PHP Problem - When inserting </ to the database it renders as a code - php

Hey,
I own http://ilikeyou.tk/ which is a facebook like website.
Basically, users can add a phrase and/or a photo and like it on facebook.
Recently, when I tested a few things I found out that when I insert </
in the text box and create the page, it messes up the like list.
(You can try posting </ and going back to homepage, scroll down to 'Recent Like' and watch it)
On sites like Twitter and Facebook this stuff never happens, so there might be a solution.
Any suggestions?
P.S.
Also, when I try to insert the photo link (http://profile.ak.fbcdn.net/hprofile-ak-snc4/188178_139794909415037_3755895_n.jpg) the whole index page goes down (I can still go to like pages like ilikeyou.tk/1/ but can't access ilikeyou.tk ...).
When deleting the link from the database it's all working fine again.
P.S.2
Sorry for my bad English.
Thanks in advance.

You need to call htmlspecialchars on all data coming from your database before displaying it on your page. Failure to do so not only causes problems such as the one you see, but it is also a big security issue: it allows cross-site scripting (XSS) attacks on your application.
So if you have $phrase coming in from anywhere (not only your database), it's wrong to do this:
echo $phrase;
You have to do this instead:
echo htmlspecialchars($phrase);
You can search SO or Google for "XSS" or "cross site scripting" for more information.

Well of course. I could also be inputting this into your text field:
<script type="text/javascript">
window.location = 'http://mysite.com';
</script>
This would steal all your visitors and send them to my site.
You cannot trust user input. Ever. And you should never trustingly insert user input into other content unsanitized. I hope you're at least aware of SQL injection?
For output into HTML, you can either remove anything that looks like a tag using strip_tags or escape characters that have a special meaning in HTML using htmlentities. Possibly you should use a mix of both.
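As an added illustration (not code from the question or either answer), here is how the 'Recent Like' list would be rendered with the escaping both answers recommend, fed with constructed rows that include the "</" phrase and the script payload from the thread; the helper names e() and renderRecentLikes() and the /1/ link format are assumptions:

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or the answers above.
// Every value read from the database is escaped with htmlspecialchars()
// at the moment it is written into HTML, never before it is stored.

/** Escape one value for use as HTML text or inside a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // attributes quoted either way; 'UTF-8' removes any encoding ambiguity.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the list markup from rows as they come out of the database. */
function renderRecentLikes(array $rows): string
{
    $html = "<ul class=\"recent-likes\">\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "  <li><a href=\"/%d/\">%s</a></li>\n",
            (int) $row['id'],   // cast: an id is never interpolated as text
            e($row['phrase'])   // escape: the phrase is chosen by the visitor
        );
    }
    return $html . "</ul>\n";
}

// Constructed sample rows standing in for a SELECT from the phrases table.
$rows = [
    ['id' => 1, 'phrase' => 'Hello World'],
    ['id' => 2, 'phrase' => '</'],
    ['id' => 3, 'phrase' => "<script type=\"text/javascript\">window.location = 'http://mysite.com';</script>"],
];

echo renderRecentLikes($rows);
// The second item renders as &lt;/ and the third as inert text, so neither
// can close the list's tags or run in the visitor's browser.
```

strip_tags() removes markup but leaves whatever remains unescaped, so it is not a substitute for escaping at output time. A value that is placed in an href or src attribute, such as the photo link, should additionally be checked for an http or https scheme before it is escaped and emitted.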

Related

Putting html <a> into mysql table text field - url injection?

This is an awkward question but I am helping edit a site and there are some text fields in the MySQL table that I wanted to edit. One of the edits I wanted to do was add a hyperlink.
So I went ahead and put in <a href = " etc. etc." </a>. When I save it and view the website, the website injects the site's URL before my link breaking the link.
e.g. I am working on www.example.com, trying to insert a hyperlink to www.google.ca.
It will output as www.example.com/www.google.ca instead of www.google.ca.
I am pretty new to PHP/MySQL so I'm not sure if this is common or what is causing this. I tried looking at the file itself and the CSS to see if there was something causing this. I am not sure if this is even a normal thing or if there is a workaround for it that I'm unaware of.
If anybody has ideas on where I should look (if they suspect it's the site that's injecting it), please let me know.
As I mentioned in the comments above already:
Google
is a relative url and will output as http://yoursite.tld/www.google.ca
Google
will output as a correct link.

Prevent User from entering values into URL

I have a PHP website based on CodeIgniter. It uses Model View Controller and has articles. Each article has an id and is displayed by the Articles controller. Once an article is displayed the URL looks like http://localhost/ci/articles/show_article/245. Now the problem is anyone can enter numbers like 246, 123, 222 and view the articles at random. I am not comfortable with this. I want readers to go the way things are organized in the site and want to stop them from directly accessing the articles from the URL.
How can this be achieved in PHP / CodeIgniter?
This cannot be done. You cannot control what a user types into the web browser.
You can't control the user outside the browser area, and if you could, you should not.
Alternatively, you could use encoded article ids by your own pattern to make it unpredictable. When these encoded article ids are received, decode them back and show the articles accordingly.
It's impossible to do this, and there's also no reason that you should be uncomfortable with it. You can't prevent client-side requests. I think anyone trying to use your site properly (assuming it is set up properly) won't try to go through articles out of order.
If you absolutely must, what you can do is something like set a _SESSION flag for what articles they have visited and if they try to get to one out of order, redirect them.
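One way to implement the session check that last answer describes, added here as an example rather than code from the thread. The check runs on the server, which is the only place it can live since the id in the URL is typed by the visitor; the $ordering list, the session key and the helper name are assumptions:

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or the answers. $ordering is
// assumed to be the site's own list of article ids in the intended reading
// order; the values below are constructed samples.

session_start();

/**
 * May article $requested be shown to a session that has already viewed
 * the ids in $visited? The first article is always allowed; any other
 * article requires its predecessor in $ordering to have been viewed.
 */
function articleAccessAllowed(array $ordering, array $visited, int $requested): bool
{
    $pos = array_search($requested, $ordering, true);
    if ($pos === false) {
        return false;                       // not an id we publish at all
    }
    return $pos === 0 || in_array($ordering[$pos - 1], $visited, true);
}

$ordering  = [245, 246, 123, 222];          // constructed sample ordering
$visited   = $_SESSION['visited'] ?? [];
$requested = (int) ($_GET['id'] ?? 0);      // CodeIgniter passes this as the method argument

if (!articleAccessAllowed($ordering, $visited, $requested)) {
    // Out of order (or unknown): send the reader to the start of the sequence.
    header('Location: /ci/articles/show_article/' . $ordering[0], true, 302);
    exit;
}
if (!in_array($requested, $visited, true)) {
    $_SESSION['visited'][] = $requested;    // remember it for the next request
}
// ... load the article from the model and render the view as usual
```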

price comparison website - crawler

I have got a price comparison website.
You can click on a link of an offer and I'll get $1 from the shop.
The problem is: crawlers crawling the whole website. So they "click on the links".
How can I prevent them from clicking? JavaScript is a bad solution.
Thank you!
I've been thinking about this the wrong way.
I agree with everything that #yttriuszzerbus says above - add a robots.txt to the file, add "rel=nofollow" to links, and block the user agents that you know about.
So if you've got someone who's now trying to click on a link, it's either a live person, or a badly behaved bot that you don't want clicking.
So how about doing something strange to create the links to the shop sites? Normally, you'd never, ever do this, as it makes your site impossible to index. But that's not an issue - all the well-behaved bots won't be indexing those links because they'll be obeying the robots.txt file.
I'm thinking of something like not having an <a href= tag in there - instead, generate the text of the link adding underlining to the font using a stylesheet, so it looks like a link to a normal user, and then having a javascript onClick function that redirects the user when they click on it. Bots won't see it as a link, and users won't notice a thing.
You could:
Use "rel=nofollow" to instruct crawlers not to follow your links.
Block certain user-agent strings
Use robots.txt to exclude spread of your site.
Unfortunately, none of the above will exclude badly-behaved crawlers. The only solution to actually prevent crawlers is some kind of JavaScript link or a CAPTCHA.
I also have similar project.
My problem was solved only by blocking certain user-agent strings.
Another problem is that I don't know every "bad" user-agent, so when a new crawler enters the site, I add it to the blacklist and retroactively remove its visits from statistics.
"rel=nofollow" and robots.txt do not work at all for me.

I'm not sure if I should use a redirect

I have an affiliate link on my webpage. When you click on the link it follows the href value which is as follows:
www.site_name.com/?refer=my_affiliate_id
This would be fine, except that the site offers no tracking for the ads, so I can't tell how many clicks I am getting. I could easily implement my own tracking by changing the original link href value to a php script which increments some click stats in a database and then redirects the user to the original page. Like so:
<?php
// Do database updating stuff here
header("Location: http://www.site_name.com/?refer=my_affiliate_id", true, 302);
exit; // stop here so nothing else is sent after the redirect header
?>
But I have read some articles that say that using redirects may be seen by Google as a sign of 'blackhat' techniques and they might rank me lower, unindex my site or even hurt the site that I'm redirecting to.
Does anybody know if this is true, or have any idea of the best way I could go about this?
Many thanks in advance
Joe
You could always do what Google does with search results. They have the link href normal, until the mousedown event. something to the effect of:
adlink.onmousedown = function(e) {
var callingLink = this; // the <a> element this handler is attached to
var tracker = 'http://mysite.com/adtrack_redirect_page.ext?link=';
if (callingLink.href.indexOf(tracker) === 0) return; // already rewritten by an earlier mousedown
// encodeURIComponent rather than the deprecated escape(), so the href survives as a query value
callingLink.href = tracker + encodeURIComponent(callingLink.href);
}
Or something like that :P
So, Google will see a normal link, but almost all users will be redirected to your counter page.
Using a 301 redirect simply tells Google that the website is permanently moved. It should have, according to most random people on the internet and according to Google itself, no effect on your page-rank.
Actually I've read (can't remember where exactly) that this kind of redirect DOES HURT your rating. No, it won't "kill" your website nor the referenced one, as far as I know (and please do check further), but it will hurt your site's rating as I said.
Anyway I'd recommend using some JavaScript to refer anything out of your domain - something like "window.open(....)" should do the trick, as Google will not follow this code.
There, refer to your tracking script which will redirect further.
You could use a javascript onClick event to send an ajax signal to your server whenever the link is clicked. That way the outgoing link is still fully functional, and your server-side script can increment your counter to track the clickthrough.
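The click-counting redirect page that the question and the onmousedown answer describe, added here as an example (not code from the thread). It adds the one check a tracking hop needs: the destination read from ?link= is matched against a fixed allow-list, so the page cannot be used as an open redirect to arbitrary sites; the affiliate URL, the SQLite DSN, the table and the function name are placeholders:

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or the answers above.

/** The only destinations this page may redirect to, keyed by a short name. */
const TRACKED_LINKS = [
    'site_name' => 'http://www.site_name.com/?refer=my_affiliate_id', // placeholder
];

/**
 * Resolve the requested destination to an allow-listed URL, or null.
 * Accepts either the short key or the exact full URL (which is what the
 * onmousedown rewrite sends), and nothing else.
 */
function resolveDestination(?string $link): ?string
{
    if ($link === null || $link === '') {
        return null;
    }
    if (isset(TRACKED_LINKS[$link])) {
        return TRACKED_LINKS[$link];
    }
    $hit = array_search($link, TRACKED_LINKS, true);
    return $hit === false ? null : TRACKED_LINKS[$hit];
}

$target = resolveDestination($_GET['link'] ?? null);
if ($target === null) {
    http_response_code(404);        // unknown destination: refuse to redirect
    exit('Unknown link');
}

// Count the click with a prepared statement, then send the visitor on.
// A 302 is the right status for a tracking hop; nothing has "moved".
$pdo = new PDO('sqlite:' . __DIR__ . '/clicks.sqlite');   // placeholder DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE IF NOT EXISTS clicks (url TEXT PRIMARY KEY, n INTEGER NOT NULL DEFAULT 0)');
$stmt = $pdo->prepare('INSERT INTO clicks (url, n) VALUES (:u, 1)
                       ON CONFLICT(url) DO UPDATE SET n = n + 1');
$stmt->execute([':u' => $target]);

header('Location: ' . $target, true, 302);
exit;
```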

problem with ajax( page refresh)

Hi, I'm using AJAX to extract all the pages into the main page, but I am not able to control the refresh. If somebody refreshes the page, it returns back to the main page. Can anybody give me any solutions? I would really appreciate the help...
You could add an anchor (#something) to your URL and change it to something you can decode to some particular page state on every AJAX event.
Then in body.onload check the anchor and decode it to some state.
The back button (at least in Firefox) will be working alright too. If you want the back button to work in IE6, you should add some iframe magic.
Check various JavaScript libraries designed to support the back button or history in an AJAX environment - this is probably what you really need. For example, the jQuery history plugin.
You can rewrite the current url so it gives pointers to where the user was - see Facebook for examples of this.
I always store the 'current' state in PHP session.
So, user can refresh at any time and page will still be the same.
"if somebody refreshes the page returns back to the main page can anybody give me any solutions"
This is a feature, not a bug in the browser. You need to change the URL for different pages. Nothing is worse than websites that use any kind of magic either on the client side or the server side which causes a bunch of completely different pages to use the same URL. Why? How the heck am I gonna link to a specific page? What if I like something and want to copy & paste the URL into an IM window?
In other words, consider the use cases. What constitutes a "page"? For example, if you have a website for stock quotes--should each stock have a unique URL? Yes. Should you have a unique URL for every variation you can make to the graph (i.e. logarithmic vs linear, etc)? Depends--if you don't, at least provide a "share this" like Google Maps does so you can have some kind of URL that you can share.
That all said, I agree with the suggestion to mess with the #anchor and parse it out. Probably the most elegant solution.