
Auto Update?



Deadweight
09-27-2013, 10:20 PM
It loads the content the first time, but when I change the content it doesn't load anymore. I'm not sure why it doesn't.


<html>
<body>
<p id="demo"></p>

<script>
setInterval(document.getElementById("demo").innerHTML='<?php echo file_get_contents("chat.txt") ?>',1000);
</script>
</body>
</html>

traq
09-27-2013, 11:16 PM
Are you sure it doesn't load it on subsequent attempts?

(After all, you're reloading the same content, so it would not appear to change. If you're trying to read the file again, you would need to use an ajax request [or similar] to run the PHP script again.)

Deadweight
09-27-2013, 11:44 PM
I don't think I am. However, I may have to close the txt file. I think that may be the problem:


<?php

$file_name = 'chat.txt';

if(isset($_POST['send'])){
    if($_POST['message'] != NULL && $_POST['message'] != ''){
        $current = '<div class="box"><div class="name">Something</div><div class="message">'.$_POST['message'].'</div></div>';
        $current .= file_get_contents($file_name);
        file_put_contents($file_name, $current);
    }
}

?>

<html>
<head>
<link rel="stylesheet" href="main.css" />



</head>
<body>

<div id="chat_outer">

<div id="chat">

<iframe src="chat_info.php" frameborder="0" width="100%" height="100%"></iframe>

</div>
<div id="content">
<form action="chat.php" method="POST">
Message: <input type="text" name="message" autofocus="autofocus" autocomplete="off" />
<button type="submit" name="send" value="0">Send</button>
</form>
</div>

</div>

</body>
</html>

I know there are other things that can go wrong with this, but I'm just checking something.

It does change, but let's say if I open two pages and do one of these, the other doesn't change.

traq
09-28-2013, 01:33 AM
I don't think I am. However, I may have to close the txt file. I think that may be the problem:

<?php

$file_name = 'chat.txt';

if(isset($_POST['send'])){
    if($_POST['message'] != NULL && $_POST['message'] != ''){
        $current = '<div class="box"><div class="name">Something</div><div class="message">'.$_POST['message'].'</div></div>';
        $current .= file_get_contents($file_name);
        file_put_contents($file_name, $current);
    }
}
I know this isn't part of your original question, but this code is vulnerable to XSS attacks. Let me know if you would like me to explain.


It does change, but let's say if I open two pages and do one of these, the other doesn't change.
Right - that is as expected. Let me explain what I meant earlier:


<html>
<body>
<p id="demo"></p>

<script>
setInterval(document.getElementById("demo").innerHTML='<?php echo file_get_contents("chat.txt") ?>',1000);
</script>
</body>
</html>
This is a PHP script. When it runs, it gets the contents of your chat.txt file, as a string. The script's output will look something like this:

<html>
<body>
<p id="demo"></p>

<script>
setInterval(document.getElementById("demo").innerHTML='<div class="box"><div class="name">Something</div><div class="message">Message #1</div></div>
<div class="box"><div class="name">Something</div><div class="message">Message #2</div></div>
<div class="box"><div class="name">Something</div><div class="message">Message #3</div></div>
<div class="box"><div class="name">Something</div><div class="message">Message #4</div></div>',1000);
</script>
</body>
</html>

Once it gets to the browser, the JavaScript will run, and add that string to your p#demo. However, there's no point in doing it again, since the contents of the paragraph will be replaced by the same string.

The "one page" (the page where you submit the new comment) is updated because it is reloaded after you submit the form.

- - - - -- - - - -- - - - -- - - - -- - - - -

If you used ajax instead, you could get the *current* version of the chat.txt file. For example:

setInterval(
    function(){
        var xmlhttp = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject( 'Microsoft.XMLHTTP' );
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                document.getElementById("demo").innerHTML = xmlhttp.responseText;
            }
        };
        xmlhttp.open("GET", "/path/to/chat.txt", true);
        xmlhttp.send();
    },
    1000
);

Consider, however, that if you have a significant number of users and a typical shared hosting setup, you could quickly shut your own site down with such frequent requests.

Deadweight
09-28-2013, 06:08 AM
There won't be many people that actually know about the website xD So that won't be a problem. Also the length of the file would be a problem, but I'll probably make it delete itself after a certain size.
For some weird reason I can't get your thing to actually load either. I've tried that setup before and it worked for some reason. It freezes, then when I try inputting new data it doesn't want to do anything with the data. Unless I have to be on a server, then that would explain it. Also, if you wanna explain XSS attacks to me that would be great, but send it in a message since it's not part of the OP.

Also I know one more thing I have to fix. If anyone tried to place HTML or another language in there I would have to remove it from the string. :3

Beverleyh
09-28-2013, 07:38 AM
Could I possibly request that the XSS attack information be posted here, as it's something that I think would be beneficial to other readers and it is in the context of the thread.

If not, that's ok - could you copy me in too traq?

Deadweight
09-28-2013, 10:23 PM
Sure he can post it here if he would like.

traq
09-29-2013, 02:55 AM
For some weird reason I can't get your thing to actually load either. I've tried that setup before and it worked for some reason. It freezes, then when I try inputting new data it doesn't want to do anything with the data. Unless I have to be on a server, then that would explain it.
No, ajax won't work without a webserver. Also, the webpage and the file you're trying to load must both be on the same domain.

The code I posted is slightly modified from another example - it should work, but I haven't tested it. I will test when I have a chance.


Also I know one more thing I have to fix. If anyone tried to place HTML or another language in there I would have to remove it from the string. :3
In where?

If you're talking about ajax, then yes, responses are treated as text by default. You need to explicitly "do something" with that text if you want it treated as HTML, JavaScript, etc. Libraries (like jQuery) can be helpful in that regard.


Also, if you wanna explain XSS attacks to me that would be great
XSS (Cross-Site Scripting (http://wikipedia.org/wiki/Cross-site_scripting)) is an attack where the attacker manages to put their own code onto your site, so it will be served to other users.

In your example, you are taking the message the user submitted (which you assume is simply text, but could contain HTML or even Javascript), writing it directly to a file on your server, and then showing it to anyone that later views the page. The fact that you're saving it to a file makes it especially dangerous: the attack will persist as long as that file is served.

Another risk (though less likely, but still possible depending on your server configuration) is if the attacker writes PHP code into their message. If the "chat" file is in a publicly accessible directory, and the server can be tricked into parsing it, the attacker can gain control of your entire site.

The solution is simple: never trust user input. Sanitize and validate everything that comes from the user.

There are two approaches:

1) Sanitize user input when you receive it. For example, use strip_tags (http://php.net/strip_tags) to remove all HTML or PHP tags from the chat message.

2) Sanitize your output. Don't save HTML in the chat file - just the messages. Then, read the file and use something like htmlentities (http://php.net/htmlentities) to make sure the messages display as text, and insert the messages into a template before you serve them.

Just remember, everything that comes from the user should be treated as if it is either broken or malicious until proven otherwise. Even if you trust your users, never trust user input.
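Added example (not code from the thread): one way to implement the second approach, "sanitize your output". It assumes the thread's chat.txt file name and form field names, stores one JSON-encoded message per line instead of HTML, escapes with htmlspecialchars() at render time, and uses an append-only write so two open pages cannot overwrite each other's messages; the size limits are illustrative choices.

```php
<?php
// Assumption: same file name as in the thread. The JSON-per-line format and
// the 500-character / 200-line limits are choices made for this example.
$file_name = 'chat.txt';

// chat.php side: keep only the raw text the user typed, never markup.
function store_message(string $file, string $message, int $max_len = 500): bool {
    $message = trim($message);
    if ($message === '' || strlen($message) > $max_len) {
        return false;                       // reject empty or oversized input
    }
    // One JSON object per line. FILE_APPEND|LOCK_EX avoids the
    // read-modify-write race that file_get_contents + file_put_contents has
    // when two pages submit at the same time.
    $line = json_encode(['name' => 'Something', 'message' => $message]) . "\n";
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// chat_info.php side: read the raw lines and render them as text inside the template.
function render_messages(string $file, int $max_lines = 200): string {
    if (!is_file($file)) {
        return '';
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    $lines = array_slice(array_reverse($lines), 0, $max_lines);   // newest first, capped
    $html  = '';
    foreach ($lines as $line) {
        $row = json_decode($line, true);
        if (!is_array($row) || !isset($row['message'])) {
            continue;                       // skip a corrupt line rather than echo it
        }
        // Escaping happens at output time: a stored "<script>" is emitted as
        // "&lt;script&gt;" and the browser shows it as literal text.
        $name = htmlspecialchars((string) ($row['name'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $msg  = htmlspecialchars((string) $row['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<div class="box"><div class="name">' . $name . '</div>'
               . '<div class="message">' . $msg . '</div></div>' . "\n";
    }
    return $html;
}

// Matches the thread's form: <button name="send"> and <input name="message">.
if (isset($_POST['send'], $_POST['message'])) {
    store_message($file_name, (string) $_POST['message']);
}
echo render_messages($file_name);
```

Because the file never contains markup, the same rendered output can be served to the ajax poller from the earlier post without further processing.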

Deadweight
09-29-2013, 05:33 AM
Actually, your XSS problem is something I was gonna fix when I was explaining about the HTML and PHP problems xD
Didn't know it was called XSS.

So assuming Ajax is needed directly from a website, I can't use xampp to host it like PHP?

traq
09-29-2013, 06:54 AM
xampp == apache server, yes.

BTW I tested my code example above; works fine.