Senior Coders
Auto Update?
It loads the content the first time but when i change the content then it doesnt load anymore. Im not sure why it doesnt.
Code:<html> <body> <p id="demo"></p> <script> setInterval(document.getElementById("demo").innerHTML='<?php echo file_get_contents("chat.txt") ?>',1000); </script> </body> </html>
global $Moderator;
Are you sure it doesn't load it on subsequent attempts?
(After all, you're reloading the same content, so it would not appear to change. If you're trying to read the file again, you would need to use an ajax request [or similar] to run the PHP script again.)
Senior Coders
I dont think I am. However, I may have to close to txt file. i think that may be the problem:
I know there are other things that can go wrong with this but im just checking something.Code:<?php $file_name = 'chat.txt'; if(isset($_POST['send'])){ if($_POST['message'] != NULL && $_POST['message'] != ''){ $current = '<div class="box"><div class="name">Something</div><div class="message">'.$_POST['message'].'</div></div>'; $current .= file_get_contents($file_name); file_put_contents($file_name, $current); } } ?> <html> <head> <link rel="stylesheet" href="main.css" /> </head> <body> <div id="chat_outer"> <div id="chat"> <iframe src="chat_info.php" frameborder="0" width="100%" height="100%"></iframe> </div> <div id="content"> <form action="chat.php" method="POST"> Message: <input type="text" name="message" autofocus="autofocus" autocomplete="off" /> <button type="submit" name="send" value="0">Send</button> </form> </div> </div> </body> </html>
It does change but lets say if i open two pages and do one of these the other doesnt change.
global $Moderator;
I know this isn't part of your original question, but this code is vulnerable to XSS attacks. Let me know if you would like me to explain.Originally Posted by Crazykld69
Right - that is as expected. Let me explain what I meant earlier:
This is a PHP script. When it runs, it gets the contents of your chat.txt file, as a string. The script's output will look something like this:PHP Code:<html>
<body>
<p id="demo"></p>
<script>
setInterval(document.getElementById("demo").innerHTML='<?php echo file_get_contents("chat.txt") ?>',1000);
</script>
</body>
</html>
Once it gets to the browser, the javascript will run, and add that string to yourHTML Code:<html> <body> <p id="demo"></p> <script> setInterval(document.getElementById("demo").innerHTML='<div class="box"><div class="name">Something</div><div class="message">Message #1</div></div> <div class="box"><div class="name">Something</div><div class="message">Message #2</div></div> <div class="box"><div class="name">Something</div><div class="message">Message #3</div></div> <div class="box"><div class="name">Something</div><div class="message">Message #4</div></div>',1000); </script> </body> </html>p#demo. However, there's no point in doing it again, since the contents of the paragraph will be replaced by the same string.
The "one page" (the page where you submit the new comment) is updated because it is reloaded after you submit the form.
- - - - -- - - - -- - - - -- - - - -- - - - -
If you used ajax instead, you could get the *current* version of the chat.txt file. For example:
consider, however, that if you have a significant number of users and a typical shared hosting setup, you could quickly shut your own site down with so frequent requests.Code:setInterval( function(){ var xmlhttp = window.XMLHttpRequest? new XMLHttpRequest(): new ActiveXObject( 'Microsoft.XMLHTTP' ); xmlhttp.onreadystatechange = function() { if (xmlhttp.readyState == 4 && xmlhttp.status == 200) { document.getElementById("demo").innerHTML = xmlhttp.responseText; } } xmlhttp.open("GET", "/path/to/chat.txt", true); xmlhttp.send(); } ,1000 );
Senior Coders
There wont be many people that actually know about the website xD So that wont be a problem. Also the length of the file would be a problem but ill prolly make it delete itself after a certain size.
For some weird reason i cant get your thing to actually load either. Ive tried that set up before and it work for some reason. It freezes then when i try inputting new data it doesnt want the do anything with the data. Unless i have to be on a server then that would explain it. Also, if you wanna explain XSS attacks to me that would be great but send it in a message since its not part of the OP.
Also i know one more thing i have to fix. If anyone tried to place html or another language in there i would have to remove it from the string. :3
Last edited by Deadweight; 09-28-2013 at 10:30 PM.
Global Moderator
Could I possibly request that the XSS attack information be posted here as its something that I think would be beneficial to other readers and it is in context of the thread.
If not, that's ok - could you copy me in too traq?
Focus on Function Web Design
Fast Edit (A flat file, PHP web page editor & CMS. Small, FREE, no database!) | Fast Edit BE (Snippet Manager) (Web content editor for multiple editable regions!) | Fast Apps
Senior Coders
Sure he can post it here if he would like.
global $Moderator;
No, ajax won't work without a webserver. Also, the webpage and the file you're trying to load must both be on the same domain.
The code I posted is slightly modified from another example - it should work, but I haven't tested it. I will test when I have a chance.
In where?
If you're talking about ajax, then yes, responses are treated as text by default. You need to explicitly "do something" with that text if you want it treated as HTML, Javascript, etc.. Libraries (like jQuery) can be helpful in that regard.
XSS (Cross-Site Scripting) is an attack where the attacker manages to put their own code onto your site, so it will be served to other users.
In your example, you are taking the message the user submitted (which you assume is simply text, but could contain HTML or even Javascript), writing it directly to a file on your server, and then showing it to anyone that later views the page. The fact that you're saving it to a file makes it especially dangerous: the attack will persist as long as that file is served.
Another risk (though less likely, but still possible depending on your server configuration) is if the attacker writes PHP code into their message. If the "chat" file is in a publicly accessible directory, and the server can be tricked into parsing it, the attacker can gain control of your entire site.
The solution is simple: never trust user input. Sanitize and validate everything that comes from the user.
There are two approaches:
1) Sanitize user input when you receive it. For example, usestrip_tagsto remove all HTML or PHP tags from the chat message.
2) Sanitize you output. Don't save HTML in the chat file - just the messages. Then, read the file and use something likehtmlentitiesto make sure the messages display as text, and insert the messages into a template before you serve them.
Just remember, everything that comes from the user should be treated as if it is either broken or malicious until proven otherwise. Even if you trust your users, never trust user input.
Deadweight (09-29-2013)
Senior Coders
Actually, about your XSS problem is something i was gonna fix when i was explaining about the html and php problems xD
Didnt know it was called XSS.
SO assuming Ajax is needed directly from a website i cant use xampp to host it like PHP?
-DW [Deadweight]
Resolving your thread: First Post: => EDIT => Lower right: => GO ADVANCED => Top Advance Editor drop down: => PREFIX:Resolved
global $Moderator;
xampp == apache server, yes.
BTW I tested my code example above; works fine.
Posting Permissions
Reply With Quote
Bookmarks