AJAX and PHP security using jQuery


gevans

Hey guys,

 

I've been browsing the web for some decent documentation of secure ajax calls using the jQuery library. When I say secure, I mean restricting access to the php script. I know I can set a session to do a little security, just trying to find a bit more.

 

If anyone has any hidden gems please drop the link in a reply, I'd be very grateful!

 

Cheers!

If I'm honest, I never actually read my own signature, I copied someone else's to get the error_reporting in place, I use htaccess. (changed it though) :)

 

I'll try to explain what I mean by secure ajax using a little example.

 

http://www.w3schools.com/PHP/php_ajax_database.asp - simple ajax tutorial

 

http://www.w3schools.com/PHP/getuser.php - the url used in the get request

 

http://www.w3schools.com/PHP/getuser.php?q=1 - the url with a get variable. Returns an html table.

 

By secure I don't want people to have access directly to the url. I want javascript to be able to send a get request, but the user not be able to access the url.

 

Hope that makes a bit more sense.

Short answer:  Not possible.

 

 

Longer answer:  If one can access something over the Internet, one can access the aforementioned something over the Internet.

 

 

Longer-er answer:  You could try various methods to keep users from going straight to the page, but when it comes down to it, they will all be useless.  AJAX is just essentially the client (as in IE or Firefox) making a request after all.

 

 

 

Why does it matter if the user goes straight to the URL?  Unless there's a situation I'm not thinking of, perhaps you could just redesign it so it doesn't matter how the user makes the request.

It's just my head working overtime. I think it's untidy being able to access a page like http://www.w3schools.com/PHP/getuser.php?q=1 which is obviously meant as an ajax response (albeit not a very flexible one).

 

I've considered setting a random session on every page with a regenerated key that's passed along with the ajax request, and compared in the script. But that's still very easy to get around.

One way around this, and it is not foolproof, is to make sure you are sending the request as POST and to pass a specific variable with it. So with the ajax call, you make sure that specific variable is included, but if it is not (like a user trying to access that page directly), just kill the script, give a message, redirect, whatever you want. Even if they find out the variable that needs to be passed (and looking at the javascript, they can), they still can't easily simulate a POST request from the browser (and with the number of Firefox plug-ins, maybe there is).

 

Just an idea if you really want to try to prevent this.
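A defender's version of the getuser.php endpoint from the linked tutorial, as an added example that is not part of this thread or of the w3schools code: instead of trying to tell jQuery apart from a typed-in URL, it checks the session, a per-session token and whether the caller may read record q. The database connection details, the users table and its columns, and the "a user may only read their own row" rule are assumptions.

```php
<?php
// Added example, not code from the thread or from w3schools: a getuser.php that stops
// asking "was this AJAX?" (unanswerable, as the replies say) and instead checks what a
// server can actually verify. Table/column names, DSN and the "own row only" rule are
// assumptions.
session_start();

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Authentication: whoever calls this must be logged in. Typing the URL into the
//    address bar from the same browser still works, and that is acceptable: it is
//    the same user seeing the same data they would get through jQuery.
if (empty($_SESSION['user_id'])) {
    fail(401, 'login required');
}

// 2. Per-session token, the "regenerated key passed along with the request" idea.
//    The page that loads jQuery sets it once at login, e.g.
//      $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
//    and embeds it so the script can send it: $.post('getuser.php', {q: 1, token: t}).
//    It cannot distinguish jQuery from a hand-made form, but it does stop a third-party
//    site from making a visitor's browser issue this request, since it never sees it.
$expected = $_SESSION['csrf_token'] ?? '';
$given    = (string)($_POST['token'] ?? '');
if ($expected === '' || !hash_equals($expected, $given)) {
    fail(403, 'missing or invalid token');
}

// 3. Authorization per record, not per transport: validate q and check that this
//    session is allowed to read that row.
$q = filter_input(INPUT_POST, 'q', FILTER_VALIDATE_INT);
if ($q === false || $q === null) {
    fail(400, 'q must be an integer');
}
if ($q !== (int)$_SESSION['user_id']) {
    fail(403, 'not permitted to read this record');
}

// 4. Parameterised query, so q never reaches SQL as text.
$pdo  = new PDO('mysql:host=localhost;dbname=ajax_demo', 'dbuser', 'dbpass',
                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT id, firstname, lastname, age FROM users WHERE id = ?');
$stmt->execute([$q]);
header('Content-Type: application/json');
echo json_encode($stmt->fetch(PDO::FETCH_ASSOC) ?: ['error' => 'no such user']);
```

The token check is what a practitioner would keep from the ideas in this thread: it does not hide the URL, but it does make the request unforgeable from another origin, while step 3 is what actually decides who may see which row.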

Thanks for the idea, but it could be simulated easily by making an html form.

 

 

I don't see the point in trying to protect it. The script exposes information to your users. It's just giving it in a more raw and unformatted way (e.g. JSON or XML).

 

I know, I just get slightly obsessive with 'clean' sites. I titled this thread 'AJAX and PHP security using jQuery' but it's not so much security as something to please me. But everyone is right, it isn't necessary.
