R – How to collect data securely from client web sites


I need to provide a code snippet to my clients that they can add to their website, similar to the google analytics code, e.g

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-xxxxxx-x");
} catch(err) {}

but I need it to collect some values from the customers ecommerce site. They would add the code to their site and then we would receive the values and add them to our sql database. They will provide the values either client side or server side depending on the code we give to them.

Can anyone suggest a secure way to do this? The simpler the better as far as the client is concerned.

Thanks for any suggestions.

Best Solution

Javascript is client-side technology. Because browsers to not allow cross-site scripting, your client would have to host the script so that it has access to the rest of the page. It does of course not have access to the ecommerce application on the server, since it runs on the client. It could concievably make an Ajax request to the ecommerce server to get data, but that means you need to place code on the server that can handle such a request, and it would make sense to do this entirely server-side. I am not sure what kind of information you are trying to collect, but it seems that there is not too much you can collect on the client.

Anyways, your Javascript could then send a request to your own site when it renders in the user's browser, by inserting an invisible image for instance, and pass along information in the query string - which is not secure.