jasonc Posted March 7, 2010

I just noticed a problem with my site. I have a support chat page and, just out of curiosity, I tried the following, for example:

www.site.com/mysecretajaxfile.php?supportroomnumber=10&1=0

This then shows the log of that support chat room!! How do I secure my chat from being seen by everyone who may want to look? I am using AJAX: http://www.dynamicajax.com/pg/193-271_275_288_289.html

All anyone needs to do is check their own page and then change the room number and they get shown the XML log of that chat room!! Has anyone else come across this using AJAX, and how could this be made secure?
trq Posted March 7, 2010

If your users are logged in, you need to check against their login credentials to ensure that they can only access their own issues. If they're not logged in, you will need to make it so.
jasonc (Author) Posted March 7, 2010

The AJAX creates an XML server-side file, which is viewable should you visit the file directly. My logins work and the main site can only be viewed by logged-in members, but as the AJAX creates server-side files, these can also be viewed by everyone else.

example.php

<?php
// Connect and select the database (legacy mysql_* extension, as posted)
$link = mysql_connect("host", "user", "pass");
mysql_select_db("dbname", $link);
// Select the members currently online (WHERE clause elided in the post)
$query = "SELECT * FROM members WHERE time ...";
$result = mysql_query($query, $link);
// Print the user name of every matching row
while ($row = mysql_fetch_assoc($result)) {
    echo $row["user"];
}
?>

The JavaScript:

function ajax() {
    // Return an XMLHttpRequest, falling back to the IE ActiveX object
    if (window.XMLHttpRequest) return new XMLHttpRequest();
    else if (window.ActiveXObject) return new ActiveXObject("Microsoft.XMLHTTP");
    else return false;
}

function updateUsers() {
    var req = ajax();
    req.open("GET", "example.php", true);
    req.onreadystatechange = function() {
        if (req.readyState == 4) {
            alert(req.responseText); // alerts all the users that are online
        }
    };
    req.send(null);
}

var updateInterval = setInterval(updateUsers, 20000);

If a visitor views the source code they would see the line....

req.open("GET", "example.php", true);

All they need to do is view this page directly and they can see the list, which they should not be able to, as this list was intended for admin members only.
trq Posted March 7, 2010

Within example.php you need to do what I suggested in my initial reply.
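A hardened version of the room-log endpoint along the lines trq describes, as an added example (not jasonc's code, nor the dynamicajax tutorial's): the script refuses to serve a log unless the session identifies a logged-in user who is an admin or a participant of the requested room, and the log files are read from a directory outside the web root so that visiting them directly, as in jasonc's first post, no longer works. The session key, the tables users(id, is_admin) and room_members(room_id, user_id), and the /var/chatlogs path are assumptions.

```php
<?php
// Added example: authorize the caller before serving a support-room log.
// Assumptions: login sets $_SESSION['user_id']; tables users(id, is_admin) and
// room_members(room_id, user_id); logs live in /var/chatlogs, outside the web root.
session_start();

// 1. Authentication: reject anonymous callers outright.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
$userId = (int) $_SESSION['user_id'];

// 2. Input validation: the room number must be a positive integer, nothing else.
$roomId = filter_input(INPUT_GET, 'supportroomnumber', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
if ($roomId === false || $roomId === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

// 3. Authorization: the user must be an admin or a participant of this room.
$pdo = new PDO('mysql:host=localhost;dbname=dbname;charset=utf8mb4', 'user', 'pass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'SELECT 1 FROM users u
      WHERE u.id = :uid
        AND (u.is_admin = 1
             OR EXISTS (SELECT 1 FROM room_members m
                         WHERE m.room_id = :room AND m.user_id = :uid2))'
);
$stmt->execute([':uid' => $userId, ':room' => $roomId, ':uid2' => $userId]);
if ($stmt->fetchColumn() === false) {
    // Same status as for a non-existent room, so room ids cannot be enumerated.
    header('HTTP/1.1 404 Not Found');
    exit;
}

// 4. Only now read the log, and only by the validated integer id: the file name
//    is never built from raw user input, and the directory is not web-accessible.
$path = '/var/chatlogs/room_' . $roomId . '.xml';
if (!is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
header('Content-Type: application/xml; charset=utf-8');
readfile($path);
```

The same three checks (session present, parameter validated, caller permitted for that specific record) apply to the members-online endpoint in the second post: an "admin only" list must be gated on the admin flag inside example.php itself, because the JavaScript calling it is visible to every visitor.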