I'm trying to code with the facebook API
here it says : http://developers.facebook.com/docs/authentication/javascript
to get the access_token thing, but it's after a # and not a ?
so how can I get it ?
http://www.example.com/callback#access_token=...&expires_in=...
You won't be able to do it in PHP - you can only access it in javascript - the fragment/hash never reaches the server, it is processed by the browser
in Javascript, you can access the fragment using
window.location.hash
The fragment identifier is only used client side. The browser doesn't send it to the server, so you can't access it with PHP.
To quote the page you link to:
Your JavaScript library can read the token from the URL and store it in a cookie for future use.
You have to use JS to read it before it can be sent to the server.
Related
when use GET Method for receive JSON data , we can acsses the result directly from web browser , for example i send a mydata value from ajax to a main.php file and it process and get answer show a result some thing like below :
<?php
if (isset($_GET["mydata"])) {
if ($_GET["mydata"]=="hello"){
echo "hello world";
}
}
?>
but when a user call it in browser directly like http:mysite.com/mydata.php?mydata=hello recive answer . i want dont allow users to get answer of http request directly , and just can show it from ajax result of main page is it possible ?
You're asking how to prevent an ajax-only request from being accessed directly by copy-pasting the URL into the web browser; that is, only allowing the URL to be accessible via ajax on the main web page.
Well, there are a few things you can try:
Check the Referrer for the URL of the main page with $_SERVER['HTTP_REFERER']
Set a header in Javascript using xhr.setRequestHeader() and then ensure it's value by checking for $_SERVER['HTTP_X_....'] in PHP
Like Jay Bhatt recommended, check for the X_REQUESTED_WITH header, but be aware this might not always be set (see: X-Requested-With header not set in jquery ajaxForm plugin)
However, in any of these situations you should be aware that anyone who knows what they are doing can easily set any HTTP header, variable, or even modify the referrer which is sent to the server. As such, there is no 100% guarantee that your resouce can be accessed only via AJAX on the main web page. There is no control built in the internet to verify where a request is coming from, so anyone can easily spoof or fake it.
I have a URL of the form:- http://www.sboxeppp.com:88/phones.php?iden=true#6786
Now i want to retrieve number (6786) followed by # in server side. How can i do that?
anything behind the hash can only be accessed by client side scripts, since it won't be sent to the server you can use the parse_url() function
more here: http://php.net/manual/en/function.parse-url.php
You cannot do that. The part of the url after the hash is called a fragment, and it does not get sent to the server. It's only available to client scripting.
The only way that you could do this is by retrieving the fragment from JavaScript (using window.location.hash) and communicating this information to the server with an AJAX request specifically made for this purpose. Of course this means that the server will have to render the page first and get notified of the fragment later, which is a totally different workflow than what you want.
You can't do that, because it's a directive for browser only. You can use AJAX requests to send the required info to server.
Right, it didnt let me post that as an answer -
var hashNumber = window.location.hash should work.
hashNumber = hashNumber.substring(1)
See:
How can you check for a #hash in a URL using JavaScript?
Use parse_url:
parse_url('http://www.sboxeppp.com:88/phones.php?iden=true#6786',
PHP_URL_FRAGMENT);
Notice that the fragment doesn't get sent to the server if it's in the form's target property. Instead, just write the information in the fragment in a hidden element, like this:
<input type="hidden" name="_fragment" value="6786" />
And read the fragment from $_POST['_fragment'].
If the fragment is generated client-side (or somehow determined by the user), you'll have to create that element on the client. You can access the current fragment in JavaScript with window.location.hash.
I'm using some PHP pages do some AJAX stuff but I don't want them to be directly accessible. Facebook does a similar thing so for example: domain.com/ajax/my_ajax_form.php
If I was to load that page using AJAX it would work fine, but if a user were to try and loading the file directly by typing in that url it would do through an error so e.g.
if( IS FILE LOADED DIRECT? )
{
header ( HTTP/1.0 404 );
}
This isn't possible. You cannot rely on $_SERVER['HTTP_X_REQUESTED_WITH'], and even if you could, it doesn't matter. Anyone can send the same request to your server that your browser does, via POST or GET.
What you should do is validate the request, and return the proper result if it is valid. If it is invalid, do not return a 404. (Browsers can cache errors like 404. If your client-side code had a trouble, subsequent requests may fail!) If the request is invalid, return an error of some sort.
Again, it is impossible to secure stuff like this. You should be validating the session and request data. That's all.
You can look for the HTTP_X_REQUESTED_WITH header.
$is_ajax = array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER)
&& $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
if (! $is_ajax) {
die('go away.');
}
Note, though, that it's not standard, but needs to be set explicitly on the requesting side. AFAIK, at least jQuery and Mootools set it though, probably most others as well, but don't take my word for it.
Simplest way is to only access that page via POST, and not via GET. Though keep in mind - if a browser can do it - then a hacker can too.
You have to use session variables, or more generally, cookies.
With cookies: (set in JavaScript)
JavaScript: Set token in cookie
JavaScript: Make XMLHttpRequest
Server side: Check token from cookie
Server side: Return JSON output or error message
Please note that this is no way secure! This just prevents easy linking.
With session variables: (cookies set in server side)
Server side: Authenticate user, set privileges
JavaScript: Make XMLHttpRequest
Server side: Check privileges
Server side: Return JSON output or error message
This method is as secure as the user authentication is.
I want to post to an external php file and get the result. It a php that i have hosted in my server online. I want the static page in my localhost post by ajax and load the html in a div. But I'm not able to do this.
$.post("http://www.site.com/index.php", { font: "panchami", input: "hi" } );
Is there anything wrong in this?
The Same Origin Policy prevents Ajax calls to external domains.
Popular workarounds include
JSONP
Embedding the data in an iframe instead
Using a server-side proxy the does the fetching (see #BrunoLM's answer for a PHP example; it is possible in any server-side language)
YUI's Get as shown in #Alex's answer
depending on what your use case is.
Javascript doesn't allow cross domain requests.
What you can do is a PHP file on your server that reads the contents of the other site:
<?php echo file_get_contents($_REQUEST['url']); ?>
Then make requests to your file, like so:
$.post("proxy.php?url=external_url", ...);
Or using GET, for example:
http://developer.yahoo.com/yui/get/
This kind of request is dangerous, it is called a Cross-Site request and is forbidden by most browsers. If you look in your error console you should see a message to that effect.
If you really have no alternative then you can consider using iframes, the src attribute can be outside the current domain and you can parse the information using javascript.
Hope that helps :)
one of my php page returns data like this:
<?php
//...
echo "json string";
?>
but someone else use file_get_contents() to get my data and use in other website.
can anybody tell me what can i do to prevent such thing happen.
i consider if i can get the request's domain name to echo something else.but i dont know
the function to get request's domain name.and if the request is sent by a server,that
will be unhelpful. My English is poor, to express doubts, please bear with.
you can also use sessions. if somewhere in your application, before the user gets the json data, you start a session, then in this page where you are outputting json data, you can check for the session variable. this way only users that have passed the session generator page, can view your output.
suppose you have page A.php that generates the session. use this code before outputting anything in this page.
session_start();
$_SESSION['approvedForJson'] = true;
then in your page where you are outputting json data, before outputting anything, call session_start() again. the beginning of your PHP code is a good place to call it.
then before outputting the json data, check if the session variable for approved users exists, or not.
if ( isset($_SESSION['approvedForJson']) && $_SESSION['approvedForJson'] ) {
echo "json data";
} else {
// bad request
}
You can use $_SERVER['REMOTE_ADDR'] to get the address of the client address. You can also check $_SERVER['HTTP_REFERER'] and block external requests that way, but it's less reliable. There's probably a few other techniques involving $_SERVER that you can try.
Your fighting an uphill battle here. I am assuming your serverside process that responds in json is being consumed via javascript in your users browsers... so there is no easy way to encrypt it. You might try some of the techniques used to prevent xspf (see http://en.wikipedia.org/wiki/Cross-site_request_forgery ). If you developed the client to pass along some session token that is uniq per client you could reduce some of the problem. But, chances are whoever is stealing your data is gonna figure out whatever mechanism you put in place ... assuming this is some sort of ajax type thing. If its a server-server thing then as sli mentions, setting up some restrictions based on the remote ip would help, plus setting up some sort of API authentication tokens would help even more (see oauth for some pointers)
You could also using .htaccess with apache block every external request to the page if it get's called internally or block every request that is not from your domain:
Google search thingie
EDIT
You could also use some php file which includes the file which can not be read. So for example you have file.php:
<?php
$allowedFiles[] = 'somefile.php';
$allowedFiles[] = 'someotherFile.php';
$allowedFiles[] = 'jsonReturnFile.php';
if(in_array($_GET['file'], $allowedFiles)){
include( "include/".$_GET['file'] );
}
?>
Then you can allow file_ get _contents() on that file and write a rewriteRule in your .htacces to disallow any request to the include/ folder.
RewriteRule include* - [F,NC]
That will return a 403 forbidden error for a request to that directory or any file in the directory.
Then you can do you JSON request to something like: file.php?file=jsonReturnFile.php&someothherParamReadByJsonFile=1
And when someone tries to get the file contents for the JSON file they will get the forbidden error, and getting the file contents for the include.php won't return anything usefull.