Guess what will happen if you add an image like the one below to your HTML page:

<img src="http://mail.google.com/mail/?logout&hl=en" />

It does not appear on the page, but your Google account in another window or another tab will get logged off. So an external website can log you out of your Gmail or Orkut.

If you coded your website to delete a photo or object with a URL like www.domainname.com/photos/delete?id=221, you may think that, since you are checking user authentication on the server side, no one else can delete your file. But what if you are logged in in one tab, and in a second tab you are loading another website (the hacker's or attacker's)? He can place lots of hidden images with src = www.domainname.com/photos/delete?id=22 (he can try ids from 0 to 1000 or 10,000, and any one of them may be your object).

Here the authentication passes, because the cookies and session are already set in the other tab, and the request affects (updates or deletes) your content.

Those who think "I use the POST method, so it is safe": sorry, you are wrong. JavaScript can also simulate a POST, and by using this an external website can submit your form (for example, it can run a form submission that changes the email address you registered with, and later reset the password to hijack your account).

It won't happen if you use a CAPTCHA. But it is very hard to use a CAPTCHA on every form. You can prevent this attack by adding an additional parameter (a randomly generated string) to the GET URL or the POST form submission.

For example, look at the URL to delete a mail in Gmail:

http://mail.google.com/mail/?ui=2&ik=42e598c952&at=xn3j2ufyx273muje67ot1fsxsnbmnl&view=up&act=tr&rt=j&search=inbox

There is an extra string along with the useful information as a parameter. So an external application cannot predict the exact URL to delete a particular mail, and an img with src=url fails here.

The same thing is also needed for the POST method. Add one hidden field for the random string and check the string on the server before updating the database.
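The hidden-field approach just described, worked through as an added example (this is not code from the original post): a per-session random token is generated server-side, embedded in the delete form, and compared with a constant-time comparison before anything is deleted. The field name csrf_token, the session key, and the deletePhoto() call are my own assumptions.

```php
<?php
// Added example, not from the original post: a synchronizer token for the
// "delete photo" form discussed above. Assumes PHP 7+ (random_bytes) with
// sessions enabled; the names csrf_token / deletePhoto() are assumptions.

session_start();

// Create the token once per session and keep it server-side.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded to 64 characters.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Render the hidden field that belongs in every state-changing form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token before touching the database.
// hash_equals() compares in constant time, so a mismatch does not leak
// which characters were right through response timing.
function csrfIsValid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// --- delete-photo handler --------------------------------------------------
// The delete runs only on POST (an <img src=...> can only issue a GET) and
// only when the token matches. The ownership check and the actual database
// delete (deletePhoto) are application-specific and left as a placeholder.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfIsValid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Bad id');
    }
    // deletePhoto($currentUserId, $id);  // placeholder: must also verify ownership
    exit('Deleted');
}
?>
<form method="post" action="/photos/delete">
    <input type="hidden" name="id" value="221">
    <?= csrfField() ?>
    <button type="submit">Delete photo</button>
</form>
```

The same token works for a GET link, which is what the Gmail at= parameter above is doing: append the token to the URL and compare it the same way before acting. Even so, keeping deletes and updates on POST is the better default, because a plain hidden image can never produce a POST, and the token is then the only remaining thing an attacker's page would have to guess.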

This problem is called CSRF – Cross Site Request Forgery

Thanks
Sajith


· · · ◊ ◊ ◊ · · ·

Contact Grabber

06 Nov 2008

If you are a social media website developer, sometimes you might search for a way of grabbing contacts from a particular email account if the password is given. I also did the same. In most cases it did not work properly. But recently I got a contact grabber from phpclasses.org which works perfectly on Gmail, Hotmail, Rediff, Yahoo, Orkut, MySpace, Indiatimes, LinkedIn, AOL and Lycos.

(screenshot)

But the zip file I got was not well arranged, so it showed some errors. I arranged it properly and uploaded it here:

Download:

http://sajithmr.com/downloads/grabber.zip

(Under GNU Public License)

Using this PHP code, you can export the email contacts as a CSV file.

Here is the original source website: http://www.phpclasses.org/browse/package/3895.html


· · · ◊ ◊ ◊ · · ·

If you want to get the FLV file of any YouTube video URL using PHP code, here is the solution.

If you are a PHP programmer working on a video website and you need to grab videos (FLV files) from YouTube and put them on your own site (not object embedding), download the full source code given at the end of this article (ZIP).

I used this PHP code for the YouTube video download tool http://www.googleneedle.com


The function getPatternFromUrl simply extracts the video id (the "pattern") of a particular video from any YouTube video URL format.

In the above case , it returns pzmP4UvZRa4

The function is below:

function getPatternFromUrl($url)
{
    // Append '&' so the pattern also matches when v= is the last parameter.
    $url = $url . '&';

    // Capture everything between "v=" and the next "&".
    $pattern = '/v=(.+?)&+/';

    if (!preg_match($pattern, $url, $matches)) {
        return false;   // no v= parameter in this URL
    }

    return $matches[1];
}

GrabFlvFromYoutube is the main function here: it downloads the FLV file for a YouTube video id and saves it on your local machine.
The function is below:

function GrabFlvFromYoutube($pattern)
{
    require_once("phptube.php");

    // Accept only a plain video id; anything else (e.g. "../") would end up
    // in the file path built below.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $pattern)) {
        return false;
    }

    $tube = new PHPTube();

    // Resolve the video id to the direct HTTP URL of the FLV file.
    $flv_http_path = $tube->download($pattern);
    echo $flv_http_path;

    set_time_limit(0);   // a large download may exceed the default script time limit

    $data = file_get_contents($flv_http_path);
    if ($data === false) {
        return false;
    }

    $new_flv_path = dirname(__FILE__) . '/flvs/' . $pattern . '.flv';
    file_put_contents($new_flv_path, $data);

    return $new_flv_path;
}

Download the full source code from the link given:

http://www.sajithmr.com/downloads/youtube-download-php.zip
