could someone please assist me, Im a newbie and haven't done this before.
I have an iPhone app which has a "cart" object. Once the user has made his selections, I want to send that info in an XML file to the server. I read that the iPhone libraries let you convert data into XML easily. But from what I understand the data has to be stored in an array or a dictionary. Is this true? For example, my "Cart" is an object that uses a array to store data internally but the "cart" itself has variables which are not stored in an array or dictionary.
Q) How can I convert the entire "cart" into something that can be transported as XML to my server?
Also, I am asking the customers to create a profile for each order but this will be done by Launching UIWebview directly on the web through an https connection. So no credit card info will be on the device.
Q) Whats the best way to link the profile on the web and the order which is on the device?
Could someone who has come across this issue please give me tips or links?
Thanks
Sending your data securely could be done with ssl.
Converting your cart to XML could be done with an XML Framework/lib, still you'll have to write the code for that. For example touchXML:
TouchXML is a lightweight replacement
for Cocoa's NSXML* cluster of classes.
It is based on the commonly available
Open Source libxml2 library.
Here is a nice tutorial.
Source has moved a bit, can be found here
To your second question: This is tricky and may get hacky. However if you don't want to switch to an API based way to login/create the account I'll have these ideas.
Check the "result" of webView with the UIWebViewDelegate protocol with the webViewDidFinishLoad: method. A "result" may be: successful creation of an account or successful login.
So you can access the body of the page with the NSURLRequest property of the webview. Or use something like this, using javascript:
NSString *html = [webView stringByEvaluatingJavaScriptFromString: #"document.body.innerHTML"];
You will have to do parsing though to look for something, for example a token which you can connect with the order for final checkout.
You also could have generated a unique order string on the device in the first place and sent it over initially for login/creation of profile to increase security a bit and pass it back for a check.
Part one: create a dictionary that represents the cart. For each variable, add a key with its variable name as the key, and the cart object's value for that variable as the object for that key.
Part two: that's a very open-ended question :-). That depends on how you identify the user at both ends; though of course that will depend on your security requirements. One option is to require your user logs in via the web site when they first launch the device, then store their user ID on the app on a particular device (preferably in a confidential fashion). Don't use that for any reason other than to track which user you think is at the device: authenticate again before each purchase, or other sensitive actions like viewing or changing account details. By the way depending on the way your ordering system works, you may prefer (or be required by Apple) to implement in-app purchase. That would actually take a lot of the complexity away from the problem, at the cost of Apple's 30% processing fee.
If you have specific questions about the security concerns of such a system, you would do well asking at security.stackexchange.com (I'm one of the pro tem moderators over there).
If you send an encrypted string to a URL like in the code below, then handle it in an ASPX page (.NET example) or you can use other languages on the server side. Then, for security, simply ignore anything that doesn't decrypt (basic encryption-decryption not shown)
NSMutableURLRequest *request = [[NSMutableURLRequest alloc] initWithURL:[NSURL
URLWithString:#"http://myzuresite.azurewebsites.net/test3.aspx?bigstring=dgrbthymgk"]];
[request setHTTPMethod:#"POST"];
[NSURLConnection connectionWithRequest:request delegate:self];}
Then, in the http://myazuresite.azurewebsites.net/test3.aspx page:
<%# Page Language="C#"%>
<html>
<head>
<title>Query Strings in ASP.NET: Page 2</title>
<script language="C#" runat="server">
</script>
</head>
<body>
<%
// retrieves query string values
string bigstring = Page.Request.QueryString["bigstring"];
System.Data.SqlClient.SqlConnection sqlConnection1 =
new System.Data.SqlClient.SqlConnection("Data Source=myazuresite.database.windows.net;Initial Catalog=db_name;Integrated Security=False;Persist Security info=False;User ID=your_id;Password=your_Password”);
System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand();
cmd.CommandType = System.Data.CommandType.Text;
cmd.CommandText = "INSERT Scores (col1) VALUES (' "+name+" ')";
cmd.Connection = sqlConnection1;
sqlConnection1.Open();
cmd.ExecuteNonQuery();
sqlConnection1.Close();
%>
</body>
</html>
I handle the decryption in an insert trigger in SQL Server, ignore bad URL's, and this is VERY secure. I use encryption that includes time in some way.
Related
Hi i know this is probably not the place to ask this but i m stumped at the moment as i cant seem to find any reference or docs relating to working with Roblox. I mean sure they have an auth route etc but nothing detailed. I want to login user using username and give them roblox based on different actions they take on the site like completing surveys etc. Can anyone please give me links to some resources that would come in handy for the particular purpose. Thank you.
Roblox does not support any OAuth systems, but you still can use HttpService:GetAsync() function to get strings/data from web site(if the page in website display that text), the way to keep data that you recieved from url(web page) safe is to store script with HttpService:GetAsync() function in server side(example: RobloxScriptService). You need to allow http requests in your GameSettings -> Security in roblox studio. Script example:
local HttpService = game:GetService("HttpService")
local stringg = HttpService:GetAsync("https://pastebin.com/raw/k7S6Ln9R")
print(string)
--Should outpud data written ot the web page, you can use any web page to store data even your own
The only two things that left is to make your web server rewrite the page, or just use some databases at your web site by placing their url into loadstring() function.
Now you just need to parse the string given by url to use it's data.
The pastebin url that i wrote into loadstring() just an example, you can write whatever you wan, but again you need to parse the data that you got from url, or just convert the string into type of text like on the page, and then just check is they written at url/webpage. Example:
local writtenpass = game.Players["anyplayer"].PlayerGui.TestGui.Frame.PasswordTextBox.text
local writtenlogin = game.Players["anyplayer"].PlayerGui.TestGui.Frame.LoginTextBox.text
local HttpService = game:GetService("HttpService")
local response = HttpService:GetAsync("https://pastebin.com/raw/k7S6Ln9R")
local istrue = string.find(response, "{ login = ".. writtenlogin .." pass = ".. writtenpass .." }")
print(istrue)
if istrue == 1 then
print("exist!")
--whatewer actions if login and pass exist
end
You can wiew the page here https://pastebin.com/raw/k7S6Ln9R
Well that a lot of damage!
If it helps mark me
Experience cloud vistor id is used. App, web are using same adobe launch library. When I login into app url change and mid changes and then if I navigate from app to web responsive page mid is changed and I am not seeing any cross-domain pathing report from app to web ?
anything do I need to do with s.cookiedomainperiod or anything to make this work?
The Experience Cloud Visitor ID is not automatically carried over from the native mobile app to a (mobile) web page. The long story short is native apps don't really store data locally in the same way as web browsers, so there's no automatic ability to use the same local storage mechanism/source between the two.
In order to do this, you must add some code to the mobile app to append the mid value to the target URL, e.g. :
Android
String urlString = "http://www.example.com/index.php";
String urlStringWithVisitorData = Visitor.appendToURL(urlString);
Intent browserIntent = new Intent(Intent.ACTION_VIEW, Uri.parse(urlStringWithVisitorData));
startActivity(browserIntent);
iOS
NSURL *url = [NSURL URLWithString:#”http://www.example.com/index.php"];
NSURL *urlWithVisitorData = [ADBMobile visitorAppendToURL:url];
[[UIApplication sharedApplication] openURL:urlWithVisitorData];
If implemented properly, you should now see a adobe_mc= parameter appended to the target URL. Then on page view of the target page, if you have the Adobe Analytics javascript and Experience Cloud Visitor ID libraries implemented, they will automatically look for and use that value instead of generate a new value (should not require any config / coding on this end).
Update:
#Ramaiyavraghvendra you made a comment:
Hi #Crayon, mny thanks for your profound answer. I am sorry that i
missed to inform that this app is not native one but this is a SPA
app. so the implementation of entire app is also done through launch.
Could you pl help in this case then.
I'm not entirely sure I understand your issue. If you are NOT moving from a native mobile app to web page, and your mobile app is really a web based SPA that outputs Launch as regular javascript code throughout the entire app, then you shouldn't have to do anything; the Experience Cloud ID service should carry over the id from page to page.
So it sounds to me like perhaps your Experience Cloud Visitor ID and/or Adobe Analytics collection server settings are not configured correctly. the cookie domain period variables may be an issue, if logging in involves moving from say www.mysite.com to www.mysite.co.uk or similar, but shouldn't be a problem if the TLD has the same # of periods.
Or, the trackingServer and trackingServerSecure variables may not be configured properly. In practice, I usually do not set trackingServerSecure at all. These variables get kind of confusing and IMO buggy in different scenarios vs. what you are using, so I tend to use the "secure" value in the trackingServer field and leave the trackingServerSecure blank, and then Experience Cloud Visitor ID and Adobe Analytics will just use the secure version 100% of the time.
Or..it could be a number of other config variables not properly set. It's hard to say if any of this is off, without access to the app and Launch container.
Also you may want to check the response headers for your logged in pages. It may be that they are configured to reject certain existing non-https cookies or something else that effectively causes the existing cookies to be unreadable and make the Experience Cloud ID service generate a new ID and cookies.
Or.. maybe your app kind of is a native mobile app but using an http wrapper to pull in web pages, so it is basically a web browser but it is effectively like moving from one web browser to another (e.g. starting on www.site.com/pageA on Chrome, and then copy/pasting that URL over to Internet Explorer to view). So effectively, different cookie jar.
Launch (or DTM) + Experience Cloud ID (Javascript methods)
In cases such as the last 2 paragraphs, you have to decorate your target links the same as my original answer, but using the Launch + Experience Cloud ID Service javascript syntax:
_satellite.getVisitorId().appendVisitorIDsTo('[your url here]');
You write some code to get the target URL of the link. Then run it through this code to return the url with the parameters added to them, and then you update your link with the new URL.
Super generic example that just updates all links on the page. In practice, you should only do this for relevant link(s) the visitor is redirected to.
var urls = document.querySelectorAll('a');
for (var i = 0, l = urls.length; i < l; i++) {
if (urls[i].href) {
urls[i].href = _satellite.getVisitorId().appendVisitorIDsTo(urls[i].href);
}
}
Before i start thinking about this programatically, does anyone know if it is possible to actually extract the correct url from an email link that is basically a tracking module?
Our work email system auto blocks tracking based urls from email, so i am thinking of writing something to extract the correct url so people can copy and paste the tracking link into a program and it will provide the correct url.
Is this even possible with the way that email tracking works?
Here is an example of a url in an email that i recently received:
http://t.dripemail2.com/c/eyJhY2NvdW50X2lkIjoiNTE0MTQ4NSIsImRlbGl2ZXJ5X2lkIjoiOTI0NzI2MTU0IiwidXJsIjoiaHR0cHM6Ly93d3cuYXhzaWVkLmNvbS9nY3NlLWNvbXB1dGVyLXNjaWVuY2Uvb2NyLW5lYS1ndWlkZS8_X19zPXphb2txcDVpaWN4NGkxZndtYmNnIn0
Our system blocks these. It eventually resolves to:
https://www.axsied.com/gcse-computer-science/ocr-nea-guide/?__s=zaokqp5iicx4i1fwmbcg
(got our network admin to check it for me)
I want a system that gets the right url from the ugly mess that is blocked so we can actually view links from emails.
Thanks in advance for any help.
The data in tracking URLs are typically a unique ID pointing to some entry in a database, or are encrypted with a private key, so there's no way to obtain any meaningful information from them. (see answers to this related question: Generate unique link for each website visitor)
More naive approaches will simply encode the data, in which case you may be able to extract useful information from them. Funnily enough, your example URL is a base 64 encoded JSON object containing the link itself:
{
"account_id": "5141485",
"delivery_id": "924726154",
"url": "https://www.axsied.com/gcse-computer-science/ocr-nea-guide/?__s=zaokqp5iicx4i1fwmbcg"
}
In this case you could actually resolve the URL on your own, but this type of approach is uncommon for that very reason.
In golang, is there a way to pipe a variable to part of a web form?
For example, sending "123 Random St." to the Street address part of https://www.dominos.com/en/pages/order/#/locations/search/ and so on? I found pizza_party*, but the GUI used is no longer available, I have also found pizzadash**, but this uses a credit card where I want to use cash. I even found a list of golang ones, but the links that they use doesn't work anymore.***
Therefore, my goal is so: order a pizza in golang through the dominos website API!
NOTE: Please suggest a package or function with example!
NOTE: I do not want to make a web scraper/data getter.
NOTE: Your answer must work on at least one box of my linked website.
NOTE: I want to fill out links similar to the provided link from the linux command line.
*https://github.com/coryarcangel/Pizza-Party-0.1.b
**https://github.com/bhberson/pizzadash
***https://golanglibs.com/top?q=pizza
This is how you post any form values onto an online form. Provided you know the POST endpoint of the service.
func main():
resp, err := http.PostForm(targetPostUrlHere,
url.Values{"Service_Type": {"Delivery"},
"Address_Type_Select": {"House"},
"Street": {"123 E 24th St"},
"Address_Line_2": {"4D"},
"City": {"New York"},
"Region": {"NY"},
"Postal_Code": {"10027"}})
}
**Note: The field keys and values are guesstimates. You must inspect the actual key names expected in the form.
In your case, https://www.dominos.com/en/pages/order/ is an endpoint for the form page. Once the form is filled and submitted, the information is submitted using POST method akin to the code afore-mentioned to a dedicated CREATE endpoint (C in the CRUD), which normally can be found in the <form> html tag.
<form action="posttargetendpoint" method="POST">...</form>
Once the POST operation is successful, usually a web service would redirect you to another page. In your case, it is https://www.dominos.com/en/pages/order/#/section/Food/category/AllEntrees/
However, any good web service wouldn't expose the POST endpoint in the clear since it is the vulnerable point of attack. You're welcome to find out by inspect he Domino's page source and adjust the field values in the Go code accordingly.
Now to make a command line prompt to wrap around the PostForm code, I suggest you look into https://github.com/codegangsta/cli which is a very nice package for creating quick command line app.
I assume you mean pipe information originating from your backend to another site on behalf of a user?
The standard way of passing information between domains is via HTTP params, usually via a GET request, but this capability would need to be supported by established protocols the remote site. You can also use an iframe to embed the page of another site onto your page, however, you wouldn't be able to remotely interact, call JS code, or even query the page at all. Cross-domain security safeguards justifiably prohibit such capability, and generally speaking, interacting on behalf of the user via their browser is also restricted for security reasons.
However, if you're looking to emulate user behavior such as with a bot or web scraper from your own host or browser then that's a different story. There are tons of frameworks provide rich capability for interacting with a page. I'd recommend checking out Selenium, which acts as a virtual browser. There are also tons of libraries in Python for processing data from HTML and structured data. You might want to check out Beatiful Soup and Scrapy.
Hope this helps.
I am currently building a Rails backend for an iphone app. The iphone accesses special controllers which returns JSON that the iphone app parses and displays appropriately. The Rails app does have an admin panel and is used to insert new data for the iphone app. That authentication is controlled by Devise. Outside of that, there is no need to have complex authentication since the iphone app does not require any user information to function.
Here is where I'm stuck. I've added a controller where the user can submit feedback from the app. That feedback will be stored in the Rail's database. In order to do this, I have turned off protect_from_forgery by using skip_before_filter :verify_authenticity_token, :only => [ :create ] for that controller method. But by doing this, I understand that this creates a security problem. I also understand that I must create custom protection (such as a token) as per this answer, and this answer. My web searching has only found how to do this using Devise or through Oauth, but as I mentioned, there is no user authentication for the iphone. All I want to do is gap this one security hole, unless I'm missing something. I'm having trouble finding any articles regarding this particular situation.
By default, Rails apps with :protect_from_forgery on include an authenticity token in the <meta> information about a page, like so:
<meta content="arBBP614zvMxug9+5ozHakrXhAaTNmQ9aBJ/Ehp3nl8=" name="csrf-token">
What you need to do is download a plain old html copy of your form, with :protect_from_forgery on, so this tag is generated. Then, once you have that HTML in a NSString* you can find the token like so:
NSArray* firstArray = [htmlString componentsSeparatedByString:#"\" name=\"csrf-token\">"];
NSArray* secondArray = [[firstArray objectAtIndex:0] componentsSeparatedByString:#"<meta content=\""];
NSString* authToken = [secondArray objectAtIndex:1];
Then you just need to send authToken as the X-CSRF-Token header field. These usually don't change very often, so you can probably keep a copy around for a while.
I ended up coming up with a token of my choosing. I setup the controller to check for the token using a before_filter. Then locking it all down with SSL.
before_filter :has_token?, only: :create
skip_before_filter :authenticate_user!, :verify_authenticity_token, only: :create
Here is the method I'm using to check for the token:
def has_token?
if request.request_parameters[:token] == "SECRET"
true
else
head :unauthorized
end
end
Then the token is hard coded into the iPhone app and passed with the parameters that it sends to the Rails backend. I know this means that I have to release new versions of the iPhone app if that token has to change, but this way I have more control over what is going on.