The setup is basically having Page A with anchor links as such
<a href="/index.php/iframe-wrapper?http://www.[desired link].com">
upon click, the URL is written as such in the users browser
http://www.[site].com/index.php/iframe-wrapper?http://www.[desired link].com
an iframe calls what comes after the querystring through javascript and displays it in the frame through
var query = window.location.search.slice(1);
basically being able to have URLs on Page A display in an iframe on Page B
im stumped on how to remove the querystring from the end result (maybe through htaccess?) (as it is modifiable on any user browser leading to all sorts of vulnerabilities)
if anyone would be able to help me out with htaccess or some other similar method, i will be deeply grateful
I'm not aware of any way that .htaccess could help decrease the chance of vulnerabilities. You're still accepting a query string and using that as the iframe source, which means anyone can still just submit any URL in the query string regardless.
A more secure way to handle it might be to create a database table containing all of the potential URLs. You could enter them manually, or if they change frequently you could have a secure form where authenticated users (or admins) can administer them.
Then in the query string of the link you can simply pass the id of the table row which contains the URL you want to use, and retrieve the appropriate URL for that ID server-side using PHP.
In this way, the iframe can only ever display one of the URLs that are stored in the database. Someone could still enter whatever they want in the query string, but it won't matter because if it's not the ID of a valid URL you can display an error message (or a default URL or whatever other fallback behavior you want).
Related
I have a site with loads of Javascript, where users input informations, which gets saved in Javascript objects on the site. I also have a working export/import from JSON - once the user fills out the form, he can "Export to JSON", and if he refreshes the page (and the form is cleared), he can "Import from JSON" and the forms get filled.
I want to also save the data into the URL, so the users can simply share the URL, and the forms will get pre-filled based on the URL content.
Closest example I was able to find is these old game calculators - http://classicdb.ch/?talent#Lsoedm0oZVx0f0xoZTMo
The information is encoded in the #Lsoedm0oZVx0f0xoZTMo and then processed and the form is filled.
How does one go about implementing this? Can I use the JSON import which I already have?
Thank you
If you're asking how to make the hash that could be part of the URL. This article might help you: https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding
In case you want to modify or receive the hash from URL, René's answer answered that already. :)
Appending the hash to the url should not be the question but receiving and processing, right?
For these javascript provides
location.hash
That way you will get the "Lsoedm0oZVx0f0xoZTMo" and do whatever you have to.
I have a URL with a query string attached to it. After the page loads, I am removing the query param using
history.replaceState("","",location.href.substring(0,location.href.indexOf("?")))
But when user hit refresh button its displaying error screen from my application since expected query param was not there in URL. I can use post action there but I would like to avoid query params with page refresh working fine. Is there any solution for this ?
If you're using a query parameter and then removing it, then the user hit's refresh and there is an error saying it's expecting a query parameter, then your code (and logic) is lacking.
My suggestion, if you want to avoid query parameter after the page initially loaded, is to save the parameter in a cookie or even a session if there is code-behind. Then if the user refreshes without the query parameter, check if the cookie exists, if the cookie exists, show them the page normally, if not, instruct them that they did not visit the URL through the correct channels.
However, like I mentioned, I think your logic here is flawed, because if the user wants to share your URL to the outside world, and you removed the key piece of information that makes the page load successfully, then you will have a lot of confused people on your hands
edit
You might want to investigate SEO friendly URL's to pass your query in to, so instead of: yoururl.com/?firstname=joe you can do yoururl.com/firstname/joe
I run a link shortener, the users get paid for visitors which are using the short url. They see a landing page, and with a click at "skip" they are redirected. But some of my users try to cheat, instead of giving their visitors the short url like example.com/a/53425, they give them http://example.com/a/pugt.php?url=53425 with pugt.php are 2 sql queries performed:
the target url is retrieved from the database
the creator of the url gets +1 point per visitor.
That means that the visitors are redirected without seeing the ads at my landing page, and the user gets his points. Is there any way to hide this php file, or to perform this sql queries in a smarter way?
This is the source code of the "skip" button at my landing page:
$url is the id of the short url like 53425
<section class="example">
<br/>
<br/>
<center><script src="//go.padstm.com/?id=345791"></script></center>
</section>
The best way is to create a token for every url. Add a new database column named token or anything you like.
So your url should look like:
http://example.com/a/pugt.php?token=e49s73tr6198e76dg4&url=53425.
Your php script will update token every time a visitor views your ad and set the new token for next url. Without valid token no one will be able to bypass your add.
Yes Vaze the better way to deal with the hidden urls is to encrypt the url by using urlencode as it is right at your requirement. In this way the users can't understand the url and you will have what you need. And at the time of the backend php magic you need to urldecode your url in order to do the things same as you are currently doing.
I am building a webapp and have a few arrays that I would like to pass through the URL in order to make the results of my application easily sharable.
Is there an efficient way to do this? I know a lot of websites (like youtube) use some sort of encoding to make their URLs shorter, would that be an option here?
Thanks in advance!
What I suspect you're asking is you have some page where the user can alter information, etc, and you want a way to create a URL on the fly with that information so it can easily be accessed again. I've listed two approaches here:
Use the query string. On your page you can have a button saying "save" that produces a URL with info about what the user did. For example, if I have a webpage where all I do is put my name in and select a color, I can encode that as http://my-website.com/page?name=John_Doe&color=red. Then, if I visit that link, your page could access the query object in JavaScript and load a page with the name and color field already set.
An approach for the "YouTube-style" URLs would be to create a hash of the relevant information corresponding to the page. For example, if I were creating a service for users to store plaintext files. These files are to have the following attributes: title, date, name, and body. We can create a hash of the string hash_string = someHashFunction(title+date+name).
Of course, this is a very naive hashing scheme, but something like this may be what you are looking for. Following this, your URL would be something like http://my-website.com/hash_string. The key here is not only creating these URLs, but having a means to route requests on the server side to the page corresponding to the hash_string.
I have a site that request that they could send out different urls to clients to track what links are being used. I told them to use google analytics but they are requesting to stay away from it.
What they are asking is they want to send a url to there customers such as,
http://www.yoursite.com/?link=Nameoflink
They want to get that cookie and set it.
Then when the contact form is used they want to be able to submit that link name with the form submission to show what links are being used to go directly to there site.
I was told this is possible but i have no knowledge of that custom of javascript or cookie expertise... =/
You can get the value of the params passed in through the url with location.search. To get the value of the param, use the location.search and then find the specific url value, then set that in another hidden text field or something...
if (location.search){
var search = location.search.substr(1).split("&"),
url = search.split("=")[1];
document.getElementById('hiddenInput').value = url;
}
Note- the code above assumes that your search string only contains the URL value & that the URL is first. If not, it is likely this will fail. You can update the code to account for that by checking to make sure that search.split("=")[0]==="url" or expanding it to parse out all of the search params into an object that you can reference by key.
Yeah, google analytics would make this a lot easier, especially if you had a specific page that would serve as a drop-point, telling you how many people click this special link.
Without google analytics, you could get the GET variable values via a PHP or ASP page script and have them set that way, or you can use soley JavaScript to take care of cookie setting and retrieval.
For JavaScript, these links should point you in the right direction:
JavaScript cookies:
(I can only post one link, but check out W3C School's article on JavaScript cookie handling)
Extract GET values via JavaScript:
http://www.go4expert.com/forums/showthread.php?t=2163