As far as I know, a trackback is a recognised standard ping for a custom URL, right?
So, according to this, how can I retrieve how many trackbacks for ?? and the URL of those 'trackbacks'?
I never worked with those before; if possible I'd like to know how to do it in PHP or, if possible, in JS.
Any tip or clue would be welcome.
You must define an entry point, in all your pages, that will receive all the trackback requests. The Trackback specification does it like this:
<rdf:RDF xmlns:rdf=""
dc:title="Foo Bar"
trackback:ping="" />
Where <rdf:RDF></rdf:RDF> is where you declare that this page uses Trackbacks and the parameters inside <rdf:Description /> are specific to your page. dc:identifier is your exact page URL and trackback:ping is the Trackback entry point.
There is no way in JS, as a client-side language, to store the trackback count for each page, so the trackback:ping should be a PHP script that checks the title from the request query and stores it somewhere (DB, file, log...)
I made this VERY simplified Trackback entry point:
$theUrl = $_GET['url'];
if (!$theUrl) {
    exit; // no URL in the ping, nothing to record
}
$theUrl = Sanitize::clean($theUrl, SQL); // Your anti-SQL injection method
$theId = getIdFromUrl($theUrl);
And, last but not least, it is important to bear in mind that the Trackback protocol is very prone to SPAM, as this answer states: Trackbacks in PHP
So on my site ( I have a page that parses the API and pulls back the images off their akamai CDN and displays them on the page.
The thing is all the images are served on HTTP ONLY, https is not supported.
I have an image proxy written in php:
header('Content-Type: image/png');
if(isset($_GET['img'])){echo file_get_contents($_GET['img']);}
This works perfectly; however, it is NOT secure at all. I want it so that only my server can use the image proxy, and as such a hash in the URL might be the best option?
I had thought of using:
Then my problem turned to: how do I put the private key in the JavaScript code without the whole world having access to it?
Any help much appreciated.
I have since written this script that is somewhat effective but still open to being circumvented:
$args = $_GET['q'];
$date = date('m-d-Y-h-i', time());
list($hash,$img,$auth) = explode("/", $args);
if($hash=="need" && $auth=="key"){
$checksum = md5($img.$date);
echo $checksum;
header('Content-Type: image/png');
echo file_get_contents('' . $img);
This can be called like so:
The auth code can then be plugged in to display the image:{code-here}/76030502.png
However it doesn't take long for someone to figure out they can set up a script to poll for a key every minute - any advice?
Generate unique tokens. You're on the right track with a hash, but if you keep your private key constant, it'll eventually get brute-forced. From there, rainbow tables say hi.
You're effectively going to have to borrow a leaf or two from mechanisms used to prevent CSRF abuse, as you're effectively trying to do the same thing: limit the user to one query per token, with a token that cannot be regenerated by them.
There are tons of ways to do this, and the usual trade-off is between efficiency and security. The simplest is what you've suggested - which is easily brute-forceable.
At the opposite end of the spectrum is the DB approach - generate a unique token per visit, store it in a DB, and validate subsequent calls against this. It is pretty DB-intensive but works out relatively well - and is virtually impossible to break unless the token generation is weak.
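One way to keep the key out of JavaScript entirely, as an added example that is not part of the original question or answer: the server signs each image link with an HMAC while rendering the page, and the proxy only serves links whose signature and expiry check out. This is a stateless variant of the token idea rather than the per-visit DB token described above; the function names, the `img`/`exp`/`sig` parameters, `/proxy.php` and the `IMG_PROXY_KEY` environment variable are assumptions.

```php
<?php
// Added example: function names, parameter names and the key source are assumptions.
const TOKEN_TTL = 300; // seconds a signed link stays valid

function proxy_key(): string {
    // The key stays in server-side configuration; it is never sent to the browser.
    $key = getenv('IMG_PROXY_KEY');
    return $key !== false && $key !== '' ? $key : 'constructed-demo-key';
}

// Run while rendering the page: builds the link that goes into <img src="...">.
function sign_image_link(string $img, ?int $now = null): string {
    $exp = ($now ?? time()) + TOKEN_TTL;
    $sig = hash_hmac('sha256', $exp . '|' . $img, proxy_key());
    return '/proxy.php?' . http_build_query(['img' => $img, 'exp' => $exp, 'sig' => $sig]);
}

// Run by the proxy: accepts only an unexpired link that this server signed.
function verify_image_request(array $q, ?int $now = null): bool {
    [$img, $exp, $sig] = [$q['img'] ?? '', $q['exp'] ?? '', $q['sig'] ?? ''];
    if (!is_string($img) || !is_string($exp) || !is_string($sig)) {
        return false;
    }
    // A bare file name only, so a request can never name another host, scheme or path.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)$/', $img)) {
        return false;
    }
    if (!ctype_digit($exp) || (int)$exp < ($now ?? time())) {
        return false;
    }
    $expected = hash_hmac('sha256', $exp . '|' . $img, proxy_key());
    return hash_equals($expected, $sig); // constant-time comparison
}

// Self-check with constructed values (file name taken from the question).
$link = sign_image_link('76030502.png', 1000);
parse_str((string)parse_url($link, PHP_URL_QUERY), $q);
$cases = [
    'valid'    => verify_image_request($q, 1100),
    'expired'  => verify_image_request($q, 2000),
    'tampered' => verify_image_request(['img' => '76030503.png'] + $q, 1100),
];
var_export($cases);
```

The proxy script would call `verify_image_request($_GET)` first and then fetch the file name from one hard-coded upstream host, so the request never supplies a full URL to `file_get_contents()`.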
I have a music player that links to a song using the following syntax:
Is there any way that I could have that executed server side and then be displayed like (see below) for the user?
While searching, I ran across this...I like the idea behind having an external file that has the
// get-file.php
// call with:
$id = (isset($_GET["id"])) ? strval($_GET["id"]) : "1";
// lookup
$url[1] = 'link.mp3';
$url[2] = 'link2.mp3';
header("Location: $url[$id]");
then using: as the link...the only problem is that when you type the user goes straight to the there any way to disable that ability...maybe some code on get-file.php itself?
Ok, so I did a combination of things that I am satisfied with...although not completely secure, it definitely helped me obscure it quite a bit.
First of all, I am using the AudioJS player to play music - which can be found:
Basically what I did was:
Instead of using "data-src" as the path to my songs I called it "key", that way people wouldn't necessarily think it was a path.
Instead of using "my-song-title" as the name of the songs, I changed it to a number like 7364920, that way people couldn't look for that in the source and find the url that way.
I added + "mp3" to the javascript code after all of the "key" variables, that way I would not have to declare it in the obfuscated link.
I used a relative path like "./8273019283/" instead of "", that way it would be harder to tell that I was displaying a url.
Added an iTunes link to the href, that way people might get confused as to how I was pulling the file.
So, now my inline javascript looks like:
<script type="text/javascript">
$(function() {
// Play entire album
var a = audiojs.createAll({
trackEnded: function() {
var next = $("ul li.playing").next();
if (!next.length) next = $("ul li").first();
audio.load($("a", next).attr("key") + "mp3");;
// Load the first song
var audio = a[0];
first = $("ul a").attr("key") + "mp3";
$("ul li").first().addClass("playing");
// Load when clicked
$("ul li").click(function(e) {
audio.load($('a', this).attr('key') + "mp3");;
My link looks like:
When you load it up in the browser and you view the source you'll see:
Then when you use Web Inspector or Firebug you'll see:
Falling - *which doesn't completely give the url away
Basically what I did was make the link look like it's an api-key of some-kind. The cool thing is that you can't just copy the link straight from view source or straight from Web Inspector/Firebug. It's not fool-proof, and can definitely be broken, but the user would have to know what they're doing. It keeps most people away, yet still allows the player to get the url it needs to play the song :)
*also, I got the PHP obfuscate script from somewhere on Stack Exchange, just not sure where.
Instead of doing a header redirect, add proper headers and include the audio file in your PHP code. Then, in your .htaccess file, you can disallow access to the directory where your audio files live.
If you are using the Amazon S3 service you can use signed URLs for your files. It will be safer, as you have to be a signed user and the URL can also expire. Read this.
No. This is not possible since it is the browser that interprets the HTML to make the page work properly. So if the client (browser) does not know where the mp3 is coming from then it will not be there to use.
On the other hand, if you want to have the music switch songs by clicking a link then I suggest you look into some tools like
EDIT: The only way to probably prevent direct access to the file itself would be to read the file in instead of linking to it from the script. For instance on my image hosting site and if you were to look at the actual file path on my server, the file CVN5Qm.jpg is out of view from the public_html folder. There is no way to directly access the file. I use databases to take the image id, look up where it is stored, and then readfile() it into the script and display the proper headers to output the image.
Hope this helps
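A sketch of the read-the-file-in approach described in the answers above, as an added example that is not code from any of the posts: the id is checked against a server-side lookup, the file is resolved inside a directory the web server does not expose, and the bytes are streamed with `readfile()` instead of a `Location` redirect. The directory path is an assumption; the ids and file names reuse the question's lookup table.

```php
<?php
// Added example: MEDIA_DIR is an assumed path outside the document root.
const MEDIA_DIR = '/srv/media-private';

// id => file name, kept server-side (the question's lookup; a DB table works the same way).
const TRACKS = [1 => 'link.mp3', 2 => 'link2.mp3'];

// Resolve a request id to a file inside $dir, or null when it is not a known track.
function resolve_track($id, string $dir = MEDIA_DIR): ?string {
    if (!is_string($id) || !ctype_digit($id) || !array_key_exists((int)$id, TRACKS)) {
        return null; // unknown ids never reach the filesystem
    }
    $base = realpath($dir);
    $file = realpath($dir . '/' . TRACKS[(int)$id]);
    if ($base === false || $file === false) {
        return null;
    }
    // Containment check: the resolved file must still sit under the media directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Stream the file through PHP instead of redirecting the browser to its URL.
function send_track(string $file): void {
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . filesize($file));
    header('X-Content-Type-Options: nosniff');
    readfile($file);
}

$file = resolve_track($_GET['id'] ?? null);
if ($file === null) {
    http_response_code(404);
    exit;
}
send_track($file);
```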
I use http_referer and I can control the origin of the link
// key.php
// call with:
if ($page_refer=="")
$id = (isset($_GET["id"])) ? strval($_GET["id"]) : "1";
// lookup
$url[1] = 'link1.mp3';
$url[2] = 'link2.mp3';
header("Location: $url[$id]");
I'm building a sort of analytics platform for fun this weekend and here is my desired effect.
User visits
Client sends Server via javascript id: 12345, and browser information. Server responds with a new id (ex: #23456), which is then pushed onto the current url (pushstate)
I was thinking of some kind of script that the Client includes from the Server that communicates with the server's backend, but is that not technically XSS and unsecure? How do analytics people (Google, GetClicky, etc) do it?!
How can I achieve this like analytics sites do so the internet gods don't get mad at me for XSS, while still maintaining security and ease of implementation? One included source.
I'd love anything you can do to point me in the right direction.
With jsonp. The idea is that the source of a script tag is the code you want to execute:
<script type="text/javascript" src="" />
edit: Yes, you create the script dynamically similar to an ajax response:
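function getResponse(id){
    var scrpt = document.createElement("script");
    scrpt.src = "" + encodeURIComponent(id);
    document.head.appendChild(scrpt); // the browser fetches and runs the response
}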
Inside your php page:
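$id = $_GET['id'] ?? '';
header('Content-Type: application/javascript');
echo 'alert(' . json_encode($id) . ');'; // json_encode keeps the id a string literal instead of raw script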
Something of the sort, anyway.
edit: completely forgot, but the point of jsonp is that you pass in a callback function. See here for some php documentation:
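The callback handling mentioned in the edit above, as an added example that is not the answerer's code: because the response is executed as script on the including page, the endpoint accepts only a plain identifier as the callback name and emits the data through `json_encode()`. The `callback` parameter name, the payload fields and the random id scheme are assumptions.

```php
<?php
// Added example: parameter names and the id scheme are assumptions.

// Build the JSONP body for a callback name and payload, or null if the name is unsafe.
function jsonp_body(string $callback, array $payload): ?string {
    // Allow only a plain (optionally dotted) identifier so the caller cannot inject script.
    if (!preg_match('/^[A-Za-z_$][\w$]{0,63}(\.[A-Za-z_$][\w$]{0,63})*$/', $callback)) {
        return null;
    }
    $json = json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        return null;
    }
    // The leading comment keeps caller-chosen text from being the first bytes of the response.
    return '/**/' . $callback . '(' . $json . ');';
}

$callback = $_GET['callback'] ?? '';
$previous = $_GET['id'] ?? '';
$body = jsonp_body(is_string($callback) ? $callback : '', [
    'previous' => is_string($previous) ? $previous : '',
    'id'       => bin2hex(random_bytes(8)), // new visit id chosen by the server
]);
if ($body === null) {
    http_response_code(400);
    exit;
}
header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $body;
```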
I am being forced to work with a database company that only support ASP.NET, despite my employers being well aware that I only code in PHP and the project doesn't have the time to learn the new syntax.
Documentation is scant, and meaning is thin on the ground. Can someone help translate what is happening in this script, so that I can think about doing it in PHP?
QES.ContentServer cs = new QES.ContentServer();
string state = "";
state = Request.Url.AbsoluteUri.ToString();
QES.ContentServer cs = new QES.ContentServer();
the code instantiates the class method ContentServer()
string state = "";
Explicit the type var state as string
state = Request.Url.AbsoluteUri.ToString();
Here you get the REQUEST URI (as in PHP), the path, convert it to a one-line string and put it in the aforementioned string state var
and here return the message without refresh the page (ajax).
The Request object wraps a bunch of information regarding the request from the client i.e. Browser capabilities, form or querystring parameters, cookies etc. In this case it is being used to retrieve the absolute URI using Request.Url.AbsoluteUri.ToString(). This will be the full request path including domain, path, querystring values.
The Response object wraps the response stream sent from the server back to the client. In this case it is being used to write the return of the cs.GetXhtml(state) call to the client as part of the body of the response.
QES.ContentServer appears to be a third party class and is not part of the standard .NET framework so you would have to get access to the specific API documentation to find out what it is for and what the GetXhtml method does exactly.
So, in a nutshell, this script is taking the full URI of the request from the client and returning the output from the GetXhtml back in the response.
It would look like this in PHP:
$cs = new QES_ContentServer(); //Not a real php class, but doesn't look like a native ASP.NET class either, still, it's a class instantiation, little Google shows it's a class for Qwam E-Content Server.
$state = ""; //Superfluous in PHP, don't need to define variables before use except in certain logic related circumstances, of course, the ASP.NET could have been done in one line like "string state = Request.Url.AbsoluteUri.ToString();"
$state = $_SERVER['REQUEST_URI']; //REQUEST_URI actually isn't the best, but it's pretty close. Request.Url.AbsoluteUri is the absolute uri used to call the page. REQUEST_URI would return something like /index.php while Request.Url.AbsoluteUri would give
//$state = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; or something similar might be better in this case given the above
echo $cs->GetXhtml($state); //GetXhtml would be a method of QES.ContentServer, Response.Write is like echo or print.
I want to connect to public facebook page or group and list all entries from the wall on a personal website. I will use PHP on my server so that would be the best solution for me. Or javascript.
Could anyone explain or perhaps give a working code on how to do this? Or just all steps necessary for making this?
If it's possible to handle information about person, date, description ... for each post, that would be great! So my layout could be customized.
Thanks for helping me out here!
You need to run FQL on stream table and provide id of a page or group you are interested in as source_id (fb docs have some explanation and examples). Once you get stream data you can dig deeper and get user who left this post or any other data you need again through FQL.
There are many ways of running FQL - it could be done in JS API, PHP API, or through old REST API.
use the facebook graph api urls that they provide
python code using simplejson parser
keyword="old spice"
json = simplejson.loads(pageData)
for p in posts:
In JavaScript (jQuery).
You can use my spare access_token for viewing public groups or pages ;)
To get your own access token the facebook graph explorer can generate one for you (as well as test queries).
In Javascript we make a request to facebook graph, which returns a JSON object. The response looks like this.
The code below iterates through each entry and prints out the message. If you look at the link above, it gives you the naming convention for the other data fields.
for example:[0].created_time;[0];
Hope that Helps!
<!DOCTYPE html>
<script src=""></script>
<ul id = 'list'>
var graphQuery = '';
var authToken = '145634995501895|477bb3c939123a5845afe90d.1-100002565213903|F1VA26jsYL7yBeq2iU6SZX_XXrs'
var url = graphQuery +'?access_token='+ authToken +'&callback=?';
for( i=0; i <; i++){
$("#list").append('<li>'+[i].message +'</li>');
// add some more here if needed
What you are talking about, as far as I can tell, is Web Scraping. What you would do is get the URL of the group, use the file_get_contents($url) command in PHP to get the file, and then analyze it in PHP.
I'd suggest brushing up on your regular expressions for this, as it'll be important to review the HTML that Facebook uses for the wall posts. You'll be able to get the information that you're looking for from the HTML.
I would post some example code, but that's on another computer, far far away. Still, should be a good start.
Edit: Adding in some example code:
$URL = ""; // (or whatever the URL structure is for the facebook group)
$groupPage = file_get_contents($URL);
Here's the link to the PHP pages on Regular Expressions: