Archived

This topic is now archived and is closed to further replies.

gevans

AJAX and PHP security using jQuery

Hey guys,

 

I've been browsing the web for some decent documentation of secure AJAX calls using the jQuery library. When I say secure, I mean restricting access to the PHP script. I know I can set a session to do a little security, just trying to find a bit more.

 

If anyone has any hidden gems please drop the link in a reply, I'd be very grateful!

 

Cheers!


I don't understand what you mean with "secure AJAX calls".

 

Also, in your signature, you shouldn't have E_ALL & ~E_NOTICE, but E_ALL or even better E_ALL | E_STRICT. Notices should be fixed, not ignored.


I wouldn't be able to sleep knowing a notice existed.


If I'm honest, I never actually read my own signature, I copied someone else's to get the error_reporting in place, I use htaccess. (changed it though) :)

 

I'll try to explain what I mean by secure AJAX using a little example.

 

http://www.w3schools.com/PHP/php_ajax_database.asp - simple ajax tutorial

 

http://www.w3schools.com/PHP/getuser.php - the url used in the get request

 

http://www.w3schools.com/PHP/getuser.php?q=1 - the url with a get variable. Returns an html table.

 

By secure I mean I don't want people to have access directly to the URL. I want JavaScript to be able to send a GET request, but the user not be able to access the URL.

 

Hope that makes a bit more sense.


Short answer: Not possible.

Longer answer: If one can access something over the Internet, one can access the aforementioned something over the Internet.

Longer-er answer: You could try various methods to keep users from going straight to the page, but when it comes down to it, they will all be useless. AJAX is just essentially the client (as in IE or Firefox) making a request after all.

Why does it matter if the user goes straight to the URL? Unless there's a situation I'm not thinking of, perhaps you could just redesign it so it doesn't matter how the user makes the request.


It's just my head working overtime. I think it's untidy being able to access a page like http://www.w3schools.com/PHP/getuser.php?q=1 which is obviously meant as an AJAX response (albeit not a very flexible one).

 

I've considered setting a random session on every page with a regenerated key that's passed along with the AJAX request, and compared in the script. But that's still very easy to get around.


It's not a security issue being able to access the PHP backend callback for your AJAX request.


One way around this, and it is not foolproof, is to make sure you are sending the request as POST and to pass a specific variable with it. So with the AJAX call, you make sure that specific variable is included, but if it is not (like a user trying to access that page directly), just kill the script, give a message, redirect, whatever you want. Even if they find out the variable that needs to be passed (and looking at the JavaScript, they can), they still can't easily simulate a POST request from the browser (and with the number of Firefox plug-ins, maybe there is).

 

Just an idea if you really want to try to prevent this.


I don't see the point in trying to protect it. The script exposes information to your users. It's just giving it in a more raw and unformatted way (e.g. JSON or XML).


One way around this, and it is not foolproof, is to make sure you are sending the request as POST and to pass a specific variable with it. So with the AJAX call, you make sure that specific variable is included, but if it is not (like a user trying to access that page directly), just kill the script, give a message, redirect, whatever you want. Even if they find out the variable that needs to be passed (and looking at the JavaScript, they can), they still can't easily simulate a POST request from the browser (and with the number of Firefox plug-ins, maybe there is).

 

Just an idea if you really want to try to prevent this.

 

Thanks for the idea, but it could be simulated easily by making an HTML form.

 

 

I don't see the point in trying to protect it. The script exposes information to your users. It's just giving it in a more raw and unformatted way (e.g. JSON or XML).

 

I know, I just get slightly obsessive with 'clean' sites. I titled this thread 'AJAX and PHP security using jQuery' but it's not so much security as something to please me. But everyone is right, it isn't necessary.

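The session-bound token the original poster floated, combined with the POST-only check suggested later in the thread, written out as an added example (this is not code from anyone in this thread; the file names, the `token` parameter name and the use of `hash_equals` are my choices). It shows what such a check does and does not give you: requests without the current session's token are refused, which stops other origins driving the endpoint through a logged-in browser (CSRF), but the user who owns the session can still send the same POST themselves, which is exactly the point made in the replies above.

```php
<?php
// Added example, not from the thread. Illustrates a jQuery AJAX endpoint guarded
// by a per-session random token plus a POST-only rule. This binds requests to the
// session that rendered the page; it does NOT hide the URL from that user.
session_start();

// page.php side: issue one random token per session and print it for jQuery,
// e.g. <body data-token="<?= htmlspecialchars(issue_token()) ?>">, then send it:
//   $.post('getuser.php', {q: 1, token: $('body').data('token')}, handler);
function issue_token(): string {
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32)); // 64 hex chars, CSPRNG
    }
    return $_SESSION['ajax_token'];
}

// getuser.php side: accept only a POST whose token matches this session's token.
function request_is_acceptable(array $server, array $post, array $session): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                       // typing the URL into the bar is a GET
    }
    $sent     = $post['token'] ?? '';
    $expected = $session['ajax_token'] ?? '';
    if ($expected === '' || !is_string($sent)) {
        return false;                       // no token issued for this session yet
    }
    return hash_equals($expected, $sent);   // constant-time comparison
}

if (!request_is_acceptable($_SERVER, $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Forbidden');
}

// The real defence is still input validation: the tutorial's ?q=1 is an integer.
$q = filter_input(INPUT_POST, 'q', FILTER_VALIDATE_INT);
if ($q === false || $q === null) {
    http_response_code(400);
    exit('Bad request');
}

header('Content-Type: application/json');
// Constructed placeholder response; the real lookup would use a prepared statement.
echo json_encode(['id' => $q]);
```

A user with a valid session can still build an HTML form or use a browser tool to send the same POST with their own token, so treat this as CSRF protection and tidiness, not as access control.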
