Suggestions for designing a app |
I have been assigned to building an emailer and dashboard for that will allow users to send text and emails to their customers that will gather social media reviews. The goal is to have a way for the users to respond to bad reviews before they are actually posted.
The dashboard is pretty straight forward and texting is probably beyond the scope of this forum. I would guess a standard get url like www.somedomain.com?customerid=x&stars=5 www.somedomain?customerid=x&stars=4 on each star link to intercept the customers intention Anybody done anything similar and can give me some pointers or ideas where I might improve on the apps design. Please also let me know if it is ok to ask this question since it is more general and regarding a certain project. I have specific questions that I figured I will probably become apparent as I dive in the code.
I don't know what kind of security you'd need here, but assuming that you're going to interact with a database you might look at encoding the links using base64_encode() or something similar. It would at least prevent most URL tampering and SQL injection. Like:
PHP Code: $link = "https://www.somedomain.com?v=".base64_encode("customerid=x&stars=5"); Or as a CI URL segment PHP Code: $link = "https://www.somedomain.com/click/".base64_encode("customerid=x&stars=5"); Then upon click check using base64_decode's strict mode like: PHP Code: if(base64_decode($request->getPostGet('v'), TRUE)) { } or PHP Code: if(base64_decode($uri->getSegment(2), TRUE)) { } If it returns FALSE, you know something is amiss and you shouldn't trust the values. You also could go a step further and include timestamps or tokens in the string to add even more security. Hope that gets you going in a good direction. Designer, developer and Diet Dr. Pepper addict. Messing up PHP since <?= $when['year';] ?>
Thanks jameslittle.
I just tried base64_encode and it looks similar to some other implementations from places like Costco. That is probably the way they implemented it. It will definitely be interacting with a database and built in security is always a good idea. Thank You. Another more specific question about the applications overall design. The customers will login to a dashboard at www.ourcompany.com/setupaemailer but the actual url the emailer will provide to send to their customers will be from www.clientdoman.com/link so would it make sense to build a RESTful api at www.ourcompany.com/ to process the it, that way we could just install a small script on each persons website that just relays the link back to our www.ourcompany.com REST API. I may not be seeing all the ways of solving this design issue. *edit* it just occurred to me a small javascript file could also serve the same purpose by masking our original domain and forwarding it. I could maybe even use Ajax to make the front end experience more responsive.
(09-05-2019, 08:00 AM)rad2 Wrote: Thanks jameslittle. That sounds like a good approach to me. If your JS masking doesn't work out, maybe PHP/Codeigniter redirects would work too (unless you really want to build an API)... the flow might go something like this:
I've also seen sites use iframes to do this. The landing page on the client site includes a non-visible iframe of a page from the dashboard site, and the src of that frame passes the necessary URL parameters to store in the dashboard database. But the user never leaves the client site in this approach. Designer, developer and Diet Dr. Pepper addict. Messing up PHP since <?= $when['year';] ?>
(09-05-2019, 08:00 AM)rad2 Wrote: Thanks jameslittle. Before you get deep into base64__encode you should read The Comprehensive Guide to URL Parameter Encryption in PHP.
(09-05-2019, 08:44 AM)dave friend Wrote:(09-05-2019, 08:00 AM)rad2 Wrote: Thanks jameslittle. Thanks for sharing this Dave. If you can do it that way, the random token tied to the user record is definitely a more secure method than to pass variable data as an encoded string. The base64_encode path is more about obfuscation than actual encryption.
Personally I'm using UUIDv4 to create unique customer ID's. It's not for security, but so that other customers can't guess how many documents, files, other customers there are in the system. You will still need to implement security measure to ensure that they only have access to their own data.
I'm storing it in BINARY as there are are a performance hit to JOIN table ID's as VARCHAR. PHP Code: <?php
(09-05-2019, 11:53 AM)jreklund Wrote: Personally I'm using UUIDv4 to create unique customer ID's. @jreclund, You might find this uuid library useful. In particular the ability to manipulate the uuid4 so that it will sort based on the time segment. Removes so of the down-side of using uuid4 as a PK. Article here. |
Welcome Guest, Not a member yet? Register Sign In |