I have on my host a pages that i want to prevent access to theme except through XMLHttpRequest, so i have already tried this code on htaccess file but it doesn't work:
in this code the target page is: "localhost/page/table.php"
RewriteEngine On
RewriteCond %{HTTP:X-Requested-With} !=XMLHttpRequest
RewriteCond %{HTTP:X-REQUESTED-WITH} !^(XMLHttpRequest)$
in the rewriteRule i don't know what to write.
i have already trying to search in Prevent access to php files (folder) with .htaccess EXCEPT for XMLHttpRequest but that doesn't help enough.
EDIT
i have tried this code, the page table.php are not accessable but there is no XMLHttpRequest response:
javascript code :
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (xhttp.readyState == 4 && xhttp.status == 200) {
document.getElementById("contentp").innerHTML =
xhttp.responseText;
}
}
xhttp.open("GET", "table.php?doc=" + str1 + "&module=" + str2 , true);
xhttp.send();
htaccess code:
RewriteEngine On
RewriteCond %{HTTP:X-Requested-With} !=XMLHttpRequest
RewriteCond %{HTTP:X-REQUESTED-WITH} !^(XMLHttpRequest)$
RewriteRule table-view+.php$ - [L,F]
Related
I am trying to execute a PHP script on my server from a Chrome extension. Here is the ajax call:
data_array_ = JSON.stringify(data_array_);
//console.log("Connections array" + data_array_);
var file_address = "https://my.server/add_on_php_files/update_database.php";
var xhttp_request = new XMLHttpRequest();
xhttp_request.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
var response = this.responseText;
console.log(response);
};
};
xhttp_request.open("POST", file_address, true);
xhttp_request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhttp_request.send("data_array=" + data_array_);
This is the PHP code:
<?php
session_start();
include_once 'database.php';
$data_array = $_REQUEST["data_array"];
$data_array_entry = json_decode($data_array, true);
$statement_to_call = "INSERT INTO contacts (name, phone) VALUES ";
$length = count($data_array_entry);
$index = 0;
foreach($data_array_entry as $single_data) {
$statement_to_call .= "('".$single_data['name']."','".$single_data['phone']."')";
if(++$index != $length){
$statement_to_call .= ", ";
} else {
$statement_to_call .= ";";
}
};
$sql = mysqli_query($connect, $statement_to_call);
echo $statement_to_call;
?>
Unfortunately, when I execute this call without the developer tools open, the script ends up executing a second time, putting additional data into my database (I looked at the server logs and saw that the script executed twice). If I execute the call with the developer tools open, the call only executes once and the network panel and database both show the expected results. Obviously, I cannot expect a user to keep the developer tools open all the time, so this is a problem that I need to solve. Stepping through the Javascript step by step also fails to show me the problem because it also executes with no problems. If the problem occurs when I use it normally but does not occur when I attempt to debug, how can I find the reason why the PHP is executed additional times?
I looked at php run once and insert twice in mysql database and saw that people recommended editing the .htaccess to prevent the second call to the PHP file, but when I tried to implement the solution, all of the files on the website became 404'd.
.htaccess code:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?path=$1 [QSA,L,NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?my\.server/ [NC]
RewriteRule .*\.(js|css)$ - [NC,F,L]
.htaccess code with attempted .htaccess solution:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !favicon.ico
RewriteRule .* index.php [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?path=$1 [QSA,L,NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?my\.server/ [NC]
RewriteRule .*\.(js|css)$ - [NC,F,L]
The process is triggered by clicking this button:
<button class="screen_button" id="add_data">Add data</button>
A click event listener was added to the button on startup, thus the button triggers a process that passes a message to the content script and receives a message back that leads to:
function get_array_data (contact_array_) {
//create data to insert
var data_array_ = [];
data_array_.push({name: name_1, phone: phone_1});//data retrieved from the content script and passed in through the contact_array_ parameter
data_array_.push({name: name_2, phone: phone_2});
//so on so forth
ajax_call(data_array_);//refer to top of post for the ajax code
}
The data is created and sent to the request correctly, and the console.log statement in the ajax callback outputs what I expect it to, and just once. Therefore, I am led to believe that something is causing the PHP file to execute again, independent of the ajax call. The extra PHP file execution doesn't come back and give another console.log.
After additional investigating, I found that the problem seems to start occurring after a specific item in the chrome.storage gets set. I set the variable in chrome storage so I can use it to determine whether to have my content script respond to double-clicking.
The code that toggles the setting (setting is uninitialized until this is called the first time):
function toggle_setting () {
chrome.storage.sync.get(["setting"], function(result){
var setting = result.setting;
if (setting == "on"){
chrome.storage.sync.set({"setting": "off"});
}else{
chrome.storage.sync.set({"setting": "on"});
}
});
}
The content script code:
document.addEventListener("dblclick", function() {
chrome.storage.sync.get(['setting'], function(result){
if (result.setting == "on") {
chrome.runtime.sendMessage({info: "click", data: contact_data_});
}
}
}
chrome.runtime.onMessage.addListener(
function(request, sender, sendResponse){
if(request.message === "get_contacts"){
chrome.runtime.sendMessage({info: "contacts", data: contact_data_});
}
//other conditions, etc.
}
);
And the code that listens for the sent messages in the extension environment:
chrome.runtime.onMessage.addListener(
function(message, sender, sendResponse){
if(message.info == "click"){
get_array_data(message.data);
}else if(message.info == "contacts"){
get_array_data(message.data);
}
}
);
I have a webpage that I would like to redirect to a specific link if the user is coming from http://
<script language="JavaScript">
var loc = window.location.href+'';
if (loc.indexOf('http://')==0){
window.location.href = loc.replace('http://','https://secure.example.com/app');
}
</script>
If the user comes from http://example.com/app or any http:// I would like to redirect it to that exact link.
When I run this JavaScript it is taking https://secure.example.com/app and adding domain.com/app like below
https://secure.example.com/appexample.com/app
Any help with this would be greatly appreciated.
I also tried the meta tag thing
<meta http-equiv="refresh" content="2;url=https://secure.example.com/app" />
But its just keeps refreshing and doesnt feel right with the hesitation page change.
<script language="JavaScript">
var loc = window.location.href+'';
if (loc.indexOf('http://www.')==0){
window.location.href = loc.replace('http://www.','https://secure.');
}
else if (loc.indexOf('http://')==0) {
window.location.href = loc.replace('http://','https://secure.');
}
</script>
It was doing what you describe because you were replacing http:// with https://secure.example.com/app so of course everything that was after http:// will still be there afterwards.
I would recommend simply replacing http:// with https://secure. when there's no www.
To additionally cover cases where there is a www, you can simply replace www. with nothing:
//var loc = window.location.href;
var loc = 'http://www.example.com/app';
console.log(loc);
loc = loc.replace('www.', '');
loc = loc.replace('http://', 'https://secure.');
console.log(loc);
Add this to your server configuration file instead of doing it in html
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
301 REDIRECT should be the better way to do it
for an javascript approach(es6). not the recommended way because browser redirect is not always reliable
return location.protocol != 'https:' ? location.protocol = "https:"
: {do nothing logic}
Description: I have a HTML page which onloading triggers Ajax call. In this Ajax call I'm passing in the ids(which is the same as image name which are placed on server) .Each id sent via ajax function to the php script which then fetches the image convert it to base64 and returns it back to ajax call. On success this Javascript function writes base64 string to(href="base64") the corresponding id it came from.
Problem: Now all of this is working fine on localhost with directives in .htaccess file but just when I placed it on my hosting server the HTML page is making the ajax call to PHP script but the PHP script is not returning the base64 string as on localhost but is returning the markups of Index.html. In my .htaccess file on server I have condition that "# Redirect all requests to index.html" (but that's only to avoid any unwanted requests from user).
Checks performed: 1) case sensitivity of names.
2)Have placed the files in correct directory locations.
3)Compared the requests(using Developers tool,Network tab) that's made on localhost with the one on hosting server and both are same with 'Status 200' (their content 'base64string' and 'markups of index.html' respectively).
HTML
JavaScript
<script type="text/javascript">
$('.example-image-link').each(function() {
var id = $(this).attr("id");
var data = id;
$.ajax({
type: "POST",
url: 'http://mysite.in/home/myname/public_html/image_extract.php',
async: true,
data: {post: data},
success: function(data) {
var x = "data:image/jpeg;base64,";
var y = data;
z = x + y;
document.getElementById(id).href= z;
return false;
}
});
});
</script>
image_extract.php
$q = $_POST['post'];
$main = explode("_", $q);
if($main[0] == "travel")
{
$dir = "images/travel_pics/".$q.".jpg";
$image = file_get_contents($dir);
$imdata = base64_encode($image);
if ($imdata !== false) {
echo $imdata;
}
else {
echo 'An error occurred.';
}
}
.HTACCESS
# Allows ModRewrite to work
Options FollowSymLinks
# Turn on rewrite engine
RewriteEngine On
RewriteBase /
# Redirect all requests to index
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.html
IndexIgnore *
RewriteCond %{HTTP_REFERER} !^http://mysite.in/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mysite.in$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.in/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.in$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]
Why am I not receiving base64 string from php script on hosting server(Godd*dy)? Thanks in advance. :)
.htaccess looks fine, JS also - it seems like the php file image_extract does not exist.
You are using path http://mysite.in/home/myname/public_html/image_extract.php
try http://mysite.in/image_extract.php instead because /home/myname/public_html is your document root (i suppose).
So I am trying to create a search in my website and I need to encode some text so it is URL friendly. However, if I search anything with a "<" symbol I get HTTP error 403 (access forbidden) because the "<" is not being encoded.
This is the code I am using:
var search = $("#txtHomeSearch").val();
if(search != ""){
var urlSearch = encodeURIComponent(search);
window.location.href = "/search&s=" + urlSearch;
}
Example of a working url: http://website.com/search&s=helloword
Example of a broken url : http://website.com/search&s=<
Maybe the problem is with my .htaccess file which contains:
RewriteEngine on
RewriteRule ^([^.*]+)$ index.php?page=$1 [L]
ErrorDocument 404 /errorPages/404.php
There is a simple utility here: http://www.the-art-of-web.com/javascript/escape for verifying the operation of the various Javascript escaping functions. Accoring to the ECMA standard, and verified using that tool, the "<" should be escaped correctly by the encodeURIComponent() function.
Could it be a character other than "<" causing the problem? There are various remedies for the characters that encodeURIComponent misses. One is the url_encode function listed here and elsewhere: javascript window.location do I need to escape?
Try escaping your back reference using [B] flag.
RewriteEngine on
RewriteRule ^([^.*]+)$ index.php?page=$1 [B,L]
ErrorDocument 404 /errorPages/404.php
I'm trying to replace the subdomain name from "news.domain.com/path/.." to "mobile.domain.com/path/..", using JavaScript
Any idea how to achieve this?
I'm assuming that you want to change a string in the generic format xxxx.domain.com/... into mobile.domain.com/.... This regexp should do it in JavaScript:
var oldPath = "news.domain.com/path/";
var newPath = oldPath.replace(/^[^.]*/, 'mobile')
This should work in normal cases:
"http://news.domain.com/path/..".replace(/(:\/\/\w+\.)/, "://mobile.")
Use following to add an extra level of validation:
function replaceSubdomain(url, toSubdomain) {
const replace = "://" + toSubdomain + ".";
// Prepend http://
if (!/^\w*:\/\//.test(url)) {
url = "http://" + url;
}
// Check if we got a subdomain in url
if (url.match(/\.\w*\b/g).length > 1) {
return url.replace(/(:\/\/\w+\.)/, replace)
}
return url.replace(/:\/\/(\w*\.)/, `${replace}$1`)
}
console.log(replaceSubdomain("example.com", "mobile"));
console.log(replaceSubdomain("http://example.com:4000", "mobile"));
console.log(replaceSubdomain("www.example.com:4000", "mobile"));
console.log(replaceSubdomain("https://www.example.com", "mobile"));
console.log(replaceSubdomain("sub.example.com", "mobile"));
If you want to send user to new url via JS - use document.location = "mobile.domain.com/path/..".
In reference to FixMaker's comment on his answer:
window.location.href will give you a fully qualified URL (e.g. http://news.domain.com/path). You'll need to take into account the http:// prefix when running the above code
A suitable regular expression to handle the request scheme (http/https) is as follows:
function replaceSubdomain(url, subdomain){
return url.replace(/^(https?:\/\/)(www\.)?([^.])*/, `$1$2${subdomain}`);
}
let url1 = 'https://sub-bar.main.com';
let url2 = 'https://www.sub-bar.main.com';
console.log(replaceSubdomain(url1, 'foobar'));
console.log(replaceSubdomain(url2, 'foobar'));
You cannot replace a subdomain. You can redirect using javascript.
<script type="text/javascript">
<!--
window.location = "http://mobile.domain.com/path/to/file.html"
//-->
</script>
I tried using java script but no luck and for my case i use the below code in .httaccess file
RewriteCond %{HTTP_USER_AGENT} "iphone|ipod|android" [NC]
RewriteCond %{HTTP_HOST} !^mobile.domain.com
RewriteRule ^(.*)$ http://mobile.domain.com/ [L,R=302]
it will replace "news" sub domain to "mobile" sub domain. hope it will help any one.