PHP curl and Infusionsoft Cookie - php

I have a simple web form that feeds into Infusionsoft. Not my call. I had been submitting it fine with curl to run an AJAX routine, to eliminate then going to Infusionsoft's domain and a thank you page - instead just displaying a thank you/error msg based on the return. All good so far. The problem I've run into is with the affiliate cookies. Apparently each time I set up an affiliate it generates them a url to my sign up form that has their affiliate data in it and sets a cookie in the url (http://www.example.com?p=XXX&w=XXX).
I'm getting that stripped out with my curl routine. How do I keep a 'url cookie' enabled when submitting through curl? I apologize if my terminology is incorrect, this is beyond the scope of what I usually do and would appreciate any correction.
I know it's a curl_setopt but don't understand them enough to make a qualified decision. I basically just need it to keep alive the session that was started with the url. I know this post is lacking, but unfortunately so is my understanding.

The affiliate cookie is tied to the infusionsoft.com domain and you can't access that unless your script is on the Infusionsoft domain. The only other way to do this is to use some hacked version of the instructions on this page - http://kb.infusionsoft.com/index.php?/article/AA-00878/0/How-can-I-track-affiliate-activity-if-I-capture-leads-or-process-orders-through-the-Infusionsoft-API.html
Best,
Jordan

You can do it with modern browsers, because you can make a CORS AJAX request to the hosted version of the web form on InfusionSoft's site. You have to mimic all of the form fields and names, including the hidden ones. So you will need to submit the form to their hosted WebForm version and use Firebug or Chrome's dev tools to watch the HTTP request. Then you will have to submit your form, using the same form fields/names to wherever the action attribute of their hosted form is pointing via an AJAX request.
I have implemented this successfully using AJAX, it just doesn't work on IE 7, 8, and 9 because of CORS AJAX security issues. My workaround for those browsers is to use cURL as a proxy to submit the form. The only downside for those special case browsers is that they don't receive the cookie that shows which URLs they've visited in their web profile in InfusionSoft.

Related

Is ajax post using jquery secured?

I would like to ask this because if no quite sure that it secure.
I am planning on changing my page to ajax based registration. So my data will be inserted using jquery ajax post.
But if someone uses firebug and see where my post is being sent, they can use other form of firefox addons to post data on that url and can easily register without going to my page.
Although I can validate the request first where it is comming from though but that would be extra codes and work.
I will also add server validations for my form since someone can register without validation using the direct url that they will see on firebug.
I just wanted to know if there is already a standard procedures in applying ajax based data post.
But with ajax based select / fetch is cool and very useful.
Currently this is what I am planning on doing on my registration page.
validate that all request's must come from my registration page.
might use a transaction / request code
might use cookie
might use session
might use date time comparisson
if validation fails I should have a form validation on server side
to clean my the posted data before inserting to db
Never trust a UI.
Whether you do an Ajax post or a standard post, people can figure out what you are posting and create their own client. Even if you use https, the person controlling the browser can see what is posted and decipher the protocol.
You need to create your service so that it is not vulnerable to a user handcrafting a client.
If a user can use their browser to register on your site via Ajax, they can spoof the registration using some other programming language. There isn't anything you can do to make it so they can only register from your site via Ajax.
You can implement tricks to make it difficult for them to figure out, but you can't make it impossible. They can spoof the referrer, load other pages to get the required cookies/session variables, spoof Ajax request headers etc.

Jquery form doesn't show submission message on web server but it shows submission message on local host

i am messed up with a strange problem. My Form works fine on local machine but when i upload this to some web server, it does not work fine . Without uploading online, when i add some values and click Submit. It shows ThankYou message. But When it is uploaded, after adding any value, when some values are added and Submit pressed, values are entered to database but it doesn't show Thankyou message rather it just remains as it is. Please, suggest some solution. What should i do to make it work fine online ?? Should i send the single HTML file that contains the form ? Have a look at form here: http://dl.dropbox.com/u/33855631/lon_dec/form.htm
i also tried it by uploading to different servers like bluehost etc but no solution.
You're indeed making a cross-domain request (to http://www.londondeclaration.com/wp-admin/admin-ajax.php), which your browser doesn't allow. Either host the front-end and back-end on the same domain, or (if that's not possible) host a proxy to the external source on your own domain.
As #PPvG already mentioned this looks like cross-domain scripting. In general, it is possible to perform croos-domain scripting, but you must set the according HTTP headers as specified here. That's what happens in detail:
user accesses a web page on DomainA including some JavaScript (i.e. jQuery)
user submits button and jQuery fires request to your server on DomainB
result is returned to the users browser, but per plicy the client forbids the scripts from DomainA to examine the response retrieved from DomainB. It's important to understand that security is enforced on the client.
How to solve the problem: Your application on DomainB must set the correct HTTP response header, so that the browser allows your jQuery script from DomainA to work with the response from DomainB:
Access-Control-Allow-Origin:DomainA
This may still not work in all situations. I.e. Internet Explorer does enforce fairly rigid rules when it comes to HTTPS, if I remember correcly cookie management is a problem as well.
EDIT: In Google Chrome you can easily see that this is the problem:

Login to different site

I would like to enable an "auto login" button for my users. By pressing the button the users will be logged in to a different site with the username and password that I have added inside the code.
My site uses php and this site is written on asp.
Is this possible?
Thanks in advance
You'd have to use CURL in PHP in order to send the POST data to your ASP script in the remote site.
Nevertheless, the ASP site might have some inner-validations which can lead to refuse your request, it's worth a try, though!
To set CURL to user POST, check out the setopt CURL function options, you have to set the CURLOPT_POST option to TRUE, but you might find that (depending on the ASP site), you need to activate/deactivate other options.
Cheers!
This depends on the website you're trying to login to.
In a website not using a key-based system for each visitor this can be achieved pretty easily.
First navigate to the page yourself that contains the login form and show it's page source.
Jot down every <input>-tag's name and value and determine which one is the username & password. Also note the form's action to see where the data is going towards.
Now you can use curl to send a user to the website, just inject the post data and apply your own username & password to it.
A. If you don't own the remote site:
Have you tried to post your authentication parameters directly to the ASP.net page? Then you could also try using CURL but either way, be rest assured that the site owner might lock you out anytime by implementing simple CSRF protection.
B. If you own the remote site:
You can share sessions with a unique key using a common database.

What Differences Are There Between Form Submissions and cURL Requests?

I'm trying to submit data to SalesForce.com, but I'd like to do it through AJAX. Since there are restrictions to deter XSS, I'm having jQuery use AJAX to submit to a PHP page on my server and then having that page simply forward the formdata it's passed along to the proper URL.
If I submit the form with JS turned off, everything goes through fine. If I turn it on, Salesforce confirms receipt of the data (in debug mode), but it's not showing up in my queue, or anywhere really, in SF. SF spits back all of the fields it was passed, and it's spitting back every field that I have in my form, properly filled out.
Are there any differences between submitting something through this method (jQuery's $.ajax() to PHP cURL) and through the native HTML Submit button? Something that could be causing SF to register the data, but register it differently? I've tried adding CURLOPT_HEADER/CURLOPT_HTTPHEADER information
Well, the only thing that's different that you can't fake is the IP address of the request. Depending on how tough the protection is that salesforce is using, you may not be able to spoof from a separate IP address (it would detect and deny the request).
Everything else should be 100% fakeable (headers, etc). What I would suggest is that you get firebug or TamperData and look at the raw headers being sent to salesforce from your browser normally. Then replicate that exact request from PHP. If you need other information, you could detect it in JS and pass it to PHP (Cookie information, browser info, etc)...
$.ajax() transmits cookies from the client browser; and it also adds a "X-Requested-With: XMLHttpRequest" request header.
Maybe try adding the (external) IP address of the machine that is running the php code to the list of trusted networks in salesforce. Login to salesforce, and go to setup -> security controls -> network access, and add the IP there.
I ran into a similar problem and had to add the ip address of the server that was running the java app that connected to sf and this fixed the problem for me.

PHP login form on local site to access asp.net remote site

Is this possible?
I want to have a PHP login form on my website. When the user enters a username and password and clicks submit, they should be directed to a remote website logged in (therefore skipping the login form on the remote site).
As mentioned in the title, the remote site is built using ASP.NET.
I've tried to search for a solution this but really not finding anything so some help and advice would be welcome.
Thanks, Mark.
I've had the same situation where I needed to post a remote form. If I remember correctly,I did the following:
create http handler (I used Zend_Http for this).
first fetch the page via GET.
search response for all form elements and their values.
set those values in the http handler.
set your own values (such as username/password).
execute POST
asp.net apps create forms that are a bit ugly. They use a lot of hidden values in their forms (at least in my situation). There is a change you need to enable cookies.
Hope this helps.
Do you own the remote site ?
If no, the only solution is to submit the remote form with curl, by posting via POST/GET the right parameters. You have to check the html source of the remote form to know what parameters you have to pass.
Nethertheless, this solution will be broken as soon as the remote website will implement some CRSF protection on their forms.
Have you tried to post directly to the ASP.NET form from your php script?

Categories