I run a link shortener, the users get paid for visitors which are using the short url. They see a landing page, and with a click at "skip" they are redirected. But some of my users try to cheat, instead of giving their visitors the short url like example.com/a/53425, they give them http://example.com/a/pugt.php?url=53425 with pugt.php are 2 sql queries performed:
the target url is retrieved from the database
the creator of the url gets +1 point per visitor.
That means that the visitors are redirected without seeing the ads at my landing page, and the user gets his points. Is there any way to hide this php file, or to perform this sql queries in a smarter way?
This is the source code of the "skip" button at my landing page:
$url is the id of the short url like 53425
<section class="example">
<br/>
<br/>
<center><script src="//go.padstm.com/?id=345791"></script></center>
</section>
The best way is to create a token for every url. Add a new database column named token or anything you like.
So your url should look like:
http://example.com/a/pugt.php?token=e49s73tr6198e76dg4&url=53425.
Your php script will update token every time a visitor views your ad and set the new token for next url. Without valid token no one will be able to bypass your add.
Yes Vaze the better way to deal with the hidden urls is to encrypt the url by using urlencode as it is right at your requirement. In this way the users can't understand the url and you will have what you need. And at the time of the backend php magic you need to urldecode your url in order to do the things same as you are currently doing.
Related
Question: Is it possible to modify the current URL that's shown in browser's address bar and browser history?
To be specific, I only want to modify the URL that is visible to the user; I don't want to trigger navigation. (I have a Gatsby app, and Gatsby is using Reach Router.)
Motivation: I have a gallery of images that the user can click and navigate to URL such as /images/?id=52. The advantage of this approach is that /images/ can be prefetched to enable instant rendering of the page. However, this scheme is unfriendly to users who have disabled JS, as they will see no images at all when they navigate with query parameters. So I have also prerendered pages like /images/52/ that work without JS. So what I want to do is navigate the JS users with query parameters, but then modify the URL that they see to a URL that can be shared with anyone including non JS users.
What I think you're looking for is either window.location.replace() or window.location.assign()
Replace is merely visual, so if the user were to copy the URL to share with their friends you can manipulate that url that they see and copy.
Assign loads a new document, as if the URL you passed it is the one that got the document.
https://developer.mozilla.org/en-US/docs/Web/API/Location/replace
https://developer.mozilla.org/en-US/docs/Web/API/Location/assign
Edit: a comparison
Difference between window.location.assign() and window.location.replace()
I believe you'll need to create a NodeJs server to handle this sort of action. It can take a query parameter from the URL ('images/?id=52') and then return the user to the URL 'images/52'.
Or you may be able to use the 'gatsby-source-filesystem' package.
I have a URL with a query string attached to it. After the page loads, I am removing the query param using
history.replaceState("","",location.href.substring(0,location.href.indexOf("?")))
But when user hit refresh button its displaying error screen from my application since expected query param was not there in URL. I can use post action there but I would like to avoid query params with page refresh working fine. Is there any solution for this ?
If you're using a query parameter and then removing it, then the user hit's refresh and there is an error saying it's expecting a query parameter, then your code (and logic) is lacking.
My suggestion, if you want to avoid query parameter after the page initially loaded, is to save the parameter in a cookie or even a session if there is code-behind. Then if the user refreshes without the query parameter, check if the cookie exists, if the cookie exists, show them the page normally, if not, instruct them that they did not visit the URL through the correct channels.
However, like I mentioned, I think your logic here is flawed, because if the user wants to share your URL to the outside world, and you removed the key piece of information that makes the page load successfully, then you will have a lot of confused people on your hands
edit
You might want to investigate SEO friendly URL's to pass your query in to, so instead of: yoururl.com/?firstname=joe you can do yoururl.com/firstname/joe
Upon completion of an ajax call I would like to direct the user to an html page, but at the same time passing a hidden variable (this variable contains sensitive information and should not show up in the URL).
How can I accomplish this?
window.location.href = 'userpage.html?id=14253';
But with the id remaining invisible? Can I POST the id somehow while sending the user to userpage.html?
You should not be checking user credentials on the client side of your website. Regardless of how the ID is being passed to your script, it can be replicated without you being able to check if the request is valid.
To start being even remotely secure with what information is granted to a user, you need to be checking it via the server side. With every request, ensure the user is authenticated to view such data.
If I were you, I would look into using PHP sessions as the first line of defense for checking if a user is authenticated. Doing so will at least keep the information about a user out of a replicable space that can be viewed by the user.
Look up 'php session login tutorial' on Google and you will find plenty of simple tutorials which should get you on the right track.
Example Tutorial
No matter what, the information you pass along is insecure. You can submit a post request using XMLHttpRequest objects if you'd like (or use a framework/library to make AJAX calls) -- but the user could still spoof the data and get different results.
ID enforcement should be done in the backend. Does the requested ID match the ID of the user signed in? No? Don't show it. etc etc.
The setup is basically having Page A with anchor links as such
<a href="/index.php/iframe-wrapper?http://www.[desired link].com">
upon click, the URL is written as such in the users browser
http://www.[site].com/index.php/iframe-wrapper?http://www.[desired link].com
an iframe calls what comes after the querystring through javascript and displays it in the frame through
var query = window.location.search.slice(1);
basically being able to have URLs on Page A display in an iframe on Page B
im stumped on how to remove the querystring from the end result (maybe through htaccess?) (as it is modifiable on any user browser leading to all sorts of vulnerabilities)
if anyone would be able to help me out with htaccess or some other similar method, i will be deeply grateful
I'm not aware of any way that .htaccess could help decrease the chance of vulnerabilities. You're still accepting a query string and using that as the iframe source, which means anyone can still just submit any URL in the query string regardless.
A more secure way to handle it might be to create a database table containing all of the potential URLs. You could enter them manually, or if they change frequently you could have a secure form where authenticated users (or admins) can administer them.
Then in the query string of the link you can simply pass the id of the table row which contains the URL you want to use, and retrieve the appropriate URL for that ID server-side using PHP.
In this way, the iframe can only ever display one of the URLs that are stored in the database. Someone could still enter whatever they want in the query string, but it won't matter because if it's not the ID of a valid URL you can display an error message (or a default URL or whatever other fallback behavior you want).
I've looked at a couple different analytics programs (like Google Analytics) that will tell me what URL my users have entered my site from, and which URL they are going to when they exit.
It certainly must be possible to gather this data somehow, I just can't find any code examples of how to do it. I would imagine that it involves the javascript function onBeforeLoad, I just don't know how to get the URL from that point on. This is a pretty important feature, as it will help me to tailer my website more towards my users specific needs.
I appreciate the help,
Sorry, I think I was unclear originally.
One of my other sites uses a service called StatCounter, and they have a section called "Came From". This shows where users were at directly before they visited your page. So, for instance, if someone google'd "Inside Out Ministry", and found the link to my site www.insideoutministry.com, my stats page would show that the user Came From www.google.com .
What would be the code to do this?
A simple approach would be to have a db with ip, time, lasturl and firsturl fields. Every time someone calls a page, it get's checked if his IP is already in the db. if not, a new entry gets written with firsturl as the actual url and i with his ip. Every time now he loads a new page on your site, the lastpage field gets updated. I don't know how exactly to determine that he's left the page, e.G. if he hasn't accessed any page on your sithe within 10min.
To track the first/last page your users visit, you just track all pages the user visits, and the one with the earliest timestamp is the first, and the one with the latest timestamp is the last.