I have searched the Internet, but I can't find the info I'm looking for. So I'm sorry if it's a simple question or asked a miljon times.
I'm developing a website with (probably) a lot of Ajax functions. Now I'm wondering how FaceBook is doing this, for example the 'Like' button. If I use a ajax call to a page addLike.php?post_id=1, then an visitor (with evil intentions) can use this url to manipulate my db by adding random values to the post_id.
How can I prevent this? Or what's the best way to do this?
First and foremost, calls to make mutation to data entries (something stored in the database, files, etc.) should never be accessible from a 'GET' HTTP request, e.g. deleting a post in a forum. That is to say, if you're adding like to a post, you should use $.post to perform an ajax request (supposing you're using jQuery).
And also, authentication and authorization should be done before responding to every request. Which means, if the user wanted to add like to a post, he/she should have been authenticated and also permitted to perform the specific action. Prevailing web frameworks will help you to achieve this automatically (with configurations).
And further more, you should also prevent XSS attack by data sanitization. You can google it for more details.
Related
I'm trying to find a way to have Square not forcefully redirect my web application on a Connect payment. Right now, I've registered my url in https://connect.squareup.com/apps as https://example.com/square_callback (or whatever), and I pass along my own metadata that tell my application where to redirect back to so our users don't have to drill all the way down to where they were when they first jumped in.
So two questions.
One, is there a way to have that URI be dynamic? They're taking payments from https://example.com/customer/1351743, and that's where I want them to return to, so is there a way to have a wildcard redirect uri, something like https://example.com/customer/*?
Second, is there a way to not have the page refresh at all? These particular pages take a while to load, our users are out in the field with spotty connections, so while I want the square response to go to the server, I'd rather have their page not refresh at all. Possibly by using # in the URI?
To answer your first question, you can not register a wildcard domain or specify the the url in the request. This is mostly a security measure to prevent someone from skimming your information by hijacking your javascript. You can specify multiple urls in the developer portal and dynamically pick between them with your request.
I'm not 100% sure I understand your second question, but I'm going to interpret it as you want to switch back from the point of sale application to your webpage without "refreshing" the page. This isn't possible, since the app switch isn't as much of a switch back, as it is opening a new url. If you didn't load a new page, it wouldn't be possible to use the GET parameters that Square sends you back in the response from the transaction.
Sorry, both No :(
I'm doing OAuth2 to integrate Square and my app which uses Parse as its backend.
My issue is that when Square calls the redirect uri, it directs the user to a subdomain I created in Parse with the authorization code appended to the subdomain uri. I need to extract this authorization code from the uri, but do not know how. Parse Cloud Code is needed to do this.
I believe I need to create a Webhook URL in Cloud Code and then extract the data appended to the URL, the base of which is the subdomain URL. Steps outlining the process, code examples and links to helpful documentation would be much appreciated.
Furthermore, once I figure this out, I need to have my web browser jump the user back to the app that brought up Square initially once this redirect URL is called. Not sure how to do this and haven't found things that make sense. Tips, recommendations and links would be appreciated!
Thanks!
I think the best way to go would be create an independent route on the server that handles all your communication with square. I mean something that doesn't have Parse.
You can now still communicate with Parse from this route and make queries but the best thing is to just create a separate route that id devoid of parse.
Because even if you can find a way to implement via triggers or hooks, Parse might not be able to give you a flexible implementation that can be extensible over time.
Basically, I want to use the Facebook Ads Manager Tool to estimate the number of users targeted by a particular set of targeting parameters. I know there is a published API available, but it is only usable if you are on their advertising application "whitelist." I am sure what I am asking is possible. Plus, it would be interesting to learn more about scraping.
Facebook's Ads Manager Tool is basically an AJAX UI for their ads API. In the process of creating a campaign, you can specify targeting parameters, and the page will dynamically report the number of users targeted as you modify the parameters. From what I've read on the web and here on stackOverflow, it is possible to use Firebug or a similar tool to pick apart what requests are being made by the page and to where, then mimicking these calls to get the information you want.
I'm having trouble interpreting the panels of Firebug. I think the URI I'm trying to send a request to is www.facebook.com/ajax/inventory_estimator.php, though I'm not sure how to form a call.
So, if I want to write a script or program that takes a list of words to use as keywords and returns the estimated number of users for each keyword, how could I do it?
Link to Facebook's Ads Manager Tool, Campaign Creation Page:
http://www.facebook.com/ads/create
yes using an extension like firebug to examine the HTTP requests is a good way to do this.
The Net tab is the one you want (last one).
Have you tried irobotsoft webscraper? It has a good ajax support.
Check their forum here: http://irobotsoft.org/bb/YaBB.pl
I am creating a web service which uses REST web services. The client side code is written in HTML/JavaScript. My dilemma is whether I
should use the REST resource directly using AJAX calls?
or
should I create Servlets/JSPs (where REST calls will be made and data will be sent to client(AJAX/JAVSCRIPT)).
I have seen many web apps which follow the 2nd procedure but seems to me that it's doing the same thing as 1st in an indirect way.
Is there any advantage of using 2nd procedure over first?
What is the standard way to use REST services by HTML/javaScript client?
Please let me know if I am even thinking in the right direction and if not please give your valuable insight.
You can use either approach but note that browsers will enforce the same-origin policy on scripts, so if the REST service lives on a different domain than the script you will need to use a servlet/script on the same domain as the script to proxy the call to the other domain. I suspect this is why you are seeing the second approach used.
A proxy/middle-man servlet may also be useful if not all of the response is needed; you could use the servlet to strip out information that is not needed by the JavaScript to reduce the amount of data sent to the browser.
Directly accessing the resource(s) via AJAX has the obvious benefit of less overhead and is IMHO the more elegant solution, however it is also important to note that not all browsers support PUT and DELETE requests natively.
To get around this, you'll likely want to support the common "_method" hack. This stackoverflow question mentions this approach.
I have found very little on this topic. I'm trying to work out a way to synchronize pages cross-web without having to constantly reload pages to get new information, since the rate at which this would be necessary would cause the page to be outrageously slow.
The flow I'm thinking is this:
User A alters info displayed on Page A.
Page A sends info to server.
Page B checks server for new info every 10ms or 100ms.
Page B loads Page A's new info.
I can see AJAX as being sufficiently fast to retrieve info from the server, but have found no way to send data to a server without having to refresh every 10ms, which, even using an iframe to avoid reloading the whole page, seems far too slow to me. Correct me if I'm wrong.
So my question is, is there any way of which I am unaware to do what I am attempting? I have seen methods involving a Java server applet, but that's a bit above my head at the moment. If that's the only way, I'll learn it, but I'd love to avoid that if possible.
There are two possible interpretations of what you wrote, the first which seems to be what you've actually said is that you want to know how to send data with an Ajax request, the second is that you want to know how to push unsolicited data from the server to the client.
Ajax can easily add data to a request it makes - just add query-string parameters, or make a POST request and use XHR's send method
Use comet - i.e. keep open a long-lived connection and send data only when there is something to send.
One of the possible way to implement what you want is to use Comet technology. For example - facebook uses it to interact with their servers.
If you are retrieving info fast using AJAX, then you are also sending info fast with AJAX...
GET requests are still telling the server something. For example, lookup RESTful web-services.
You could use updater of Prototype.