I need to fetch a URL with JavaScript/jQuery and not PHP.
I've read that you could do that if you've got a PHP proxy, but that means that it is still going through PHP, because then it's still the IP of the server that is fetching it.
Could one fetch the URL entirely with only the front end, and thus fetch it with the client's IP?
There exists a Same origin policy for AJAX requests. This prevents Javascript on, say, this site, from making a request to gmail.com (with your cookies), reading your e-mails, and uploading them to the StackOverflow server. Javascript on stackoverflow.com can only make AJAX requests to pages on that domain.
As you can see, this is essential for security. Requests must instead be made by a proxy running on your web server - PHP can be used, but there are other solutions. For example, Ajax Cross Domain is an AJAX library that communicates with a Perl script running on the server to emulate AJAX requests for other domains.
It is also possible to make requests on other domains via a javascript include (script tag), image tag, etc. but in these cases you cannot read the contents of the page.
You cannot do this with an iframe either: scripts cannot see the internals of iframes unless they are on the same domain as the script.
So in short, use a proxy.
The problem is that jQuery would fetch a URL with AJAX, and AJAX won't operate cross-domain because of the potential security (as per the same-origin policy).
There are, however, ways to emulate this: if you load the page in an iframe you can retrieve the data by using innerHTML on the iframe. Here's an example script that uses jQuery: http://code.google.com/p/jquery-crossframe/
Related
I use a JSON API to get data for a website. I am aware of various methods that I could make it secure, but my situation is different from common methods.
Because of cross-domain issues, I had to create an API folder with various PHP files that do cURL requests to the RESTful API. I then request these local PHP files through AJAX on my site. On the next release it should be JSONP to avoid this issue.
Many of these JSON requests contain sensitive information so the first thing I did was check for the HTTP Referrer so people don't just grab the URL when inspecting the JavaScript code and try to run it on their browser. This is obviously not safe nor should I rely on it.
Any data I may try to post to the request will be through JavaScript so something like an API key or token would be visible and would defeat the whole purpose.
Is there a way I can prevent these PHP files from being run outside the website or something? Basically make them inaccessible for visitors?
This does not have anything to do with REST. You have a server-side REST client, in which you call the REST service with cURL, and the browser cannot see anything of this process. As long as you don't want to build your own REST service for this AJAX client, this is just a regular web application (from the perspective of the browser and the AJAX client, of course). As Lorenz said in the comment, you should use sessions as you would normally. That's all. If you want to restrict access to certain pages, you can use an access control solution, e.g. role-based access control is very common.
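One way to apply the session and role-based access control advice in the answer above, as an added example that is not from the original thread. It is a Node.js stand-in for the local PHP proxy files; the routes, the session store, the cookie name `sid` and the upstream host are all hypothetical.

```javascript
// Added illustration: the decision a local proxy endpoint makes before it
// contacts the upstream REST API. Every name below is hypothetical.
const UPSTREAM = "https://api.example.invalid"; // placeholder upstream API

// Fixed map of local endpoint -> upstream path and allowed roles. The client
// never supplies the upstream URL, so the proxy cannot be pointed elsewhere.
const ROUTES = new Map([
  ["/api/orders", { path: "/v1/orders", roles: ["user", "admin"] }],
  ["/api/reports", { path: "/v1/reports", roles: ["admin"] }],
]);

// Server-side session store: session id -> user record (constructed sample data).
const sessions = new Map([
  ["s-alice", { user: "alice", role: "user" }],
  ["s-root", { user: "root", role: "admin" }],
]);

// Pull the session id out of a Cookie request header.
function sessionIdFromCookie(cookieHeader = "") {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "sid") return rest.join("=");
  }
  return null;
}

// 404 for unknown endpoints, 401 without a valid session, 403 when the role
// is not permitted, otherwise 200 plus the upstream URL to fetch server-side.
function authorizeProxyCall(localPath, cookieHeader) {
  const route = ROUTES.get(localPath);
  if (!route) return { status: 404 };
  const session = sessions.get(sessionIdFromCookie(cookieHeader));
  if (!session) return { status: 401 };
  if (!route.roles.includes(session.role)) return { status: 403 };
  return { status: 200, upstreamUrl: UPSTREAM + route.path, user: session.user };
}

console.log(authorizeProxyCall("/api/reports", "theme=dark; sid=s-alice"));
```

The API key for the upstream service stays in the server-side code that performs the fetch; the browser only ever holds the session cookie.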
When using PHP I can use file_get_contents or cURL to get a URL.
jQuery runs on the client
In jQuery there is a function called jQuery.getJSON(). Javascript is run on the client. What server is used for the download of the JSON code of the external URL? What information does the called URL know about? Does it know of the domain? The IP of the client user? It's a client language.
Preferred for many requests
To make many requests, is it safer to do this with Javascript than PHP because it runs on every client instead of one server point?
What server is used for the download of the JSON code of the external URL?
The one that the domain name in the URL passed to that function resolves to.
What information does the called URL know about?
It is an HTTP request, like any other. The usual information will be available.
Does it know of the domain? The IP of the client user?
Of course.
It's a client language.
… making an HTTP request.
To make many requests, is it safer to do this with Javascript than PHP because it runs on every client instead of one server point?
You control the server. You don't control the client. JavaScript can be disabled. It is safer to make the request from your server.
(For a value of "safe" equal to "Less likely to fail assuming the service you are using doesn't impose rate limiting")
Because of the Same Origin Policy all requests made in JavaScript must go to the domain from which the document was loaded. It's a standard HTTP request, so the server will have the same information it would if a user was just navigating around (including cookies, etc.). From the phrasing of your question it appears you need to make requests to some external site, in which case making those requests from your server, which is not subject to such a security policy, would likely be best.
In jQuery there is a function called jQuery.getJSON(). Javascript is
run on the client. What server is used for the download of the JSON
code of the external URL? What information does the called URL know
about? Does it know of the domain? The IP of the client user? It's a
client language.
The code that runs your web browser is only on your PC, too, yet it is perfectly capable of retrieving content via the HTTP protocol from a web server, and has done so for several decades.
AJAX requests are no different. jQuery creates an XMLHttpRequest object that performs an HTTP request in a manner uncoupled from the general page context. As far as the server's concerned, it's just an HTTP request like any other.
The text contents of the result you get back happen to be written in JSON format, but the HTTP layer neither knows nor cares about that.
I want to get data from other sites using JavaScript executed from my website.
The PHPJS website has some nice conversions of PHP functions into Javascript.
In general, unless they expose the data with JSON-P, you can't thanks to the security considerations imposed by the same origin policy.
Recent browsers support a permissions system where a remote site can allow JavaScript running on a remote site to make a request. Flash provides a similar system, so can act as an intermediary. Both of these require the cooperation of the remote site.
The usual work around is to use a proxy service, either running on your own system (so JS makes the request to the same server, which fetches the data from the remote site) or a third-party service like YQL.
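The same-origin rule and the opt-in permission system (CORS) described in the answers above, as an added example that is not part of the original answers. It models the browser's decision on whether script may read a response and goes slightly beyond the text by covering requests sent with cookies; the function names and sample URLs are constructed for illustration.

```javascript
// Added illustration: a model of the browser-side decision, not a browser API.
// An origin is the (scheme, host, port) triple; URL.origin drops default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// May script on `pageUrl` read the response to a request for `requestUrl`?
// `headers` holds the remote server's response headers with lower-case names
// (constructed input). The request itself may still be sent; only reading the
// response is what the policy blocks.
function scriptMayRead(pageUrl, requestUrl, headers = {}, withCredentials = false) {
  if (sameOrigin(pageUrl, requestUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: "cross-origin, remote site did not opt in" };
  }
  if (withCredentials) {
    // With cookies attached the wildcard is rejected, and the remote site
    // must also send Access-Control-Allow-Credentials: true.
    if (allowOrigin === "*") {
      return { allowed: false, reason: "wildcard not valid with credentials" };
    }
    if (headers["access-control-allow-credentials"] !== "true") {
      return { allowed: false, reason: "credentials not allowed by remote site" };
    }
  }
  if (allowOrigin === "*" || allowOrigin === new URL(pageUrl).origin) {
    return { allowed: true, reason: "remote site opted in" };
  }
  return { allowed: false, reason: "remote site allows a different origin" };
}

// The scenario from the first answer: a page on stackoverflow.com asking for
// gmail.com with the user's cookies, where gmail.com has not opted in.
console.log(scriptMayRead("http://stackoverflow.com/q/1", "https://gmail.com/inbox", {}, true));
```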
Javascript is limited by the same-domain security policy. The only way to get data from other sites is to use JSONP or build a proxy on your own host that lets you curl content from other sites.
Use jQuery:
$.post('http://some.website.com/file.js', function (result) {
    alert(result);
});
You may not fetch anything but JavaScript or JSON.
Or try this answer: How do I send a cross-domain POST request via JavaScript?
It has to be done server side - send an ajax request, run the PHP you want, and check the responseText property to see the results.
That really depends on what you mean by "data". Try using AJAX if it's just for simple requests.
I've got two servers running JSP and PHP. I'd like the PHP page to call the JSP page to get an output. I tried using simple Ajax and jQuery Ajax, but it doesn't seem to work. Why?
You can't use AJAX cross-domain due to security restrictions. You could send the data to a PHP script on your domain and send the POST request from there with a function like this
AJAX cannot request pages from sites that reside on different servers. This will make it a cross-site scripting attack. Hence, you have to go only through your server-side code. For PHP you can use curl to get information from other pages. You can now use the same AJAX script and link it to the PHP page containing curl. Documentation of curl can be found by googling it.
I'm wondering what effect loading an external page with PHP has on a site's analytics. If PHP is loading an external page, and not an actual browser, will the JavaScript that reports back to Google Analytics register the page load as a hit?
Any JavaScript within the fetched page will not be run and therefore have no effect on analytics. The reason for this is that the fetched HTML page is never parsed in an actual browser, therefore, no JavaScript is executed.
Curl will not automatically download JavaScript files the HTML refers to. So unless you explicitly download the Google Analytics JavaScript file, Google won't detect the Curl hit.
Google offers a non-JavaScript method of tracking hits. It's intended for mobile sites, but may be repurposable for your needs.
You're misunderstanding how curl/file_get_contents work. They're executed on the server, not on the client browser. As far as Google and any regular user is concerned, they'll see the output of those calls, not the calls themselves.
e.g.
client requests page from server A
server A requests page from server B
server B replies with page data to server A
server A accepts page data from server B
server A sends page data to client
Assuming that all the requests work properly and don't issue any warnings/errors and there are no network glitches between server A and server B, then there is absolutely no way for the client to see exactly what server A's doing. It could be sending a local file. It could be executing a local script and sending its output. It could be offshoring the request to a server in India which does the hard work and then simply claims the credit for it, etc...
Now, you CAN get the client to talk to server B directly. You could have server A spit out an HTML page that contains an iframe, image tag, script tag, css file, etc... that points to server B. But that's no longer transparent to the client - you're explicitly telling the client "hey, go over there for this content".