Is there any way to detect in PHP is GET request made by embed src in browser?
<img src="xxxxx.php">
I was trying use "REFFER", but it's very not good solution.
I don't know lot about http, but maybe if browser use tag, it send header accept image or anything like this what i can read in php ?
I just want create script what will display picture if embed, but if open in browser in normal way, like url it will redirect user to other page.
Is there any way to detect in PHP is GET request made by embed src in browser?
No.
If you hide your files in a folder outside the root, created a PHP file that all images routed through (image.php?lovely_duck.jpg) and then looked for $_SERVER['HTTP_REFERER'], that would be possible. But you can forge $_SERVER['HTTP_REFERER'] and it isn’t always reliable.
If you’re trying to find a way to stopping people getting your images, they’ll always find a way.
You can (but i would NOT suggest it) check the Accept header.
If the request was triggered by an <img src=... it should NOT contain "text/html".
Also described here
But again: i would not suggest using this.
At the moment that will break the download image functionality in firefox and possible other browser.
Additionally it won't prevent "evil guys" to download all your images because they simply can set the required HTTP header.
Related
I have a rotator link and I dont want to allow people to open it in iframe.
How to stop php process in iframe?
header("X-FRAME-OPTIONS: DENY");
does not work in firefox and chrome. my link is (EDITED)
Check the Access-control-allow-origin header.
It allows you to control which domain can access or frame your scripts.
You can choose between 3 values :
Only from the same domain
Only from a domain listed on a list you made
From anyone (wildcard)
Since PHP is never in an iframe but executed on the server side there is no way to reliably know if the request originated from an iframe on your site of not.
If your intention (which is not quite clear) is to make sure people don't put an iframe of your site on another site, then you can check for the referrer of the request etc. But most of it can be spoofed.
Update due to comment:
Then there is unfortunately no good standardized way of getting this type of information reliably. If you yourself had an iframe on your site and for some reason didn't want that to be able to call your script you could probably do this by adding some GET parameters via javascript or something. But since you have pretty good control over your own iframes this shouldn't be a problem.
But when it comes to determining of the request from the browser to your server originated in an iframe or not there is no information in the HTTP header to disclose this. The only thing you could possibly be informed about is if that iframe is from a page hosted on another domain.
But if you have an iframe on your own site, don't add any extra parameters to the request and access your script in it and then normally from the browser's main window the two requests will look the same on the server.
I'm not completely sure if I understand your question, but here's a list of things:
If you want to stop your page being loaded in an iframe, there's not easy way of doing that, if the browser is ignoring X-Frame-Options: DENY.
If you have a link the user can click that opens in the iframe, not the parent frame, you can use the base html tag, to specify to the browser to open any links you click in the parent frame, with <base target="_parent" />
If you want to redirect automatically, and that causes an issue when loaded in an iframe because you use headers to do it or something, you could probably use the base tag and some javascript to automate clicking on the link as an alternative
I want to load external websites inside div and make it a bit smaller to accommodate inside div more properly.
just like Google search do
I tried this:
$("#targetDiv").load("www.google.com");
but it is not working.
I tried iframe but it has still 2 problems:
scrolling is still enabled by pressing arrow keys & PGUP PGDOWN
how to make contents inside iframe smaller
Don't know which method i should use
which is more optimized
or any alternative?
What you're trying to do is not going to work. Unfortunately, JavaScript isn't allowed to make cross-domain requests for security reasons (reference: http://en.wikipedia.org/wiki/Same%5Forigin%5Fpolicy).
If you create a script written in PHP that resides on your own server that submits the request, that could work but the user wouldn't have a valid session and there's a risk that the URL (links) from the other site won't work if they're relative.
Example:
$('#targetDiv').load('load.php?url=www.google.com')
You could also have a look at jquery-crossframe. I've never used it but it claims to do what you're looking for.
The best option is to use an iframe element.
You are not going to be able to load a cross domain ajax call like that with jquery. from http://api.jquery.com/load/
Additional Notes:
Due to browser security restrictions, most "Ajax" requests are subject to the same origin policy; the request can not successfully retrieve data from a different domain, subdomain, or protocol.
If iframe is not an option you can retrieve the data via an ajax call to a php page using curl.
Francois is right in that your ajax requests are restricted to same origin policy. That means you cannot load contents from other websites directly. What your are trying to achieve, however, is possible if your source supports JSONP. If you want to specifically load google search engine results check out Google Custom Search API
I suspect that this is impossible, but I'm trying to be optimistic...
I'm running a site that uses jquery & php. Via ajax, I'm dynamically loading images to a page. The problem is that the paths to the images are visible when you view the source of the page. I'm trying to figure out if it's possible to prevent the path from displaying? I just don't want anyone seeing those paths or being able to access them. So, I don't know if there's some sort of magical programming solution or something to do with htaccess, but if anyone knows how to accomplish this, I'd appreciate pointers / links / or brilliance...
As the browser needs to know where to fetch the data from, it cannot be hidden easily.
But you can it make the "attacker" a little bit harder. E.g., you can give URLs with a script behind loading the given images. The script does so only if called with the correct Referer: header.
Are Data URIs an option for you?
If not, preventing hotlinking (via Referer) would be the way I would do it, possibly with some obfuscation (depending on your user base).
Everything that's visible to the browser is visible to the clever user in one way or the other
You can hide them from lamers, but not from programmers
Anti-lamer techniques can include:
1) setting data-mangled-src attribute to something like ROT13(real-src), then doing
$('img').each(function () { $(this).attr('src', ROT13($(this).data('mangled-src')))})
2) setting some data-id attr, then AJAX-requesting the src from the server
But anyway, the URL goes to the browser, then it's visible to the user
3) And, of course, you can load your images into flash 'viewer', which is probably the most advanced way of hiding them
So... If you make the load path an internal link in php Requested through Ajax that should hide the path in network inspector... By this I mean maybe query a db that generates a temp path to the image that expires...
Then with the loaded image you could save it a canvas element... Thus no src
There are a few ways you can go about hiding image URLs.
Use a plugin: you can use flash, a java applet, etc to load the images
Use a traffic cop: you can set the source of all the images to a single PHP script, with some kind of parameter to specify which image you want. That script can check sessions variables / referer / whatever you want; if everything checks out, you can do a file_get_contents() to load the actual url of the image, then echo that out to the browser.
I've created a website to help you hide the image src of your precious photos and images.
My website will hide the source path of your image, and it also allows you to 'Lock' your photo to a specific domain eg. example.com so that the photo will only display example.com and not on facebook.com or wherever the link to the photo is reposted.
http://hideimgsrc.com
It's easier and faster than a java script based solution.
I know of a few ways (i know there is probably more) to open a file in a browser after the user clicks on a link,
Use PHP headers to simulate a file download
Use an <a> tag to redirect the user to the path of the file
Use javascripts window.location to point to the file location
Iframe tag
Object tag
What is the most efficient, cross browser, or nicest way to open a file in a browser? Or, what do most companies use?
Well personally the best method is to create a script called download.php and then send the file hashes to that, Imagine you had a directory layout like so:
/downloads/
/2010/
/abc8755ghc7659c75678bf78968.file
/abc8755ghc7659c73278ef78998.file
/abc8755ghc7659c75678bf78968.file
/2009/
/abc8755ghc7659c75678bf78968.file
/abc8755ghc7659c75678bf78968.file
And then you had a script called download.php, You can then validate the users information to protect your actual files for scrapers etc.
Storing the files with no extension is ok, just as long as when the file is uploaded you can all the information and store it within your database, so that when we send the file we have the Content-Type, Extension, Original File Name, etc so we can send correctly
The reason for the hashing is that that parsers and scrapers can easily find the actually file on the server, so if a scraper look around your site and then has seen a title called My ebook 2010.pdf, He would not be able to download it form your server like http://mydomain.com/downloads/My ebook 2010.pdf as the file does not exists, it exists in http://mydomain.com/downloads/abc8755ghc7659c75678bf78968.file
Security is always the best measure, Also using PHP Would be able you to validate the actual user before your application decides weather the file should be sent or should b edenied
PHP Example script would be like so:
include 'all.the/files/needed.phhp';
if(!logged_in())
{
header('Location: /');
exit;
}
$FileRequest = FileRequest::getInstance();
$User = User::getInstance();
if($FileRequest->isValid)
{
if($user->canDownload($FileRequest->GetDatabaseID()))
{
$FileRequest->SendFile();
exit;
}
}
This way you can control download being sent, you never reveal your file location, and fiels are stored with a hash that would be hard to find.
All three will work. But, if you want to prevent outside domains (search engines, etc.) from accessing your files, you should use PHP:
getfile.php?id=1 OR getfile.php?name=file.txt
and check the HTTP_REFERER to make sure the request is from your domain.
Because different computers have different plugins, and different browsers and operating systems. If you want to be consistent, my recommendation is your first option, using headers to specify content disposition forcing the file to be downloaded. This will prevent inconsistency where some files open inside the browser, some open in a 3rd party external program.
This is also referring to files that are non images, such as PDF's. You should open images inside the browser. Non-flash movies are questionable as well.
Using download file is the most efficient, cross browser way!
The PHP method you described is just simulating a redirect which would achieve the same thing!
Javascript is the least accessible for people with javascript turned off!
Use an tag to redirect the user to the path of the file
This one. Give me a link I can click on to open using an in-browser handler. Or, so I can right-click on it and save it to my hard drive.
I'd say the best way is to link to the file using an <a> tag setting the attribute target="_blank" that way if the users machine supports opening the document in the browser it will do so. If not it will be prompted to download the file.
How to hide an iframe url in HTML source code.I have two applications one applications get an url of another application into its iFrame,so that it displays in its source code.I dont want to display another application url in the source code.
I think you would need to set the IFRAME URL via JavaScript. The Javascript could then be Obfuscated, so that the URL would not be in plain text... Please see the following link for the obfuscator:
http://www.javascriptobfuscator.com/Default.aspx
i.e. if it was jQuery...
$("#myiFrame").attr('src','http://www.google.com');
becomes:
var _0xc1cb=["\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x67\x6F\x6F\x67\x6C\x65\x2E\x63\x6F\x6D","\x61\x74\x74\x72","\x23\x6D\x79\x69\x46\x72\x61\x6D\x65"];$(_0xc1cb[3])[_0xc1cb[2]](_0xc1cb[0],_0xc1cb[1]);
You can't hide it per say, but you can run it through something like TinyURL so that anyone interested would need to go an extra step. Anyway, that's the only thing I can think of. However, if you are displaying that page in a frame, what's the harm in having the URL in the source code? There really isn't a good, foolproof way to prevent someone determined from finding out the location of that iframe page.
You can create a php script which uses curl to call the url through localhost, then use this script as your iframe source.
If you have an issue with relative links and sub-directories, you can put your curl script inside the sub-directory.