NYCPHP Meetup

NYPHP.org

[nycphp-talk] <a href> vs. <form> request

max goldberg max at idsociety.com
Thu Apr 17 12:10:43 EDT 2003 

This is a fairly vague problem, so I'll give my suggestion to what I 
think you are trying to do.

On each non-local website do something similar to this:

<script type="text/javascript" 
src="http://example.com/offsite/link_creator.js">
<a href="#" onClick="return linkCreate();">Click Me</a>

(where example.com is your server)

On your server you would have link_creator.js be a PHP script that 
creates dynamic Javascript. This allows you to grab information such as 
the referrer, and the remote IP address, and any other information you 
could need. You could even make the JavaScript source append a get 
variable for that site like link_creator.js?site=www.remotesite.com

The PHP would create a one time use hash, depending on if
all of your security requirements have been met which then is inserted
into the temporary table along with the remote IP, referrer etc.

The dynamic JavaScript would then include a function (linkCreate) which 
just changes the browser's location to the link you have created.

This would cause some heavy traffic load, especially if all of the 
remote sites get a lot of traffic. This would allow you to make 
one-time-use hashes that would be required for a successful page load on 
your server.  Once the unique hash has been found in the query string, 
you just expire it on the database.

Not sure if that would help, but it may be relevant.

-Max


Jerry Kapron wrote:

> I'm trying to figure out how I can restrict people to using an <a href> link
> to send a request to a script.
> To be more specific I don't want them to send requests by submitting a form.
> In case they do the script would respond with '401 Unauthorized' header or
> something to that effect.  For a while I thought I had a solution.. by
> looking for an additional GET var which would reflect the presence of a
> 'Submit' button, but then I realized that a form may be easily submitted
> with JavaScript's submit() method == no additional GET vars.
> I know it may seem like I worry too much, but in this project security is
> *extremely* important.
> I hope someone comes up with some clever idea..  my brain needs a reboot to
> maintenance mode for a few hours..
> 
> cheers,
> Jerry
> 
> --
> 42.7% of all statistics are made up on the spot.
> 
> -----Original Message-----
> From: Jim Musil <jmusil at villagevoice.com>
> To: NYPHP Talk <talk at nyphp.org>
> Date: Wednesday, April 16, 2003 5:48 PM
> Subject: [nycphp-talk] Utf and latin 1
> 
> 
> 
>>Hi,
>>
>>I have two different character encodings on my page. Is there anyway to
>>convert utf-8 characters into latin1 characters via php?
>>
>>
>>--
>>James Musil
>>Senior Developer
>>Village Voice Media
>>36 Cooper Square
>>New York, NY  10003
>>(212) 475-3300 ext 14003
>>JMusil at villagevoice.com
>>
>>
>>
>>
>>
>>
> 
> 
> 
> 
> --- Unsubscribe at http://nyphp.org/list/ ---
> 
>

More information about the talk mailing list