I am running a website based on php on a server run by a large host. My goal is very simple. Include link on my site to google search where I dynamically give the search term.
Starting with the url that appears in the address bar, I've narrowed the syntax down to
http://www.google.com/search?q=test
This works when I type it into the address bar. However, when I launch from the server, it redirects to:
www.google.com/webhp...lots of characters
There are references on the web to webhp being related to a virus but I'm pretty sure my host does not have any viruses on its servers.
Does anyone know proper way to launch simple google search from a link? Is a straight link forbidden? I am Willing to use JS to push link to client if necessary (which I use for google maps at Google's recommendation due to usage limits) but want to keep things as simple as possible. This link is just to save people a few clicks.
Thanks for any suggestions.
Simply use the urlencode Method
<?php
echo '<a href="http://www.google.com/search?q=', urlencode($userinput), '">';
?>
If you wish to do it with Javascript the answer is here: Encode URL in JavaScript?
Try to track down the "Url Rewriting", I think its a virus you need to remove: http://www.ehow.com/how_8728291_rid-webhp.html
WebHP is a computer virus that automatically sets your homepage to a
fake Google site, known as Google.com/WebHP. This virus will also
randomly open windows or tabs to load this website, as well as
generate pop-ups and fake errors. Also installed with this virus is a
rootkit which can disable your PC's firewall and other methods of
security. If left untreated, the WebHP virus allows hackers to
remotely access your computer and steal personal information, such as
credit card numbers and email passwords.
Related
New to Web site dev, though have done a lot of coding of other sorts in the past, just set up a personal blog for my own amusement on bluehost using wordpress and have it installed locally for dev.
I have a training log on another site which anyone can open read-only to view training stats with a URL of the form below, this works fine in a browser:
https://www.othersite.com/logs/1234xyz/authenticate?password=thisismypassword
What I have tried to do unsuccessfully is have this open in a frame on one of my web pages (used iframe/object in html). It seems impossible to do this as the authentication string is not passed across, and the screen displayed prompts for manual input of the password. Can I open this automatically in some way?
If I understood well, your solution is insecure regardless it works or not. In this way your clients can see the password of your (or another) site.
I suggest to query the external content using custom php code and display (print) it on your page.
There are several ways to get content of an external page:
https://www.php.net/manual/en/function.stream-context-create.php
https://www.php.net/manual/en/function.curl-init.php
If you need a tutorial for WP plugins check this out:
https://www.wpbeginner.com/wp-tutorials/how-to-create-a-wordpress-plugin/
I was wondering if it's possible to capture a screenshot and/or record my computer screen(s) via a website?
If it is possible, what languages would I need to learn/code? I already have intermediate knowledge of HTML, CSS, JavaScript, jQuery, and PHP.
In other words: I want to have the ability to capture/record my screen (not the website) via using a website (not an application).
Thanks!
This is not possible. Web sites are very deliberately given only restricted access to your computer for security reasons. Imagine the havoc that could result if a malicious web site were able to see and capture what was on your screen--banking information, your confidential e-mails, etc. Even if the user had to give permission for this level of access, it would still be way too easy to trick a user into giving that permission.
The closest I could find/think of was http://www.screencast-o-matic.com/screen_recorder, but even then you have to download a launch plugin. I agree with #DLH. This is for your protection.
My favorite screen recorder is ScreenPresso - it is always running in background, and repurposed the PrtScn button as its launch key.
I am working on a website related to physically/psychologically abused person.
There is an emergency exit button available all time so the user can click on it before the "aggressive" person enter the room where the computer is located.
When the user click on the emergency button, the user is automatically redirected to Google with a query like "cooking apple pie" (this is an example).
Also, we would like to hide our website from the browser history in case the aggressive person check the history of the abused person. I think this cannot be done technically.
At least, can we generate fake browsing history to justify to the aggressive person the time that the user was on our website?
I tried multiple things to simulate a "browsing" like using an iframe or an ajax query to another website but none populate the browser history.
Is this can be done?
Thank you for your input!
I think you may be focusing too much on the browser and computer that you do not control and not enough on the content and the server that you do control. How about taking a different approach? Why not generate the pages for the user on the fly? The links are only good once. If you click on the home button (your escape key) and the aggressive person looks in the history the attempt to access them a second time could be made to display the weather or lottery results or something innocuous, Focus on what you have control over.
Useful Technical Details
Removing/Preventing Back Button Click History
You can allow the user to browse throughout a webpage without building up a history trail on the back button by having them click exclusively on javascript: links. This would still not remove any of the visited websites from their full browser history, so it's not a full solution.
Here's an example HTML JavaScript link:
CLICK HERE TO ESCAPE!
If this is acceptable, you could build an inoffensive homepage from which the user could access the site that would use JavaScript to send them to the real website. Every link on that new website would have to be a javascript link. Disadvantages of this would be that they would no longer be able to use the back button to navigate and that JavaScript is 100% required for the site to function.
Sanitized History
Make sure you have inoffensive titles and icons for any pages in the site so if the user does not delete their browser history they will not grab the attention of the third party.
Preventing Access to Protected Content
One option you have is to disguise your website as something else by having the user log in before they are allowed to access any of the content. You could save their session/login data in such a way that it is cleared if they hit an escape button it is erased or reset. As part of the login page, you could give users an alternate password to type in that would redirect them to fake content if their abuser becomes suspicious enough to demand they log in.
The session/login information should never save between browser sessions and always have a short expiration period, to further reduce the chances of the abuser gaining access to the website.
Disguising the Site
Considerations
If you choose to disguise the site either on the homepage or behind a "fake" login, be very careful to choose something that makes sense and would not arouse suspicion or interest. You don't want the fake page to be some sort of game or anything that might pique the third party's interest.
You also don't want it to look so boring or mundane that the original user would be hard-pressed to explain their possibly frequent visits. It shouldn't be anything so specific that the third party would think twice about the original user visiting it though. For example, it might be suspicious if someone who does not enjoy the great outdoors were to be visiting a page on mountain biking.
It also can't do something like just redirect them to Google without explaining the fact that they had to log in to access it.
General Advice
Private Browsing
Multiple sources have suggested either educating your target audience in how to use IE's InPrivate Browsing mode, Firefox's Private Browsing mode, or Chrome's Incognito mode.
There unfortunately does not appear to be a way to prevent the browser from keeping the current page in its browsing history through JavaScript. It's possible there might be some sort of plug-in or third-party control which would enable this, but it's probably just easier to get your users to use a private browsing mode.
Clearing History
Clearing a user's web history would not be possible since browsers restrict websites from accessing or altering data on the user's computer directly. Since the user's browser history is part of this data it would be a security issue if any website could clear the history.
You should provide instructions to your users for pruning or clearing their browser history, whether on the website itself before they enter, or through whatever resource you showed them how to access your website.
Generating a Fake History
If you need to generate a fake list of visited websites, you can always create new tabs/windows for the users (or possibly iframes) at timed intervals with JavaScript, but the user would have to disable their popup blocker for this to take effect.
Further Reading
Here is a helpful article on creating a useful Quick Disguised Exit From A Website. This forum thread that I found it on also had some useful information, but it's likely you've already seen it.
At least, can we generate fake browsing history to justify to the aggressive person the time that the user was on our website?
Have you cosidered turning it around?
What if technically all your pages and its content are about something else. So it is the content you want to hide that's loaded in a special way, making it easier for you to avoid having it in the browser history.
So then it becomes about knowing when to load/show the special content.
Above said, it's very important what #Frédéric Hamidi said:
Just keep in mind that if the "aggressive" person has control over that computer or the network, nothing can really prevent him/her from installing loggers on the machine or analyzing network traffic.
IE's InPrivate Browsing mode, Firefox's Private Browsing mode, and Chrome's Incognito mode
I would recommend this to prevent the abuser from finding the secret site in the browsing history.
Also, opening a social networking site and letting the browsing history collect that would be an excellent and believable excuse for the time spent on the computer.
I'm working on a DNN website, I have a user account with Admin privileges but don't have access to the Host Account. I do have FTP access and have been browsing around the file-structure and have seen some files referring to search.
The search is not working on the website so I was hoping I could replace the back-end code which runs the search, via FTP.
What files would need to be replaced to make sure they are not corrupted/buggy.
I realize doing this may not solve the problem, so any other advice as to trouble-shooting or possible solutions are appreciated.
EDIT(For those asking how in what way search does not work):
Here is an image of what happens when I search 'sheep' (the website is all about sheep). Was told by the company that original website that the search runs on our pages 'Keywords'. I've made sure pages contain keywords but they still do not show up in search.
The solution I ended up using for this problem because I could find no other solution without having the Super-User account access. Was to implement Google's Custom Search Engine, with the multi-page option.
http://www.google.com/cse/
In my case the original search engine was working via GET command with a value of q. This is the same as Google's CSE multi-page option. So I was able to simply remove the old search results html from a module and replace it with the html snippet provided by Google.
Question: Is it possible to construct a web page that has a script to turn off XML data-binding in MSIE? The ideal approach would be to code an HTML page and instruct all people in the office to visit the page with a button that says "turn off data-binding".
Rationale: The desktop sysadmin is not available at this time and the goal is to create a brain-dead simple way to let people turn this feature off without having to walk them through a bunch of MSIE configuration menus.
I'm assuming you're talking about Microsoft Security Advisory (961051).
If you could disable XML data-binding using client-side script, then someone could enable it with client-side script and expose the vulnerability again. So that isn't possible.
However, if everyone is running the same version of Windows and the same bitness flavor, then just send them to a page where they can copy and paste this into Start > Run:
Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll"
Note that this will protect against current attacks but to comprehensively protect against the vulnerability they recommend applying another workaround. More on that here.
And encouraging your employees to go to a website in an E-mail and run something they've been told to run is probably a bad idea as it opens them up to various phishing attacks since most people won't be able to distinguish between an E-mail from their own company IT department and an E-mail sent by a malicious person.
More about the available workarounds here.
In the end, the best practice would be to push out one of the workarounds as described in the above KB article.