Passing Credit Card Information via AJAX - php

I am wondering if this is a secure way to process credit card information. The site uses PHP and IS using an SSL Certificate, but instead of submitting a form and getting $_POST variables, I want to try to use JQUERY AJAX and communicate with the user whether their information was approved or not. But I am worried about whether this method is secure. An example of my code is below.
$.ajax({
    type: "POST",
    url: "ajax_process_credit_card.php",
    data: { cardnumber: cardnumber, cardexpmonth: cardexpmonth, cardexpyear: cardexpyear, chargetotal: chargetotal, ordertype: ordertype },
    success: function(msg) {
        // success already runs once this request has completed, so the check does not need
        // an ajaxComplete wrapper (that would also re-run it on every later request on the page).
        if (msg == 'APPROVED') {
            complete_registration();
        }
        else // ERROR?
        {
            var error_message = msg;
            // the server response is inserted as HTML; use .text() unless the server returns trusted markup
            $('#error_message').html(error_message);
        }
    }
});
Would this be ok?

As long as you use HTTPS it doesn't really matter. Just ensure you use POST so the data never appears in an access log.
Note that you should get PCI certified if you are dealing with credit card data. Or maybe let another company deal with it and avoid all the trouble.

The AJAX methods are actually doing an HTTP POST behind the scenes, as your type is set to POST.
Be sure to do all connections over HTTPS.

If you are posting to the same site and you are posting to https, not to the http equivalent then I don't see how it could be any less secure.

Assuming that the URL of your page was served over HTTPS and that the URL your AJAX query is requesting is also served over HTTPS, the communication should be just as secure as it would be if you were using a normal postback to that same URL.
Just make sure that the URL you're posting to is served over HTTPS. On the server side you could also check that the request was made over HTTPS and reject any requests that were not.
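As an added example (not code from the question or any of the answers), a server-side sketch of the ajax_process_credit_card.php endpoint the question posts to, applying that HTTPS-and-POST check before any field is looked at; the function names are assumptions, four-digit expiry years are assumed, and the processor call is a placeholder.

```php
<?php
// PHP sets $_SERVER['HTTPS'] to a non-empty value other than "off" on TLS requests.
function is_https_request(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Luhn check: catches typos before anything reaches the processor; it is not proof of validity.
function luhn_valid(string $number): bool
{
    $digits = preg_replace('/\D/', '', $number);
    if (strlen($digits) < 12 || strlen($digits) > 19) {
        return false;
    }
    $sum = 0;
    for ($i = strlen($digits) - 1, $double = false; $i >= 0; $i--, $double = !$double) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
    }
    return $sum % 10 === 0;
}

// Returns null when the posted fields look acceptable, otherwise the message shown in #error_message.
function validate_card_post(array $post, int $year, int $month): ?string
{
    if (!luhn_valid((string) ($post['cardnumber'] ?? ''))) {
        return 'Card number failed validation';
    }
    $m = (int) ($post['cardexpmonth'] ?? 0);
    $y = (int) ($post['cardexpyear'] ?? 0);   // assumed four-digit year
    if ($m < 1 || $m > 12 || $y < $year || ($y === $year && $m < $month)) {
        return 'Card expiry is invalid or in the past';
    }
    if (!preg_match('/^\d+(\.\d{1,2})?$/', (string) ($post['chargetotal'] ?? ''))) {
        return 'Invalid charge total';
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    if (!is_https_request($_SERVER) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(403);
        exit('HTTPS POST required');
    }
    // Placeholder: hand the validated fields to the payment processor and echo its verdict.
    // Never log $_POST in this script: it contains the card number.
    echo validate_card_post($_POST, (int) date('Y'), (int) date('n')) ?? 'APPROVED';
}
```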

Disable cURL reading

Someone is reading my page through cURL.
How can I disable its access to my page through cURL?
He is using this method to read my page:
function ajax() {
    $.ajax({
        type: "POST",
        url: "../ajaxupdate.php",
        data: { link: "58699768" }
    }).success(function(msg) {
        $('#postcontent').html(msg);
        ajax();   // immediately issues the next request, so the page polls continuously
    });
}
ajax();
It would be very difficult because cURL offers tons of options and therefore may bypass pretty much any security, unless you ask for a captcha or login/password with active cookies and sessions. Two things you could do are:
1. Block the IP in any way you like, in the script or using iptables.
2. Kill the script when you see his user agent so he/she gets nothing.
But as I said, there are millions of ways to bypass those: proxies, switching user agents and anything in between.
You can filter the connection of the annoying client by checking $_SERVER['HTTP_USER_AGENT'].
If it contains the string curl just return a blank page.
E.g.
// the header may be absent entirely, so check it exists before matching
if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match('/curl/i', $_SERVER['HTTP_USER_AGENT']))
    return;
Obviously it is not a 100% safe method since curl can set a custom User-Agent into HTTP headers.

Asking data in AJAX

I tried these two pieces of code but they are not functioning. I only want to ask for the data output from another domain, from http://vrynxzent.info/hello.php
first code
$.post("http://vrynxzent.info/hello.php", function(e) {
    alert(e);
});
second code
alert(askData());
function askData()
{
    var strUrlList = "http://vrynxzent.info/hello.php";
    var strReply = "";
    jQuery.ajax({
        url: strUrlList, success: function(html) { strReply = html; }, async: false
    });
    return strReply;
}
Is there another way for this? Or is it possible to do this? I want the "Hello World!" output to be stored in a variable in JavaScript.
Same old same origin policy.
The most common way to solve this is to do the query in the back-end (PHP in your case). I.e., the browser sends an ajax request to your host, which sends a request to the other domain, receives the response and sends it back to the browser.
There are also some options if you own that other domain. JSONP, for example.
Edit:
Forgot to mention, this jQuery plugin allows cross-domain requests through YQL. Tried it myself.
http://james.padolsey.com/javascript/cross-domain-requests-with-jquery/
It doesn't work in all cases (in particular, if webmaster has banned robots from his site), but it's still fairly simple and usable.
Because of the same origin policy you cannot make ajax requests like this to some other domain.
I would suggest using a proxy in between.
For that, what you have to do is have a script proxy.php on your own domain, and then your ajax request will be
$.post( 'proxy.php' )
Then proxy.php would send a request to http://vrynxzent.info/hello.php using curl and send you back the response.
By default this does not work because of the "Same Origin Policy."
There are workarounds... see: http://www.ajax-cross-domain.com/

Posting information and retrieving results using Ajax

I would like, using (Ajax) PHP or Javascript, to post information to http://en.lernu.net/cgi-bin/vortaro.pl and then read the results back (not from lernu.net).
I am trying to learn Ajax, PHP + Javascript. Nobody there knows how to help me. I would very much like to do this without touching Lernu's code, so if there is a way to do it all in my code, that would be great!
You need to proxy the request due to browsers preventing cross-domain ajax calls.
You can either do this with a PHP page on your site or configure url rewrite rules for your webserver.
You may be able to do a simple post to your url with jquery in the following way:
$.ajax({
    type: "POST",
    url: "http://en.lernu.net/cgi-bin/vortaro.pl",
    data: "name=John&age=21",
    success: function(msg) {
        alert("Data Posted to server: " + msg);
        // you may additionally call other javascript methods here to do modifications to your page based on your request
    }
});
jQuery is an excellent framework for javascript and I would highly recommend using it for most of your functionality. You might want to read up a bit about javascript and then start up with jquery.
You need to write a PHP script in your domain that forwards your POST to http://en.lernu.net/cgi-bin/vortaro.pl, then forwards their response back to the client.
You can then send an AJAX POST to your server with jQuery.

Cross Domain Ajax Request with JQuery/PHP

Help, if you can-
The situation:
http://foobar.com includes a remotely hosted javascript file (http://boobar.com/stuff.js).
The goal is to just get an alert from the remotely hosted php script on foobar.com
I have tried the following code in stuff.js:
$.ajax({
    type: "GET",
    url: "http://www.boobar.com/script.php?callback=?",
    dataType: 'jsonp',
    success: function(result) { alert(result); }
});
No luck.
$.getJSON("http://www.boobar.com/script.php?jsonp=?",
    function(data) { alert(data); }
);
Also no luck.
On the php side I have tried both the following:
return json_encode(array(0 => 'test'));
echo json_encode(array(0 => 'test'));
In Firefox I get a security error. I understand that it thinks I'm violating the security model. However, according to the jquery documentation, I should be able to accomplish this.
The error seems to be a security feature of the Same Origin Policy: to simplify, you can only make AJAX requests for stuff on the originating server (http://foobar.com). One way around this is to make a simple facade on the originating server, e.g.:
<?php
// this file resides at http://foobar.com/getstuff.php
// pass this script's own query string through to the remote script
// (the remote host is fixed here; only the parameters come from the browser)
$possibly_some_other_GET_parameters = http_build_query($_GET);
echo file_get_contents('http://www.boobar.com/script.php?'
    . $possibly_some_other_GET_parameters );
?>
Then, from foobar.com, you can make an AJAX request for http://foobar.com/getstuff.php (which in turn makes a HTTP GET request from your web server to boobar.com and sends it back to the browser).
To the browser, the request goes to the origin server, and is allowed (the browser has no way of knowing that the response comes from somewhere else behind the scene).
Caveats:
the PHP config at foobar.com must have allow_url_fopen set to "1". Although this is the default setting, some servers have it disabled.
the request to www.boobar.com is made from foobar.com server, not from the browser. That means no cookies or user authentication data are sent to www.boobar.com, just whatever you put into the request URL ("$possibly_some_other_GET_parameters").
You can get data from another server asynchronously using script tags and json:
<script type="text/javascript" src="http://somesite.com/path/to/page/"></script>
You can use this to dynamically load a remote javascript (by creating a new script element and setting the src attribute, then loading it into the DOM), which could set a variable. However, you need to really trust the remote site, because the JS will be evaluated without any precondition.
There is a method called window.name transport or window.name method which uses a general browser bug (not sure if this is a bug actually). You make the request through an iFrame and the loaded page puts the information you need into the "name" property of its own JavaScript window object.
This method uses a "blank.htm" since it first navigates to the target page and then goes back to the blank.htm page to overcome the "same origin policy" restriction.
Dojo has implemented this and you can find a more detailed explanation here.
Also I have implemented a cross-domain XMLHttpRequest object based on this method in the library I have written which can be found here.
You may not be able to use the library since it will need 1 or 2 additional libraries which can be found here.
If you need further help in implementing it in your style, I'll try to do my best.
So what I ended up doing, since it was just a GET and no data needed to be retrieved: I used jQuery to create a hidden iframe with the URL, including the variables I wanted to pass, set as the source. Worked like a charm. To all who provided feedback: Thanks!
How about this! Using a PHP proxy.
Cross-Domain AJAX calls using PHP
http://www.phpfour.com/blog/2008/03/cross-domain-ajax-using-php/
jQuery .ajax also has a setting 'crossDomain'.
http://api.jquery.com/jQuery.ajax/
crossDomain (default: false for same-domain requests, true for cross-domain requests)
Type: Boolean
If you wish to force a crossDomain request (such as JSONP) on the same domain, set the value of crossDomain to true. This allows, for example, server-side redirection to another domain. (version added: 1.5)
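The server side the question's JSONP attempts were missing, as an added example that is not code from the question or any answer: jQuery replaces the "?" in "callback=?" (or "jsonp=?") with a generated function name and expects the response body to call that function, so a bare json_encode() is never picked up. The callback name is validated before it is echoed, because otherwise that parameter is reflected straight into executable script. Function names are assumptions.

```php
<?php
// Returns the response body, or null when the requested callback is not a plain JS identifier.
function jsonp_body(array $query, array $payload): ?string
{
    $json = json_encode($payload);
    $callback = $query['callback'] ?? $query['jsonp'] ?? null;
    if ($callback === null) {
        return $json;   // ordinary JSON for callers that did not ask for JSONP
    }
    // jQuery's generated names look like jQuery17201234567890123_1300000000000; dots are
    // allowed so a namespaced function such as app.onData also works. Anything else is refused.
    if (!is_string($callback) || !preg_match('/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/', $callback)) {
        return null;
    }
    // A leading comment is a common hardening so the body cannot be mistaken for another file format.
    return "/**/{$callback}({$json});";
}

// JSONP is script, not JSON, and should be labelled as such.
function jsonp_content_type(array $query): string
{
    return isset($query['callback']) || isset($query['jsonp'])
        ? 'application/javascript; charset=utf-8'
        : 'application/json; charset=utf-8';
}

if (PHP_SAPI !== 'cli') {
    $body = jsonp_body($_GET, [0 => 'test']);   // the same payload the question tried to return
    if ($body === null) {
        http_response_code(400);
        exit('invalid callback name');
    }
    header('Content-Type: ' . jsonp_content_type($_GET));
    header('X-Content-Type-Options: nosniff');
    echo $body;
}
```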

Safe JavaScript that calls PHP script that calls external web service

I have a PHP page that needs to make a call to an external web service. This web service call takes a bunch of sensitive data from an HTML form on the PHP page, e.g. SSN, and returns info related to that person.
The problem is that the web service call should be made as soon as the customer fills in the SSN field and the field loses focus, so the page cannot be reloaded in any way. I was thinking about using jQuery to make a call to the web service, but AJAX unfortunately requires that you are on the same domain as the requested resource. So I'm thinking about creating a local PHP page that makes the call to the web service and then using jQuery to call this new page.
Questions:
How do I use JQuery to call the local PHP script that makes the call to the web service?
Because the JQuery code will take sensitive data from a html form and send it to the PHP script, how can I encrypt the data?
To call your PHP file:
var url = "http://localhost/data.php";
var params = {
    "SSN": theSSN
};
$.get(url, params, function (data) {
    // Do whatever you need here, once the data arrives.
});
To call the external webservice from PHP, I'd suggest using cURL.
To encrypt, I'd suggest using the HTTPS protocol instead of encrypting manually from JavaScript.
1) $.get("myscript.php", function(response) { alert(response) });
2) I wouldn't encrypt using jQuery, it would be slow and easy to decrypt. Enabling SSL on the server would be a better solution.
1: Ajax request example:
$.ajax({
    type: "GET",
    url: "http://yourdomain.com/yourpage.php",
    success: function (msg) {
        // does something (as a line comment the brace on the same line would be swallowed)
    }
});
More details here
2: PHP XOR is a pretty good encryption algorithm, I use it myself for a project with sensitive data. You can find the function here.
Enjoy! :)
This probably won't help you in particular, but some webservices support something called JSONP, which adds a callback name to a normal JSON request.
However, chances are you will need to make some sort of local proxy, as not many JSONP services exist yet.
The way to go is enabling SSL on your domain, and doing the xmlHTTPRequest to the https of the remote service
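The local forwarding script that several answers on this page recommend (proxy.php for hello.php, the facade for vortaro.pl, and the data.php that relays the SSN to the external web service), as one added example that is not code from any question or answer. It accepts a same-origin POST, keeps only allowlisted fields, and forwards them with cURL to one fixed upstream URL over HTTPS with certificate verification on, so the script cannot be turned into an open proxy. The upstream URL and the field names are assumptions.

```php
<?php
const UPSTREAM_URL   = 'https://upstream.example/cgi-bin/service';   // placeholder, not a real service
const ALLOWED_FIELDS = ['name', 'age'];                               // the fields the page's jQuery example posts

// Keep only allowlisted string fields so the browser cannot push arbitrary data upstream.
function filter_fields(array $post, array $allowed): array
{
    $out = [];
    foreach ($allowed as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $out[$key] = $post[$key];
        }
    }
    return $out;
}

// Forwards one POST and returns [http status, body]. The URL is fixed by the caller, never by the client.
function forward_post(string $url, array $fields, int $timeout = 10): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,            // a redirect must not change the destination
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse anything but HTTPS on the outbound leg
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => $timeout,
    ]);
    $body = curl_exec($ch);
    $status = $body === false ? 502 : (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$status, $body === false ? 'upstream request failed' : $body];
}

if (PHP_SAPI !== 'cli') {
    // Inbound leg must also be HTTPS and POST; the SSN never belongs in a query string or access log.
    $https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
    if (!$https || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(403);
        exit('HTTPS POST required');
    }
    [$status, $body] = forward_post(UPSTREAM_URL, filter_fields($_POST, ALLOWED_FIELDS));
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $body;
}
```

The browser-side call is then the same-origin `$.post('proxy.php', { name: 'John', age: '21' }, ...)` from the answers above, with no cross-domain request involved.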