
use file_get_contents().It reads out the raw data, and returns that as string.
Write a proxy script and put it on your domain. All it has to do is to get the data an respond it to you. Your domain will be the same, Ajax will work and no-one can see, where you get the data from. - of course its slower than a direct request.
So to give an official answer to the comment, JSONP is the thing you are looking for, but it's not without it's downsides though. You can find a good, short tutorial on it here:
JSON versus JSONP Tutorial (sorry don't care to re-write it).
I am designing a website, and I really want it to be as secure as possible.
I have a private folder that cannot be accessed (.htaccess) which contains all my php classes (and similar structures), and a public folder that has my Javascript, CSS and a PHP file for the Javascript(via AJAX) to interface with, which in turn accesses the classes in the private folder.
Now here is my issue, and for the life of me I just cannot seem to get my head around this one:
If someone was to look at the js code they would see the commands / data being sent to the publicly available PHP Script (as described above), therefore getting an idea of what commands to use interface with that script and potentially gain access to stored data etc.
now I know that ajax wont work remotely etc but as long as you got the commands from the ajax script you could interface directly with it, so i thought i would do a referrer check on the interface script and that worked perfectly until I realized how easy it was to spoof your referrer header!
does anyone have any ideas on how to secure this. if this just sounds like complete garbage tell me and I'll try and break it down further.
AJAX and JS are client-based - everything they do, any user can do. If you expose an API method to AJAX, you expose it to the user - there's nothing you can do about that. That's your design choice. You could of course obfuscate your API calls, but that doesn't really do anything other than make it less user-friendly.
The bottom line: don't trust any user input, regardless of whether it came from your AJAX code or somewhere else.
Well, someone scripting your site directly would only be able to access the same stuff he already can in UI, right?
If you have an script function doAdminStuff(), you would check server side if the user is logged in AND is an admin, before taking any actions
Relax, dude.
This is SPARTA! WEB.
Every site in the world is "exposed" like this. That's the way the web works, Ajax or non-ajax based.
You can't help it, yet there is no harm in this. There is nothing to secure.
Here are my recommendations:
Use SSL if you are not already.
Use a (software) token for all requests that you want to protect.
To discourage others from reading your javascript files, you can obfuscate them. Dean Edward's packer is a famous one.
Write a script that sniffs logs and data for potentially bad activity. If you are not logging all the activity you need to (like if the apache logs are not enough) consider writing activity to your own log.
don't be paranoid, just filter input params, maybe you should switch on SSL so you ajax requests content will be hard to sniff, etc.
Are you using the ajax-thing only for security-reasons or for any other reason? Because you can build up an architecture like this (a PHP-file as "gateway" and all other PHP-files in access-restricted folder) without using ajax as well. If you want to check out, you could take a look at the default folder structure of Zend Framework. This structure has the advantage that there is no logic visible for your users at all.
Also important is that IE (at least IE 6 & 7 I think) does not send a referrer at all by default so this probably wouldn't work anyway.
I want to write a PHP script that performs a routine task in a web app I use. I am trying to figure out the easiest way to submit a form, click a link, and get some information. What's the easiest way to do this (keeping the session open, etc.).
Javascript would be a better solution than PHP. You can use it in tandem with PHP to submit a form that references the same page, ie. <form method='index.php' action='post'>
If method is GET then you ought to be able to work it out form the URLs of a few real world attempts.
It POST then you are probably SOL unless it's your own web page./app and you know what $_POST it expects ... unless you find a tool to snoop your HTTP traffic and get the POST info from observing a few real wrold examples.
You can use CURL in PHP to simulate submitting data, clicked links, etc., I suppose, but a client-side scripting language like Javascript--as opposed to a server-side language like PHP--is more suited to what you're describing. I'd need more info to give you a specific example.
You will not be able directly emulate those events in PHP as web apps use Javascript on the client side and PHP is a different language and operates on the server side.
Firstly, I would see if there is an open API available for the web app you're wondering about, e.g. Gmail: http://code.google.com/apis/gmail/ . Not all APIs can do what the web app can do, so you'll need to check the documentation to make sure the API does what you want and has an easy way to interface with PHP.
The other option is to essentially reverse engineer how the web app communicates with it's server. Most all web apps operate by sending POST or GET HTTP data in some sort of serialized format like XML, JSON or text. You can use something like the Firebug add-on for Firefox to view POST/GET data. If you know what the server sends to the client and what the client sends to the server, you can essentially write a script using something like CURL to emulate the client in PHP instead of JavaScript. This would take quite a bit of work and probably involves a lot of trail & error.
Is it possible for a web page using Javascript to get data from another website? In my case I want to get it for calculations and graphing a chart. But I'm not sure if this is possible or not due to security concerns. If it is considered a no no but there is a work around I would appreciate being told the work around. I don't want to have to gather this information on the server side if possible.
Any and all help is appreciated.
Learn about JSONP format and cross-site requests (http://en.wikipedia.org/wiki/JSON#JSONP).
You may need to use the "PHP-proxy" script at your server side which will get the information from the websites and provide it to yours Javascript.
The only reliable way is to let "your" webserver act as a proxy. In PHP you can use curl() to fire a HTTP request to an external site and then just echo the response.
You can't pull data from another server due to the same origin policy. You can do some tricks to get around it, such as putting the URL in a <script> tag, but in your case it wouldn't work for just parsing HTML.
Use simple_dom_html, to parse your data server side. it is much easier than doing it in JavaScript anyways.
A simple way you might be able to do this is to use an inline iframe. If the web page you are getting the data from has no headers, or you can isolate the data being pulled in (to say an image or SWF), this might work.
cross-domain javascript used to be impossible, using a (php-)proxy was a workaround for that.
jsonp changes this entirely, it allows to request javascript from another server (if it has an API that supports jsonp, a lot of the bigger webplayers like google, twitter, yahoo, ... do), specifying the callback-function in your code that needs to be triggered to act on the response.
the response in javascript will contain:
a call to a callback-function you defined
the actual payload as a javascript-object.
frameworks like jquery offer easy support for jsonp out of the box.
once you have the raw data you could tie into google chart tools to create graphs on the fly and insert them in your webapp.
Also worth considering is support for XMLHttpRequest Access Control which is support in some modern browsers.
If the service provider that you are trying to access via a web page has this set up, it is a very simple call to XMLHttpRequest and you will get access to the resources on that site without the need for JSONP (especially useful for requests that are not GET, i.e. POST, HEAD etc)