gevans Posted May 21, 2009

Hey guys, I've been browsing the web for some decent documentation of secure AJAX calls using the jQuery library. When I say secure, I mean restricting access to the PHP script. I know I can set a session to do a little security, just trying to find a bit more. If anyone has any hidden gems please drop the link in a reply, I'd be very grateful! Cheers!

Link to comment https://forums.phpfreaks.com/topic/159123-ajax-and-php-security-using-jquery/
Daniel0 Posted May 21, 2009

I don't understand what you mean by "secure AJAX calls". Also, in your signature, you shouldn't have E_ALL & ~E_NOTICE, but E_ALL or even better E_ALL | E_STRICT. Notices should be fixed, not ignored.
waynew Posted May 22, 2009

I wouldn't be able to sleep knowing a notice existed.
gevans Posted May 22, 2009 (Author)

If I'm honest, I never actually read my own signature. I copied someone else's to get the error_reporting in place; I use htaccess. (Changed it though.)

I'll try to explain what I mean by secure AJAX using a little example.

http://www.w3schools.com/PHP/php_ajax_database.asp - simple AJAX tutorial
http://www.w3schools.com/PHP/getuser.php - the URL used in the GET request
http://www.w3schools.com/PHP/getuser.php?q=1 - the URL with a GET variable. Returns an HTML table.

By secure I mean I don't want people to have access directly to the URL. I want JavaScript to be able to send a GET request, but the user not to be able to access the URL. Hope that makes a bit more sense.
corbin Posted May 22, 2009

Short answer: Not possible.

Longer answer: If one can access something over the Internet, one can access the aforementioned something over the Internet.

Longer-er answer: You could try various methods to keep users from going straight to the page, but when it comes down to it, they will all be useless. AJAX is just essentially the client (as in IE or Firefox) making a request after all.

Why does it matter if the user goes straight to the URL? Unless there's a situation I'm not thinking of, perhaps you could just redesign it so it doesn't matter how the user makes the request.
gevans Posted May 26, 2009 (Author)

It's just my head working overtime. I think it's untidy being able to access a page like http://www.w3schools.com/PHP/getuser.php?q=1 which is obviously meant as an AJAX response (be it not a very flexible one). I've considered setting a random session on every page with a regenerated key that's passed along with the AJAX request, and compared in the script. But that's still very easy to get around.
Daniel0 Posted May 26, 2009

It's not a security issue being able to access the PHP backend callback for your AJAX request.
Liquid Fire Posted May 26, 2009

One way around this, and it is not foolproof, is to make sure you are sending the request as POST and to pass a specific variable with it. So with the AJAX call, you make sure that specific variable is included, but if it is not (like a user trying to access that page directly), just kill the script, give a message, redirect, whatever you want. Even if they find out the variable that needs to be passed (and looking at the JavaScript, they can), they still can't easily simulate a POST request from the browser (and with the number of Firefox plug-ins, maybe there is). Just an idea if you really want to try to prevent this.
Daniel0 Posted May 26, 2009

I don't see the point in trying to protect it. The script exposes information to your users. It's just giving it in a more raw and unformatted way (e.g. JSON or XML).
gevans Posted May 26, 2009 (Author)

Quoting Liquid Fire: "One way around this, and it is not foolproof, is to make sure you are sending the request as POST and to pass a specific variable with it. So with the AJAX call, you make sure that specific variable is included, but if it is not (like a user trying to access that page directly), just kill the script, give a message, redirect, whatever you want. Even if they find out the variable that needs to be passed (and looking at the JavaScript, they can), they still can't easily simulate a POST request from the browser (and with the number of Firefox plug-ins, maybe there is). Just an idea if you really want to try to prevent this."

Thanks for the idea, but it could be simulated easily by making an HTML form.

Quoting Daniel0: "I don't see the point in trying to protect it. The script exposes information to your users. It's just giving it in a more raw and unformatted way (e.g. JSON or XML)."

I know, I just get slightly obsessive with 'clean' sites. I titled this thread 'AJAX and PHP security using jQuery' but it's not so much security as something to please me. But everyone is right, it isn't necessary.