Hi,

I need to provide a code snippet to my clients that they can add to their website, similar to the Google Analytics code, e.g.

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try{
var pageTracker = _gat._getTracker("UA-xxxxxx-x");
pageTracker._trackPageview();
} catch(err) {}
</script>

but I need it to collect some values from the customer's e-commerce site. They would add the code to their site and then we would receive the values and add them to our SQL database. They will provide the values either client side or server side depending on the code we give to them.

Can anyone suggest a secure way to do this? The simpler the better as far as the client is concerned.

Thanks for any suggestions.

A: 

JavaScript is client-side technology. Because browsers do not allow cross-site scripting, your client would have to host the script so that it has access to the rest of the page. It does of course not have access to the e-commerce application on the server, since it runs on the client. It could conceivably make an Ajax request to the e-commerce server to get data, but that means you need to place code on the server that can handle such a request, and it would make sense to do this entirely server-side. I am not sure what kind of information you are trying to collect, but it seems that there is not too much you can collect on the client.

Anyways, your JavaScript could then send a request to your own site when it renders in the user's browser, by inserting an invisible image for instance, and pass along information in the query string - which is not secure.

cdonner
Thanks for this. We are open to client-side or server-side code, we just want it as simple as possible for the client to add. The type of information we would be collecting might be transaction value, id etc.
78lro
I think you need to tell more about what you are trying to do. There is not really anything else that can be said without understanding the problem.
cdonner
Okay. When a transaction completes on my client's website I need to collect some data about the transaction. They will need to add the code to their site (which is why it needs to be as simple as possible). It will need to pass the value, transactionid and email address of the buyer. Does that help?
78lro
This is clearly a server-side component. JavaScript will not be helpful. I can't give you advice for implementing this without knowledge of the commerce software that you need to support.
cdonner
A: 

You are going to need to do it server side. For security reasons, the browser is either not going to allow a post to another site while in an SSL session or provide a really lovely security warning to the user making them feel like they are being hacked.

I would create a webservice on your server and provide the client some sample code to call it from their server.

DancesWithBamboo
Thanks DancesWithBamboo. Would I be able to do this securely and prevent it from sending through duplicate values i.e. prevent a refresh sending the values again? If they were to send values more than once they could benefit financially in our process :)
78lro
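
An added example, not part of the original thread: one way the server-to-server web service suggested above could authenticate each report and refuse a repeated transaction, as asked in the last comment. All names (`sign_report`, `accept_report`, `MERCHANT_KEYS`, the merchant id and secret) are hypothetical, the sample values are constructed, and the in-memory set stands in for a unique constraint in the SQL database.

```python
import hashlib
import hmac
import json
import time

# Constructed demo values: one shared secret per merchant, issued out of band.
MERCHANT_KEYS = {"merchant-42": b"constructed-demo-secret"}
MAX_SKEW_SECONDS = 300
_seen = set()  # stands in for a UNIQUE (merchant_id, transaction_id) constraint in SQL


def sign_report(secret, transaction_id, value, email, timestamp=None):
    """Merchant's server: serialize the report and sign the exact bytes sent."""
    report = {"transaction_id": transaction_id, "value": value, "email": email,
              "timestamp": int(time.time() if timestamp is None else timestamp)}
    body = json.dumps(report, sort_keys=True).encode()
    return body, hmac.new(secret, body, hashlib.sha256).hexdigest()


def accept_report(merchant_id, body, signature, now=None):
    """Collector: authenticate first, then parse, then reject replays."""
    secret = MERCHANT_KEYS.get(merchant_id)
    if secret is None:
        return False, "unknown merchant"
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(signature).encode()):
        return False, "bad signature"
    try:
        report = json.loads(body)
        key = (merchant_id, str(report["transaction_id"]))
        timestamp = int(report["timestamp"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed report"
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    if key in _seen:  # a page refresh or resend reuses the same transaction id
        return False, "duplicate transaction"
    _seen.add(key)
    return True, "recorded"
```

The signature and the transaction-id check stop a refresh or a captured request from being counted twice; they do not stop a merchant who holds the secret from reporting a transaction that never happened. The body carries the buyer's email address, so the request should travel over HTTPS.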