I am looking for a way to let PHP act as a browser, does anyone know how to do that? I know how to get pages and how to send GET/POST forms, but how do I let PHP interact with AJAX and JavaScript on a web page?
Don't. PHP is not designed for this sort of thing. While conceivably possible, this'll take an extraordinary amount of work.
Use something designed for this sort of use case, like PhantomJS.
And please, don't be evil. Using this to get around valid anti-bot restrictions would be lame.
I have researched APIs and I generally understand how they work and how to use them (HTTP request to API, get data and parse it, etc.), however, for my project I need to use data that I collected myself so I can't just use another database for example. I'm quite new to this so I don't understand a few things. I'll try to explain my plan as clearly as possible. Please let me know if any additional explanation is required.
I have an HTML form which can be filled out and saved. This form is not supposed to be local, but rather on a server.
I read a lot about XML files and APIs and I also saw many similar questions on here but I'm not sure what applies to my instance.
I wanted to store the information from the form in an XML file. Some people said that this could be done with JavaScript, some people said this would require some server-side script. What applies in this case? I would guess that I need a server-side script but as I said, I'm kind of at a loss here.
I thought I could simply use JavaScript to store whatever is entered into the form and use Python or PHP to create an XML file in which I store this information. This XML file would then be used by the API. This is where I have trouble understanding.
The edited form is supposed to be saved (on the server I guess, so several people can access it), so you can go back to it later and edit it again. How exactly would I implement an API here? Can I just "make" my own XML-file, which the API uses as database? Is there any better way to do this?
I know this probably seems like a stupid question but I really want to understand this so bear with me. I'm very much overwhelmed by this task so I appreciate any help.
I am designing a website, and I really want it to be as secure as possible.
I have a private folder that cannot be accessed (.htaccess) which contains all my PHP classes (and similar structures), and a public folder that has my JavaScript, CSS and a PHP file for the JavaScript (via AJAX) to interface with, which in turn accesses the classes in the private folder.
Now here is my issue, and for the life of me I just cannot seem to get my head around this one:
If someone was to look at the JS code they would see the commands / data being sent to the publicly available PHP script (as described above), therefore getting an idea of what commands to use to interface with that script and potentially gain access to stored data etc.
Now I know that AJAX won't work remotely etc., but as long as you got the commands from the AJAX script you could interface directly with it, so I thought I would do a referrer check on the interface script and that worked perfectly until I realized how easy it was to spoof your referrer header!
Does anyone have any ideas on how to secure this? If this just sounds like complete garbage tell me and I'll try and break it down further.
AJAX and JS are client-based - everything they do, any user can do. If you expose an API method to AJAX, you expose it to the user - there's nothing you can do about that. That's your design choice. You could of course obfuscate your API calls, but that doesn't really do anything other than make it less user-friendly.
The bottom line: don't trust any user input, regardless of whether it came from your AJAX code or somewhere else.
Well, someone scripting your site directly would only be able to access the same stuff he already can in UI, right?
If you have a script function doAdminStuff(), you would check server side if the user is logged in AND is an admin, before taking any actions.
Relax, dude.
This is SPARTA! WEB.
Every site in the world is "exposed" like this. That's the way the web works, Ajax or non-ajax based.
You can't help it, yet there is no harm in this. There is nothing to secure.
Here are my recommendations:
Use SSL if you are not already.
Use a (software) token for all requests that you want to protect.
To discourage others from reading your JavaScript files, you can obfuscate them. Dean Edwards' packer is a famous one.
Write a script that sniffs logs and data for potentially bad activity. If you are not logging all the activity you need to (like if the apache logs are not enough) consider writing activity to your own log.
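The two points above that matter most (check login and role on the server, and tie protected requests to a token) as an added example; this is not code from any of the answers, and the private class, file paths and command names are assumed:

```php
<?php
// Added example: one public "gateway" script that dispatches AJAX commands to
// the private classes, but only after server-side checks. Assumed names:
// ../private/Admin.php, Admin::listUsers(), the session keys used below.
declare(strict_types=1);
session_start();

// At login the site stores $_SESSION['csrf_token'] = bin2hex(random_bytes(32))
// and embeds it in the page; the JS sends it back with every request.
function csrfTokenValid(array $post, array $session): bool
{
    return isset($post['token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], (string)$post['token']);
}

// Authorization lives here, never in the JavaScript: the caller must be
// logged in, and some commands additionally require the admin role.
function isAllowed(string $command, array $session): bool
{
    $userCommands  = ['getProfile' => true, 'saveForm' => true];
    $adminCommands = ['listUsers' => true, 'deleteUser' => true];
    if (empty($session['user_id'])) {
        return false;                                   // not logged in
    }
    if (isset($adminCommands[$command])) {
        return ($session['role'] ?? '') === 'admin';    // role checked server-side
    }
    return isset($userCommands[$command]);              // unknown commands rejected
}

header('Content-Type: application/json');
$command = (string)($_POST['command'] ?? '');
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrfTokenValid($_POST, $_SESSION)) {
    http_response_code(403);
    exit(json_encode(['error' => 'bad or missing token']));
}
if (!isAllowed($command, $_SESSION)) {
    http_response_code(403);
    exit(json_encode(['error' => 'not permitted']));
}
// Only now touch the private folder (assumed path and class).
require __DIR__ . '/../private/Admin.php';
$result = match ($command) {
    'listUsers' => Admin::listUsers(),
    default     => ['error' => 'command not wired up'],
};
echo json_encode($result);
```

Knowing the command names from the JS buys an attacker nothing here: without a logged-in session holding the right role and the matching token, every request ends at the 403.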
Don't be paranoid, just filter input params; maybe you should switch on SSL so your AJAX requests' content will be hard to sniff, etc.
Are you using the AJAX thing only for security reasons or for any other reason? Because you can build up an architecture like this (a PHP file as "gateway" and all other PHP files in an access-restricted folder) without using AJAX as well. If you want to check it out, you could take a look at the default folder structure of Zend Framework. This structure has the advantage that there is no logic visible to your users at all.
Also important is that IE (at least IE 6 & 7 I think) does not send a referrer at all by default so this probably wouldn't work anyway.
I have a PHP webservice that I need to add exclusive access to. This I could do with md5sums or similar, but my problem is that I also have a website that calls the webservice from JavaScript. So any keys, md5sums, and what I can think of can be read in the JavaScript and does not provide much security. For example a URL like http://my-webservice.com?supersecretkey=omg is easy to read in the JavaScript and replicate.
What would be the best approach? Sessions? Oauth? I have researched a bit, but I keep running into the problem that most examples are not so that they can be called from javascript.
For something like this, I would go with HMAC:
http://en.wikipedia.org/wiki/HMAC
Securing a javascript client with hmac
I think you should rethink your architecture here. Calling secure web services with JavaScript is not the way to go. Maybe create server resources that can authenticate the JavaScript call and perform the necessary data query and return it to the JavaScript function in JSON.
Also bear in mind that not everyone has javascript enabled in their browser, so it might be good to change to a server based call altogether.
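The HMAC suggestion and the "let the server authenticate the call" suggestion combined, as an added example that is not from either answer: the website, which knows who is logged in, issues a short-lived signed token; the webservice verifies it with the same server-side secret, so nothing secret ever reaches the JavaScript. The secret value, user id and field layout are assumed:

```php
<?php
// Added example. Assumed: website and webservice share $secret server-side;
// the browser only ever sees the token returned by issueToken().
declare(strict_types=1);

// Website side, when rendering the page for a logged-in user.
// Token layout: userId|expiresAt|hex(HMAC-SHA256(userId|expiresAt)).
function issueToken(string $secret, string $userId, int $expiresAt): string
{
    if (str_contains($userId, '|')) {
        throw new InvalidArgumentException('user id must not contain |');
    }
    $payload = $userId . '|' . $expiresAt;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Webservice side: returns the user id, or null if the signature does not
// match, the token is malformed, or it has expired.
function verifyToken(string $secret, string $token, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;                                  // malformed
    }
    [$userId, $expiresAt, $sig] = $parts;
    if (!ctype_digit($expiresAt) || (int)$expiresAt < $now) {
        return null;                                  // expired
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expiresAt, $secret);
    // Constant-time compare so the signature cannot be recovered byte by byte.
    return hash_equals($expected, $sig) ? $userId : null;
}

// Constructed demonstration values.
$secret = 'replace-with-a-long-random-server-side-secret';
$token  = issueToken($secret, 'alice', time() + 300);      // 5-minute lifetime
var_dump(verifyToken($secret, $token, time()));             // "alice"
var_dump(verifyToken($secret, $token . '0', time()));       // NULL: tampered
var_dump(verifyToken($secret, $token, time() + 600));       // NULL: expired
```

A stolen token is still usable until it expires, which is why the SSL recommendation above goes with this and why the lifetime should be short.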
I know this is very unlikely, but maybe there is another solution.
What I want to do is retrieve JavaScript generated data from an external website. This isn't for an exploit, but rather a test.
I noticed Google cannot index AJAX generated content... but could they, and more importantly, how?
I guess that is a better way of putting it.
You certainly can do it on a case-by-case basis. However, you wouldn't use a tool like cURL. Instead, you'd use something more sophisticated like a browser or JavaScript interpreter (Rhino springs to mind) to interpret and run the JS and then retrieve the values from there.
We're in the first steps of what will be an AJAX-based webapp where information and generated HTML will be sent backwards and forwards with the help of JSON/POST techniques.
We're able to get the data out quickly without putting too much load on the database with the help of a cache layer that features memcached as well as disc-based cache. Besides that, what's essential to have in mind when designing AJAX-heavy webapps?
Thanks a lot,
Probably the best thing to have in mind is that your app shouldn't be AJAX-based. It should work fine if the user's browser has scripts disabled. Only then should you start layering on AJAX. Stack Overflow is a great example of this. AJAX really improves the experience but it works when it's disabled.
Another thing I like to do is to use the same PHP validation functions for both server-side and client-side validation (as in sending an AJAX request to a script containing the same PHP function) to keep the amount of cross-language code duplication to a minimum.
Read up on Degradable AJAX.
Security for one. JavaScript has a pretty notoriously bad security profile.
These are the two that always get me:
What happens when the user clicks multiple items that may trigger multiple requests that may return out of order?
What happens when a request doesn't come back for one reason or another (timeout, server problem, etc.)? It always happens eventually, and the more gracefully your system fails the better.