Hi all,
I'm currently working on a simple page, index.php, for a Facebook app that allows users to insert information using an AJAX call (because I don't want my whole site to be reloaded in order to show the update) to another PHP file, update.php, that talks to my database.
My code boils down to:
index.php
    function updateUser(user, info) {
        // set xmlhttp
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                // show update
            }
        };
        // encode the values so spaces, '&' and '=' in the input do not break the query string
        xmlhttp.open("GET", "update.php?user=" + encodeURIComponent(user) + "&info=" + encodeURIComponent(info), true);
        xmlhttp.send();
    }
update.php
    $db = mysql_connect(MYSQL_HOST, MYSQL_USERNAME, MYSQL_PASSWORD);
    mysql_select_db(MYSQL_DB_NAME, $db);
    // escape the individual values, not the whole statement
    $user = mysql_real_escape_string($_GET['user'], $db);
    $info = mysql_real_escape_string($_GET['info'], $db);
    $sql = "INSERT INTO users (user, info) VALUES ('$user', '$info')";
    mysql_query($sql, $db);
    mysql_close($db);
The problem I face is that update.php is publicly accessible. I'm not talking about SQL injection.
It's more about the possibility of inputting nonsense, since by viewing the source code one can find update.php easily.
What I would like is to have update.php only accessible through my AJAX call or hide update.php from others.
What are my possibilities?
Is my design using AJAX and a call to a .php file in order to update a database crap? Is there a design pattern for my use case?
Best regards,
wilee
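As an added illustration, not part of the original post, here is a version of update.php that stops depending on the endpoint being hidden: the user identity comes from the server-side session rather than the request, the call must carry a per-session token that only the page's own script knows, the input is validated on the server, and the insert uses a prepared statement. The MYSQL_* constants are the post's own; the session keys, the token header name and the JSON responses are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes index.php has
// already started the session, set $_SESSION['user_id'] at login, and put a
// random token in $_SESSION['csrf_token'] that it also embeds in the page so
// the AJAX call can send it back in the X-CSRF-Token header (names assumed).
// The MYSQL_* constants are expected to be defined in an included config file.
session_start();
header('Content-Type: application/json');

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// Hiding the URL is not a control: anyone can read it from the page source.
// Instead require a logged-in session; an anonymous caller gets nothing.
if (empty($_SESSION['user_id'])) {
    fail(401, 'not logged in');
}

// State changes go over POST, and the request must carry the per-session
// token; a third-party page cannot read it, so it cannot forge the call.
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !hash_equals($_SESSION['csrf_token'] ?? '', $token)) {
    fail(403, 'bad request token');
}

// Never trust a user id supplied by the client; bind the row to the session.
$user = $_SESSION['user_id'];

// Validate the free-text field on the server; the client cannot be trusted to.
$info = trim($_POST['info'] ?? '');
if ($info === '' || mb_strlen($info) > 500) {
    fail(400, 'info must be 1-500 characters');
}

// Prepared statement: the values never become part of the SQL text.
$db = new mysqli(MYSQL_HOST, MYSQL_USERNAME, MYSQL_PASSWORD, MYSQL_DB_NAME);
$stmt = $db->prepare('INSERT INTO users (user, info) VALUES (?, ?)');
$stmt->bind_param('ss', $user, $info);
if (!$stmt->execute()) {
    fail(500, 'database error');
}
echo json_encode(['ok' => true]);
```

The client side then sends info in a POST body with the token in the X-CSRF-Token header and no longer passes user at all; requests that arrive without a valid session and token are rejected with 401 or 403, which is also what to log and alert on.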