bestrong (Posted October 19, 2009)

Hello, I am looking to make a plugin for websites, where they will put a snippet of code in their website, which makes a call to my server, and will show data on their site. I get access denied errors? Are there permissions I need to set?

Thanks!!

jonsjava (Posted October 19, 2009)

Could we see a sample?

bestrong, Author (Posted October 19, 2009)

The PHP file is merely

```php
<?php
echo('Test');
?>
```

The Ajax call is

```html
<script type="text/javascript">
// Helper that returns an XHR object (defined but not used below).
function getHTTPObject() {
    if (window.ActiveXObject)
        return new ActiveXObject("Microsoft.XMLHTTP");
    else if (window.XMLHttpRequest)
        return new XMLHttpRequest();
    else {
        alert("Your browser does not support AJAX.");
        return null;
    }
}

// Create the request object once, preferring the native implementation.
var HttpRequestObject = false;
if (window.XMLHttpRequest) {
    HttpRequestObject = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    HttpRequestObject = new ActiveXObject("Microsoft.XMLHTTP");
}

function getProgress() {
    if (HttpRequestObject) {
        // Absolute URL: this is a cross-origin request when the page is on another domain.
        HttpRequestObject.open('GET', 'http://www.mysite.com/phpfile.php', true);
        HttpRequestObject.onreadystatechange = function() {
            if (HttpRequestObject.readyState == 4 && HttpRequestObject.status == 200) {
                var progress = HttpRequestObject.responseText;
                alert(progress);
            }
        };
        HttpRequestObject.send(null);
    }
}
</script>
```

It works fine if it is run on my server, but if I try to access it from another domain, it does not work.

simshaun (Posted October 19, 2009)

That is your browser's same origin policy coming into effect.

Edit: What you are doing is dangerous, letting users type in PHP code to run on your server.

bestrong, Author (Posted October 19, 2009)

Hmm, how would you suggest serving people content off my server without compromising security?

Thanks!

Oh, and could you briefly explain how that is dangerous?

simshaun (Posted October 19, 2009)

It depends what you are wanting to do, but I know that you can send an AJAX request in the JSONP format using jQuery, which lets you load data from another domain using a callback.

The reason why what you are doing is dangerous is because I can create files, delete files, modify files, mess around with your database, and a whole host of other things that PHP offers on your server, especially with exec() and related functions. This is why most people frown on eval. It does have its uses, but in most cases if you have to use eval you are doing something wrong.

Edit: I realized I may be misunderstanding what you are trying to do, so all this could be moot.

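An added example, not part of any post in this thread: it models both halves of the JSONP exchange mentioned above in plain JavaScript so that it runs under Node. `jsonpResponse` stands in for the checks the PHP endpoint would need, `runAsScriptTag` simulates the browser executing the response, and every name, callback and data value here is hypothetical.

```javascript
// Only a plain identifier may be echoed back as the callback name.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Server half: what a JSONP endpoint must check before echoing anything.
function jsonpResponse(callbackParam, data) {
  if (typeof callbackParam !== 'string' || !CALLBACK_RE.test(callbackParam)) {
    // An unchecked callback would let the requester choose the script text.
    return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
  }
  // Escape characters that are valid JSON but unsafe in a script context.
  const json = JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    contentType: 'application/javascript; charset=utf-8',
    // The leading comment keeps the body from starting with caller-chosen bytes.
    body: `/**/${callbackParam}(${json});`,
  };
}

// Client half: the embedding page loads this URL with <script src="...">,
// which the same origin policy permits, unlike reading a cross-origin XHR.
function jsonpUrl(endpoint, callbackName) {
  return `${endpoint}?callback=${encodeURIComponent(callbackName)}`;
}

// Stand-in for the browser: run the response body as script with the page's
// callback in scope, and return whatever the callback was handed.
function runAsScriptTag(body, callbackName) {
  let received;
  const callback = (payload) => { received = payload; };
  new Function(callbackName, body)(callback);
  return received;
}

// Constructed round trip: one accepted callback, one rejected.
function demo() {
  const ok = jsonpResponse('showProgress', { progress: 'Test', note: '</script>' });
  const bad = jsonpResponse('showProgress);somethingElse(', { progress: 'Test' });
  return { ok, delivered: runAsScriptTag(ok.body, 'showProgress'), bad };
}
```

Because any page can include the script, a JSONP endpoint should return only data that is safe for every site to read. The embedding site, in turn, is trusting the endpoint to run script in its own origin.
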
jonsjava (Posted October 19, 2009)

> It depends what you are wanting to do, but I know that you can send an AJAX request in the JSONP format using jQuery, which lets you load data from another domain using a callback.
>
> The reason why what you are doing is dangerous is because I can create files, delete files, modify files, mess around with your database, and a whole host of other things that PHP offers on your server, especially with exec() and related functions. This is why most people frown on eval. It does have its uses, but in most cases if you have to use eval you are doing something wrong.

He's not having them run code, he's having them call a PHP script on his server from an ajax function on their site. Nothing dangerous with that. Well, no more so than usual. He still needs to sanitize user input, as usual, but aside from that, I don't see any security vulnerability.

simshaun (Posted October 19, 2009)

Yes, I realized that about 30 seconds before you made the post.

bestrong, Author (Posted October 19, 2009)

So, are there permissions I can set for this file that allow it to be accessed, or is the JSON route the one I need to take? (What is JSON?)

simshaun (Posted October 19, 2009)

This is turning more into a JavaScript question. I don't think you have to use JSON now that I look at it. Check out the jQuery .ajax() docs.

There are not really any permissions you can set for any files, because the same origin policy is implemented at the browser level.

bestrong, Author (Posted October 19, 2009)

Thanks! I appreciate the help!

Ben