abcv
If i click this it's showing complete address. Problem is the path is shared and anyone can hack this path. Is there any way to not to show this entire path and only show abc.jpg in browser.
You may use following approaches
Store the images in the database and use HttpHandler to retrieve and display them.
As additional precaution you may pass current DateTime as encrypted url parameter to verify whether it is a fresh request within a specific time period say 10 minutes. You may refer this article for reference to HttpModule implementation
display-images-from-database-in-gridview-in-aspnet-using-handler-ashx-file-in-csharp-vbnet
As another approach you may implement the concept of Temporary URLs as described here Generating Temporary Download URLs
No. The complete path has to be shown so that browsers can retrieve the file.
You could implement a custom HTTP Handler or asp.net page that takes the name of the file in the query string and returns the contents of the file, perhaps even using a unique id (number, guid, etc,...) to map to each file to stop people "guessing" what other valid filenames may be. So, you'd have:
http://ipaddress/RetrieveUploadFile.aspx?fileid=36281
instead of
http://ipaddress/uplodfiles/2/abc.jpg
No, you don't want to "hide URL"; the whole notion would not make any sense, because all HTTP requests go with some URL. What you want is called URL rewriting:
Please refer this and this links
Related
I would like to rewrite an URL purely using Yii2, without relying on a webserver (nginx/apache).
Example. I would like to "rewrite" a url such as [POST|PUT|GET] /v2/book/author into [POST|PUT|GET] /v2/document/author.
My first idea was to use UrlManager's $rules, but those are not really rewriting the URLs, they map URLs into routes, so as soon as the first one matches, the chain terminates.
URL rewriting needs to happen before UrlManager even begins processing the routes.
My second idea was to create a custom UrlNormalizer which simply substitutes the incoming URLs. This sounds better, but I don't know if it will work.
What is the right way to do this?
Urls are automatically created by Yii if you don't specify it.
By default <module>/<controller>/<action>/<param>
If you have a problem, where you would have to refactor the whole code for an url change, then yes, UrlManager it is. Url::to() uses your url config to adjust your <controller>/<action> identifier into an actual url. If you hardcoded the urls then you have to change the urls manually.
But you should be able to create to create a matching pattern to catch v2/book/author
I tried this in my code, and it worked:
So this should work as well
I'm currently creating pdf documents server side with wkhtmlpdf and nodejs. The client side sends the html to be rendered (which may include img tags with a source). When the user is previewing the html in the browser the images they uploaded to their account show fine because the user is authenticated via the browser and the node route can simply look up the image based on the user id (saved to session) and image id (passed in each image request).
The issue is when the images are attempting to be rendered in wkhtmltopdf webkit the renderer is not authenticated when it makes the request for images via node's exec of wkhtmltopdf in a separate process. A request to something like GET /user/images/<imageId> will fail due to the session not being set when the request is made inside the headless wkhtmltopdf renderer.
Is there a way to pass authentication via some wkhtmltopdf option or possibly a different way of authentication for images? The only restriction is not making images public.
I asked a similar question a while back that might help you:
Generate PDF Behind Authentication Wall
WKHTMLTOPDF has --cookie-jar which should get you what you need. Note that it didn't for me, and I wound up answering my own question with an alternate solution. In a nutshell, I wound up accessing the page via CURL - much more flexible - then writing a temporary that I converted to PDF, then deleted the temporary file.
A little round-a-bout, but it got the job done.
To implement authentication I allowed a cookie id flag ( with connect the key defaults to connect.sid ) as a query option in my image routes. The only "gotcha" is since images are requested from the server's perspective, you must ensure all your image paths are absolute domain paths rather than relative to your application ( unless those two are the same of course).
Steps for Expressjs:
Setup the id flag middleware which checks for say sid in the query via req.query (eg ?id=abc123 where abc123 is the req.cookies['connect.sid'], or req.signedCookies['connect.sid'] if your using a secret as you probably should )You may need to ensure the query middleware is setup first.
Ensure the req.headers contains this session id key and value prior to the cookie parser so the session is properly setup (eg if a cookie exists append a new one or if one does add it as the first req.headers.cookie = 'connect.sid=abc123;')
Ensure all image paths contain the full url (eg https://www.yourdomain.com/images/imageId?id=abc123)
Some extra tid bits: The image source replacement should probably happen at the server level to ensure the user does not copy/paste the image url with the session id and say email it to a friend which obviously leaves the door open for account hijacking.
How exactly does one do something like create a unique URL.
Like how facebook does it facebook.com/mynamehere
One way would be to create multiple folders each time we have a new user..but that doesn't seem to be the best approach
You can try a program like Elgg if you are trying to build a social media site. Otherwise, a person's profile can be custom in a couple of ways. Most of them mentioned. You, as mentioned, can use .htaccess for rewrites. You can use an automated custom url plugin (this may help: How to generate a custom URL from a html input?). Similarly, you can use the previously mentioned Elgg for social media, and but also as a last resort can use your folder method, but only if absolutely required.
I think the question is: how is it done technically, so we don't need to have physical file for every valid URL?
The answer is URL rewriting. In case of Apache server, you want to enable mod_rewrite and configure it to translate particular URL pattern (like myfbclone.com/mynamehere to myfbclone.com/index.php?username=mynamehere). This way you need to have one script file that handles all the URLs accordingly.
Different servers have different means of rewriting URLs, like Nginx or IIS, so the exact way of configuration depends on your server, but the concept is usually the same.
Is there a way to specify (in the cache manifest file) that all the resources included in the html page are to be cached?
I'm building a dynamic web app and want to give the user the ability to view the app while offline. Therefore I need all the images (for which the source is set from file names stored in the database according to the query string provided in the request) in the page cached. Basically what I need is something like * which can be used in the NETWORK and FALLBACK sections.
If there is no such way to specify this in the manifest file, what is the best approach to solve this? For example, making the manifest itself dynamic and including the resources based on a query string passed to that might work, but it involves getting the list of resources from the db again.
Any help is greatly appreciated!
You can't use a wildcard in the CACHE section.
The approach you described seems practicable. But why retrieving the resources from DB again? once you've fetched them all, give them to a listener which does the generation, or store them in a session attribute where you can fetch them to generate the manifest.
I have a db with a buch of urls. The values were entered by users, so it might be something like www.domain.com or http://www.domain.com or stackoverflow.com or https://something.com
I'm retrieving that data and creating links in a html page so people can click and be redirected to that url.
If i get the url from the page , i'll have either:
1.<a href="www.domain.com">
or
2.<a href="http://www.domain.com">
in the second case it works, but the first it doesn't.
Is there a way to make it always work?
thanks!
The www. bit is not special at all, people rely on an automatic correction feature of most browsers to prepend it if the host does not exist. To replicate this, you need to run a program that attempts to resolve each of the host names in your database, and retries with an extra www. if that fails.
The http:// bit is easy: if it is missing, add it.
There are two ways to handle this situation:
First, validate the user input. At the time a URL is submitted, validate it (preferably on the client side via Javascript) to ensure it has the required elements.
Second, in your code, you can use a regular expression or even simple pattern matching to ensure that the string starts with 'http://' or 'https://', and prepend it as needed.
The implementation details vary from language to language, but the concept is the same.