Js check login from exterior website - javascript

I have to create a "like" button like Facebook's.
So this button will be on many websites, and it calls a JavaScript file hosted by me, which handles the button's hover/click/etc. actions.
Now, how can I check with JS whether the user is logged in to my website (PHP with sessions) or not?
So if the user is logged in, the like button would change its text and show that the user liked it; otherwise the user will be redirected (maybe via a popup) to the registration page.
How can I handle this type of cross-domain (JS/AJAX) request?

To enable cross-domain requests, add
header("Access-Control-Allow-Origin: *");
to the top of your PHP file.
Then do something like this:
<?php
session_start(); // load the session before reading $_SESSION
if (isset($_SESSION['user_logged_in'])) {
    echo "TRUE";
}
else {
    echo "FALSE";
}
and take action on your page based on the value returned.
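Browsers ignore a wildcard `Access-Control-Allow-Origin` on requests that carry cookies: the response must name the exact requesting origin and set `Access-Control-Allow-Credentials: true`, and the session cookie must be `SameSite=None; Secure` to be sent cross-site at all. The following is an added example, not part of the answer above, of a login-status endpoint that does this for an allowlist of embedding sites. The file name, the origins and the `cors_headers()` helper are assumptions.

```php
<?php
// like_status.php (added example; the origins below are constructed placeholders)
const ALLOWED_ORIGINS = [
    'https://partner-a.example',
    'https://partner-b.example',
];

/**
 * Return the CORS headers for a request's Origin, or [] if the origin is
 * not allowlisted (the browser then refuses to let that page read the reply).
 */
function cors_headers(?string $origin, array $allowed): array
{
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return [];
    }
    return [
        "Access-Control-Allow-Origin: $origin",   // exact origin, never "*"
        'Access-Control-Allow-Credentials: true', // required when cookies are sent
    ];
}

// The session cookie is only attached to cross-site requests when it is
// SameSite=None and Secure (array form needs PHP >= 7.3).
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'None',
]);
session_start();

header('Vary: Origin'); // keep shared caches from serving one origin's reply to another
foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null, ALLOWED_ORIGINS) as $line) {
    header($line);
}
header('Content-Type: application/json');

// Expose only a boolean; never echo session contents to another site.
echo json_encode(['logged_in' => isset($_SESSION['user_logged_in'])]);
```

The embedding page has to call it with `fetch(url, {credentials: 'include'})`; in browsers that block third-party cookies the session cookie is not sent and the endpoint reports `logged_in` as false.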

Related

Restrict users from viewing page in PHP

I'm having a problem with the website that I'm making. I'm making a website where users will be able to go and watch a short video, after that they can Sign Up and get a link to verify their emails. The email goes to their inputted email and they have a verification link which leads to another page. That page has a button which leads to a Full Video. Now I want to prevent users from viewing verify page and the page where users see full video before they verify their emails. I'm fairly new to PHP and I tried something, I think it's not that good but I'm still learning.
I wanted to redirect users when they go to localhost/verify.php and allow them to go on the page when the URL is localhost/verify.php?verified=1, that ?verified=1 URL is being sent to their emails.
But whatever I type, it redirects to index.php
verify.php
if (stripos($_SERVER['REQUEST_URI'], 'verify.php')){
header('Location: index.php');
}
else if (stripos($_SERVER['REQUEST_URI'], 'verify.php?verified=1')){
header('Location: verify.php');
}
Is there any way I can do this better, since the users don't have a register option and I'm not saving any sessions?
Even if you are not creating users, you can have a table that just represents these email addresses and contains a key, email, verified (bool) and verification_token (unique string). Then, in the controller for the verified route, you can check if that verification token exists, mark the user as verified and pass them along to the video. This also allows you to store that token in a cookie that you could check for any time they hit the normal endpoint without the query parameter, so you could still treat them as verified. It's not full-on auth, but it sounds like you don't want a full-blown authenticatable user for these emails.
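The table-and-token approach from the answer above, as an added example that is not part of the original post. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name, column names and both functions are hypothetical, and the e-mail address is a constructed sample.

```php
<?php
// Added example: unguessable verification token instead of ?verified=1.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE signups (
    id         INTEGER PRIMARY KEY,
    email      TEXT UNIQUE NOT NULL,
    verified   INTEGER NOT NULL DEFAULT 0,
    token_hash TEXT UNIQUE NOT NULL
)');

/** Create a signup row and return the token to put in the e-mailed link. */
function create_signup(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO signups (email, token_hash) VALUES (?, ?)');
    // Store only a hash, so a leaked table does not contain usable links.
    $stmt->execute([$email, hash('sha256', $token)]);
    return $token;
}

/** Mark the matching signup as verified; true only if the token is known. */
function verify_token(PDO $db, string $token): bool
{
    $stmt = $db->prepare('UPDATE signups SET verified = 1 WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    return $stmt->rowCount() === 1;
}

// Constructed demo: the link in the mail would be verify.php?token=<token>.
$token = create_signup($db, 'viewer@example.com');

foreach (['1', $token] as $supplied) { // a guessed value, then the mailed token
    if (verify_token($db, $supplied)) {
        echo "token accepted: show the full video\n";
    } else {
        echo "unknown token: redirect to index.php\n";
    }
}
```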

How to perform 2 different actions using only 1 submit button on a form

I have a submit button for logging into my PHP/MySQL system. However, I would like to be able to log in and at the same time take the credentials and store them in indexedDB when the button is clicked. Is there any way of achieving 2 actions at the same time? So far, if I include my JavaScript code for submitting to indexedDB, the login does not work, and if I remove the code, the login works.
What you could do is have your form take you to your first page, then do both the actions with all the data send to your form.
With a simple HTML/PHP form, this is simple. Submit the form to a new PHP page using action="submit.php". Then do your indexedDB call on this page, and echo out a copy of the form, complete with the data (POST or GET), but with your login page as the new action, then echo a <script> tag like so:
echo "<script>document.getElementById('myForm').submit();</script>";
Then it will login via your login page.
If you want to save data in IndexedDB before logging in the user:
You can achieve this by calling a JavaScript function onSubmit. And inside that function, you can hit a GET/POST URL to save data in IndexedDB.
Or, if you want to perform this task on the server side, one way of doing this is: upon successful login or while verifying the user's credentials, you can call a function to save data in your indexedDB. This function could be sync or async.
onclick="doSomething(this.form);"
function doSomething(form) {
    // do something
    // do something else
    // Finally submit the form
    form.submit();
    return true;
}
Separate with two ;
onclick="doSomething();doSomethingElse();"
You're good to go!

Is it safe to redirect page using jQuery and AJAX in authentication

I am creating a user authentication system using PHP, JQuery, and AJAX. On submit, a request will be sent to 'authenticate.php' with data: username & password using AJAX. The PHP code checks a database for the record and returns 0 on success, 1 on failure. Then if the returned value is 0, the page will be redirected to the 'user private page' using 'window.location="user.php"'.
Now, the question is, is it safe and proper way to authenticate like this? Are there any security problems to use jQuery/JavaScript to redirect page?
Now, the question is, is it safe and proper way to authenticate like this?
Only if inside your user.php you check again if the user has successfully authenticated already. (This is usually where sessions come into play.)
Otherwise, of course everyone who knows the URL of user.php can access it directly.
Are there any security problems to use jquery/js to redirect page?
The only difference between window.location="user.php" (which is wrong, btw. – correct would be window.location.href="user.php") and, say, a normal link to that page, <a href="user.php">foo</a>, is that the first one happens automatically, and the second one would require the user to click the link first.
So, it is as “secure” as if you had used a simple link. What that actually means here in this case, depends what I said above.
Depends on how secure and compliant you want your application to be. According to RFCs it's not recommended to log in like that, but to keep the form on the server side and integrate the login form on the frontend (via iframe), then just redirect with redirect URL and token, scopes etc. to a local HTML page which then e.g. sends a window postMessage to your frontend application.
https://www.rfc-editor.org/rfc/rfc6749#page-19
If you just want to be quick and dirty you can go for window.location.href or document.location.href.
Or, a bit more secure, send the user to the server and let this be redirected back, but this can end up in redirection hell, as it's not easy to get back to the state where the user was (including settings and stuff).
Anyway, you will always have to check the current user's session state on the server side (sessions), whatever you do afterwards.
Since you are working with PHP already, I don't recommend using JS to redirect the user. You can use PHP for that:
if($user == $db['user'] && $password == $db['password']){
    $_SESSION['logged_in'] = true;
    header('location:user.php');
    exit; // stop here so nothing else runs after the redirect
}else{
    echo 'username or password is wrong';
}
Then on your user.php file:
if(isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == true){
    echo 'welcome to the user page';
}else{
    header('location:index.php');//Go back to login page
    exit;
}
If people go directly to the user.php page, they will be redirected to the index.php page.
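An added example, not taken from any of the answers above: the AJAX endpoint from the question establishes the session on the server, and user.php re-checks it, so the JavaScript redirect itself carries no authority. The `$users` array, `auth_attempt()` and `require_login()` are hypothetical names, the sample account is constructed, and passwords are stored as `password_hash()` output rather than compared in plaintext.

```php
<?php
// Added example: server-side login state behind a client-side redirect.
session_start();

// Constructed sample record; a real system would load the hash from its database.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

/** authenticate.php logic: 0 on success, 1 on failure, as in the question. */
function auth_attempt(array $users, string $name, string $password): int
{
    $known = isset($users[$name]);
    // Verify against a throwaway hash for unknown users so both paths do similar work.
    $hash = $known
        ? $users[$name]
        : password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    if (!$known || !$ok) {
        return 1;
    }
    session_regenerate_id(true); // fresh session id at login (session fixation)
    $_SESSION['logged_in'] = true;
    $_SESSION['user'] = $name;
    return 0;
}

/** First line of user.php: without a server-side session, no page content. */
function require_login(): void
{
    if (($_SESSION['logged_in'] ?? false) !== true) {
        header('Location: index.php');
        exit; // header() alone does not stop the script
    }
}

// Accept only string fields from the AJAX POST.
$name = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
echo auth_attempt($users, $name, $pass);
```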

How to login to a website using login popup made by using javascript?

In my website, there is a login button. When a user clicks on it, a popup appears which asks the user for a username and password. Now I want that popup to work as follows:
1- if the user gives a wrong username and password, then the popup disappears and an alert tells the user that a wrong username or password was entered, try again.
2- if the username and password are right, then the popup should disappear and the main page should be redirected to the user home page.
How can I do that using JavaScript?
Thanks in advance.
You're looking for some Ajax stuff. I think your login data is in a database (if not, then it doesn't make any sense, because everyone could simply read the login data).
I recommend you search for some Ajax tutorials. Ajax is a technique to load content dynamically via JavaScript. Which means: after sending username + password to a server, it will respond with success or failure, which you can use on your current page to display the error or success message.
Jquery is an easy-to-use javascript framework, which also supports Ajax calls.
You want whole code? Or just conception?

Login Script with hidden buttons

I have been using PHP and JavaScript for building my dad's website. He wants to incorporate a login system into his website, and I have the design for the system using PHP. My problem is how do I show buttons if the person is logged in?
For Example - You have Home, Products, About Us, and Contact. I want to have buttons for Dealer, Distributor, and maybe other information if the user is logged in. So I will have Home, Products, About Us, Contacts, Dealer (if dealer login), Distributor (if distributor login), and so forth.
Would JavaScript be a good way to do this or would PHP, or maybe even both? Using JavaScript to show and hide buttons, and PHP to check to see which buttons to show.
Regarding security, you cannot trust what comes from the client:
The visitor can see all your code (HTML and Javascript, not PHP) and try stuff
The visitor may not even use a browser; it's trivially easy to send a request with a script
This means hiding the buttons is good User Interface design (because you can't use them if you are not logged in). But it's not a security feature. The security feature is checking, on the server, that the visitor is logged in before each action that requires it.
If you don't intend to show the buttons, it's not useful to send the HTML and images to the browser and then hide them with Javascript. I would check with PHP.
In your menu file or w/e you put:
<? require 'auth.php' ?>
<ul>
<li>Home</li>
<li>Products</li>
<? if( loggedin() ): ?><li>Secret area</li><? endif; ?>
</ul>
Then in pages that require auth just do this:
<?php
require 'auth.php';
require_login();
?>
Where auth.php may contain:
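<?php
// Start the session once so $_SESSION is available to both helpers.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
function loggedin(){
    return isset( $_SESSION['loggedin'] );
}
function require_login(){
    if( !loggedin() ){
        // URL-encode the return path; login.php should only redirect back to local paths.
        header( 'Location: /login.php?referrer='.urlencode($_SERVER['REQUEST_URI']) );
        exit;
    }
}
?>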
If you use javascript to hide the buttons, you open a security hole in the application. A malicious user could either disable javascript or apply some of their own to get around your security.
I suggest using PHP to choose to either render the buttons or not. I do this in .NET quite often.
You should be able to check the user's access on the server-side whenever they try to use a restricted button as well.
What we have done at my work is have a library that provides functions such as checking if the user is logged in. For example:
<?php
require_once 'Auth.php';
// output some html
if (isLoggedIn()) {
echo 'html for logged in user';
}
// rest of html
For pages that only authenticated users should see, the controller checks if they are logged in and if not it redirects them to the login page.
<?php
public function viewCustomer($customerId) {
if (!isLoggedIn())
redirectToLoginPage();
}
Everything that Christian Lescuyer wrote is correct. Notice, however, that he said "I would" and not "you should". The choice is not that easy.
First of all, security is not an issue in the choice. You should have security check on server when you execute an action. Which code decides to show/hide the button that leads to the action is irrelevant.
That leaves us with only one drawback of doing show/hide logic in Javascript - the HTML sent to user is bigger than necessary. This may not be a big deal.
Having show/hide logic in PHP does have a minus, though. The PHP code required is usually a tag soup. Akira's code provides a good example of how it is usually done.
Corresponding Javascript code would probably look something like this:
if (logged())
{
elementSecretArea.style.display = "list-item";
}
(assuming that elements that could be hidden have display:none by default).
This style also allows nice "Ajax" scenario: user sees a page w/o secret area, inputs password, sees the secret area all without refreshing the page.
So, if you already have a script that runs when your document loads for other reasons, I would seriously consider having show/hide logic there.
Basically where you have your menu in html, say as a list <ul> <li>Home</li> </ul> you add php after </li> of the last item:
<?php
if($session->logged_in) {
?>
<li>My Account</li>
<?php
}
?>
