Hi everyone!
Im working on a google map project where the user can type in a address and gets the result of nearby restaurants ploted on a google map.
So far no problems. I've created a ajax call where the backend outputs and xml and then with jquery I create the markers.
But now to my problem.
With this ajax solution anyone can easily with firebug or other webdeveloper tool access the xml result that contains all names, latitudes, longitudes of the restaurant I have.
I want to somehow protect the data that is showed.
How can I do this?
How can I plot google map markers with php without jquery? Can it be done?
thx in advance!
Google Maps Markers for an interactive map (using a the GMap2 object in the API) must be created on the client side (in Javascript) and are therefore vulnerable to reverse engineering the data.
If you want to generate the map data on the server, then you are limited to static functionality on the client. You can use the Google Static Maps API to build a URL on the server, which includes the information about the markers you want to display and the region that the static map will show. This approach sacrifices some usability for the client (no dynamic zooming, panning, marker popups etc...) to protect your data.
N.B. A determined engineer will still be able to access your data (albeit with some difficulty) by:
Parsing your static maps URL to determine the map region
Analyzing the image data to find markers and determine their locations.
The only way to protect the data is to render the map before sending it to the browser. Doing that will take most or all the cool features of google maps away since you'd have to display just an image.
Any data that is accessable by google maps is accessable by someone with firebug.
Some things you can do to make life difficult for someone trying to grab your data:
In your server code, examine the headers to see if the request came from your client page. If the request came from anywhere else, return nothing.
Encode the data that you return from the server. Decode it as late as possible in your client code, so that you only have the plaintext for one restaurant in Javascript variables at any one time. That way someone with Firebug can only directly read one restaurant at a time.
Have your server only return a limited number of locations at once, even if somebody uses Firebug to change the request parameters so that it asks for restaurants within a huge radius. That way they can only grab the cyphertext for that many locations at once to paste into their own code in which they've placed a copy of your decoding function.
Instead of grabbing the cyphertext for even that limited number of locations in a single call, send multiple requests that each return a very small number of locations, with an extra parameter specifying which chunk of restaurants is requested.
Its not foolproof, but for someone to grab substantial quantities of your data will either take them a long time, or require fairly sophisticated attack techniques, such as spoofing the request headers.
Simple answer - you can't.
Long answer
You could draw an image overlay on server-side, kinda like Wikipedia overlay in Google maps, but I don't think it's worth the effort.
You could also store a key in php session and pass it to JavaScript on initial page load and then don't return the data if data isn't requested trough Ajax with the correct key (which is unique per browser session). This would just protect you from simple bots which don't support cookies. More mess then gain.
Also remember that if someone were to write competing site using your server as data-source then they would still have to tunnel Ajax requests trough their own server because you can't do cross-domain requests with JavaScript therefore you would see a lot requests from same IP (their web-server) in your web-logs and you could easily ban that IP. (Unless they download all at once and then serve from their own server).
And is it really necessary? It's not like restaurant locations are top secret.
Related
my question for professionals I think may be stupid but I had a problem which regards to search for my solution for my problem. Technically I am developing social networking site and I want to integrate Google Map API and my question is, is there any way that I can download the crop image so that it stores to my server so that my web server doesn't need to request to Google Server again. If not, can you give an alternative solution that may fit to may problem and If yes can you give a hint or tip which it could possibly usable to my development process. I am newly in such Web API. Thank you. Regards
try to use something like this
<img src="https://maps.googleapis.com/maps/api/staticmap?center=-15.800513,-47.91378&zoom=11&size=200x200&sensor=false">
will look like
Using the static map api it will return you an img, then you can save it easily as a normal image, but my recomendation is just to have columns with the user's location stored in your database, the address or the coordinates (lat,lng).
Later on when you want to display the map just request it from google using the staticmap or the javascript v3 API.
Advantages:
You save bandwidth and storage space
Easier maintaining of your database and or files structure
Google's server probably has better response time and speed than yours
More dynamic: reverse-geocoding the location or using the coordinates you can display the static map, the normal map (which is not hard, I can tell you), Street View, Google earth and probably a lot of other stuff
You are not going against the Rules
Disadvantages:
Google's daily limits, which are up to 2500 or 1000 requests per day and 10 per second, you can look it up I don't remember. But, if you use tha JavaScript v3 to display the map, the prints are counted on the browser, so it would be 1000(in the worst case) prints per browser(per ip actually), so that means that each user can print 1000 maps per day. It's not really a problem, if your site gets that many views you are doing great xD
Right now I'm working on a service that handles reviews/recommendations of local restaurants overlayed on Google Maps. Basically Yelp, but restricted to a certain niche. Anyhow, since I don't want to have to load every location and review at once, I'm finally getting into using jQuery and AJAX calls.
The question I have is: How do I prevent other people from 'scraping' data from my ajax scripts on the server?
The main map/location info functionality needs to be public, in that users should not have to log in to use the application, so it may simply boil down to making it difficult to scrape. I'm hoping that one of you AJAX veteran out there can point me in the direction of a better idea, or some 'best practices' docs that I haven't been able to find yet.
So far all I've been able to come up with is:
The user-facing scripts open a short-lived session on the server and the AJAX calls will not run without an active session.
Send some sort of access key along with the application code and require that in all of the AJAX calls. But not sure how to best implement this in a way that's not trivially easy to get around.
You can't completely protect your AJAX web services. Even if you mangle your data and obfuscate your source code, it is trivial to just fire up a packet sniffer or debugging proxy, figure it out, and scrape from it.
What I would do is exactly what you propose... only users with an active session on the site can make calls. Then from there, throttle requests.
Even a busy normal user won't make more than a handful of requests per minute. You can analyze your logs to figure out what a good number would be. Even if you limited your service to 20 calls per minute, that kind of limitation makes it fairly useless for folks that want to duplicate all of your content.
Don't limit just on session data either... keep an eye on IP addresses. It's entirely possible to fire off a request and get a new session at any time. Periodically check your logs to see if anything is getting through, and adjust your strategy accordingly.
Finally, regularly search for your content. Google is a great tool for finding copyright infringers. If you use specific data, such as GPS coordinates, you can actually watermark the coordinates with a specific value in the noise area of the coordinate.
From what I hear, you want to protect the JavaScript side of the service. This is not possible as JavaScript is essentially fully open source (albeit not public domain)
Google offers a tool called Google Closure which can compact the script by removing white space and tabs. It can also obfuscate a document for you by replacing variable names and function names with random characters. It is customizable so you can tell it what you want. From what I can tell, Google uses it for their own website (evident by viewing the source of their pages)
I had an idea for a project involving a Javascript terminal utilising a specified PHP script as a server to carry out remote functions. I understand that the same origin policy would be an obstacle with such a project, but looking at google analytics, which I use every day, it seems they have a way of avoiding the problem on a huge scale.
Google Analytics, Google AdWords and practically all other analytics/web-marketing platforms use <img> tags.
They load their JS programs, those programs handle whatever tracking you put on the page, then they create an image and set the source of the image to be equal to whatever their server's domain is, plus add all of your tracking information to the query string.
The crux is that it doesn't matter how it gets there:
the server is only concerned about the data which is inside of the URL being called, and the client is only concerned about making a call to a specific URL, and not in getting any return value.
Thus, somebody chose <img> years and years ago, and companies have been using it ever since.
The modern way to allow cross-domain requests is for the server to respond with the following header to any requests:
Access-Control-Allow-Origin: *
This allows requests from any hosts, or alternatively a specific host can be used instead of *. This is called Cross Origin Resource Sharing (CORS). Unfortunately it's not supported in older browsers, so you need hacks to work around the browser in that case (like a commenter said perhaps by requesting an image).
You can get codes from third-party sites, but collecting data with them is restricted by the policy.
Google collects data with "_gaq" function array embedded by the 1st-orgine-site, and then Google sends the collected data as they are embedded in the http-request parameters.
http://www.google-analytics.com/__utm.gif?utmwv=4&utmn=769876874&utmhn=example.com&utmcs=ISO-8859-1&utmsr=1280x1024&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=9.0%20%20r115&utmcn=1&utmdt=GATC012%20setting%20variables&utmhid=2059107202&utmr=0&utmp=/auto/GATC012.html?utm_source=www.gatc012.org&utm_campaign=campaign+gatc012&utm_term=keywords+gatc012&utm_content=content+gatc012&utm_medium=medium+gatc012&utmac=UA-30138-1&utmcc=__utma%3D97315849.1774621898.1207701397.1207701397.1207701397.1%3B...
Google demonstrates clearly how tracking works.
I have a PHP code that will return a image.
the link is given to 3rd party. so, i need to keep track where the php request coming from. Because the PHP only return the image, I cannot use the Javascript code for Google analytics.
I know that I can get the information from the access.log, but i think I can't dump the access.log to GA for analyzing, right?
so, is there a way that I can do in PHP (e.g. sending a CURL ), send somethig to Google Analytics for tracking?
In practice, what GA will do is to issue a HTTP GET for a 1-pixel sized GIF image, in which the GET parameters will contain the information to store in GA servers. If you figure out the format of the GET request, you may be able to store the information you want to. You can use any net monitoring tool or browser plugin of similar functionality (like Firebug, etc) to understand the parameters that are passed to GA servers. These are nowhere to be found in GA documentation, although the architecture of this process is.
In practice, what you're trying to accomplish is the same as enabling GA for a javascript-disabled client. By limiting the information you can provide to GA to the one that the server obtains from browser requests you won't be able to get some detailed info such as the screen resolution, etc. On the bright side, the information that won't be accessible by this method is actually very little (and probably of little significance) and the web is full of resources on using GA for the javascript-impaired that you can use as example, eventually adapting to PHP and to your particular case.
Galvanize is an open source project that does what Miguel is describing. This is the blog post introducing Galvanize.
I'm creating a browser based game and at the moment I'm designing the script that updates the position of my character when he/she clicks on a different part of the map.
I am using a bit of ajax to do this which send a request to a php file called position_update.php. But for it to work I need to send two values along with it so it knows what the new position is, how do I do this? Below is my link that send the request to php file.
<a onClick="positionUpdate();"><img src="images/transparent.gif" border="0" /></a>
As a note, I'm using the php $_GET super global to retrieve the values when they're sent.
Thanks, Stanni
You need to hit the URL:
position_update.php?var1=val1&var2=val2
PHP will parse the get string into $_GET
BTW, you should ensure that degrades gracefully by having an equivalent href value that works for non-js users.
In case you need to encode the URL string, use the javascript function encodeURL():
sUrl = encodeURL("position_update.php?dir="+sDir+"&dist="+sDist);
And remember that in a client-server architecture, do not put too much implicit trust in the client. All of the application logic that handles game mechanics and rules enforcement should be contained in the server-side component.
A few years ago there was a really popular game called TetriNET (multiplayer online Tetris) that was designed without these security considerations. It took me about 3 days to crack the communication protocol and basically draw on other players' screens using server commands for creating/clearing blocks. It made cheating very easy using just a simple proxy.
So don't let the client 'tell' the server where the player is. Use the client only to display the interface, collect input, and display output. So have the client tell the server where the player 'wants' to move (direction, how far, etc.), and then have the server calculate the player's position based on what moves the player is legally allowed to make and his previous position.