How to secure database access?


wilee

Hi all,

 

I'm currently working on a simple page, index.php, for a Facebook app that allows users to insert information using an AJAX call (because I don't want my whole site to be reloaded in order to show the update) to another PHP site, update.php, that talks to my database.

My code boils down to:

 

index.php

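function updateUser(user, info) {
	// set xmlhttp
	var xmlhttp = new XMLHttpRequest();

	xmlhttp.onreadystatechange = function() {
		if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
			// show update
		}
	};
	// URL-encode both values so special characters survive the query string
	xmlhttp.open("GET", "update.php?user=" + encodeURIComponent(user) + "&info=" + encodeURIComponent(info), true);
	xmlhttp.send();
}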

 

update.php

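// Legacy mysql_* API as posted (this extension was removed in PHP 7)
$db = mysql_connect(MYSQL_HOST, MYSQL_USERNAME, MYSQL_PASSWORD);
mysql_select_db(MYSQL_DB_NAME, $db);

// Escape each value, not the whole statement
$user = mysql_real_escape_string($_GET['user'], $db);
$info = mysql_real_escape_string($_GET['info'], $db);
$sql = "INSERT INTO users (user, info) VALUES ('$user', '$info')";
mysql_query($sql, $db);
mysql_close($db);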

 

The problem I face is that update.php is publicly accessible. I'm not talking about SQL injection.

It's more about the possibility to input nonsense, as by viewing the source code one can find update.php easily.

What I would like is to have update.php only accessible through my AJAX call or hide update.php from others.

 

What are my possibilities?

Is my design, using AJAX and a call to a .php file in order to update a database, crap? Is there a design pattern for my use case?

 

Best regards,

wilee

Link to comment
Share on other sites

In order for any client (AJAX included) to be able to access update.php it needs to be publicly accessible. I'm not sure what the issue is. It's not like someone can simply view your PHP code.

Link to comment
Share on other sites

You can stop access to your update.php. For this I would suggest you fire the request at a different web page. Fire your AJAX request at valid_request.php; in valid_request.php just define a constant:

define('valid_request',true);

 

and in update.php check for the defined variable like

if (!defined('valid_request')) exit('No direct script access allowed'); 

 

and below this just keep your code as it is...

Link to comment
Share on other sites

phpchamps, the method you posted only works when the second file is included by the first file and the source code of the second file is essentially copy/pasted into the first file and exists in the scope of the first file (unless the include is inside of a function.)

 

When the second file is requested separately by the browser, as is the case with an AJAX request, that is a completely separate invocation of the web server and it has a completely separate scope from the first file.

Link to comment
Share on other sites

Yes, I completely agree with you, but the concern wilee is having is that he doesn't want his second file to be executed. So, in the AJAX request he will only execute the first file, and the second file will be executed indirectly. So, from the browser nobody will be able to execute the second file.

Link to comment
Share on other sites

I suggest you re-read the thread. It is the browser that is making the request for update.php -

In order for any client (ajax included) to be able to access update.php it needs to be publicly accessible.

 

The A in AJAX stands for an Asynchronous HTTP request.

Link to comment
Share on other sites

Wow, that was fast, I'm glad I found this forum :)

 

Thank you all for the replies :)

 

@thorpe

What I mean is that the JavaScript is exposed in index.php. So one can easily see the GET request to update.php?name=..&info=..

With that, users could simply call this URL externally, which is what I want to prevent. Isn't there a way to hide the JavaScript in the code and/or pass a secret with the call to update.php?

 

@greatstar00

That seems to be quite a hack to me, but thanks for this suggestion.

 

@phpchamps, PFMaBiSmAd

I don't really see how that should work, could you elaborate?

I would send a request to valid_request.php, which sets me the flag. But then I would need to request update.php, somehow?

Additionally a user could also request valid_request.php?

 

Or can I change my whole structure/design of the implementation in order to solve that?

 

Best,

wilee

 

Link to comment
Share on other sites

To ensure that only a visitor that requested the index.php page can make a request to the update.php page, you would need to set a session variable on index.php and check that the session variable exists in update.php.

Link to comment
Share on other sites

I would not recommend that you change the site structure, as you have already developed the application. In this case I would go with the above-mentioned suggestion by PFMaBiSmAd: send a request to index.php (or any file), set a session variable, and check that variable in update.php before processing...

Link to comment
Share on other sites
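
Added example, not part of the original thread and not code from any poster: one way to implement the session check suggested above, using a random per-session token instead of a bare flag, a POST request instead of GET, and server-side validation of the submitted values. The function names, the 'update_token' key, the numeric user id format and the 500-character limit are assumptions; plain arrays stand in for $_SESSION and $_POST so the file runs from the command line.

```php
<?php
// Added illustration; names, token key and field limits are assumptions.

// index.php side: create one random token per session and return it so the
// page can embed it in the JavaScript that calls update.php.
function issue_update_token(array &$session): string
{
    if (empty($session['update_token'])) {
        $session['update_token'] = bin2hex(random_bytes(32));
    }
    return $session['update_token'];
}

// update.php side: accept only a POST that carries this session's token.
function check_update_request(array $session, string $method, array $post): array
{
    if ($method !== 'POST') {
        return [405, 'POST required'];
    }
    $expected = $session['update_token'] ?? '';
    $supplied = $post['token'] ?? '';
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return [403, 'missing or wrong session token'];
    }
    // The token only proves the visitor loaded index.php; the values are
    // still client-controlled, so validate them before the INSERT.
    $user = $post['user'] ?? '';
    $info = $post['info'] ?? '';
    if (!is_string($user) || !preg_match('/^[0-9]{1,20}$/', $user)) {
        return [400, 'invalid user id'];
    }
    if (!is_string($info) || $info === '' || strlen($info) > 500) {
        return [400, 'invalid info'];
    }
    return [200, 'ok'];
}

// Constructed demo requests.
$session = [];
$token = issue_update_token($session);
$cases = [
    'direct call, no session' => check_update_request([], 'POST', ['user' => '42', 'info' => 'hi']),
    'page-issued token'       => check_update_request($session, 'POST', ['token' => $token, 'user' => '42', 'info' => 'hi']),
    'valid token, bad input'  => check_update_request($session, 'POST', ['token' => $token, 'user' => "x'", 'info' => 'hi']),
];
foreach ($cases as $name => [$status, $reason]) {
    echo "$name: $status $reason\n";
}
```

In the real pages both scripts would call session_start() and pass $_SESSION, $_SERVER['REQUEST_METHOD'] and $_POST. The check ties update.php to a session that loaded index.php; it does not make the endpoint private, which is why the field validation stays in place.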
