Jump to content

Recommended Posts

I want to perform a php process initiated by AJAX according to the method described in http://www.w3schools.com/PHP/php_ajax_database.asp

 

with this line

xmlhttp.open("GET","getuser.php?q="+str,true);

the php process in getuser.php is initiated. But how I can restrict direct access to getuser.php?

 

If someone visit getuser.php?q=something; the process will be started for "something". I want to run the getuser.php process only and only when it is initiated from my main page.

There is no way to know for sure where the call was initiated from because an AJAX request is just the same as any other page request. If you add any sort of variable to check, it will always be breakable by just copying the AJAX HTTP request.

 

Have you considered securing it with a login system? So only give access if a user is authenticated.

Thanks for your attention. There are two issues:

 

1. Some features are available to all visitors and I cannot limit by login

 

2. My concern is about security issue. If it is for posting something on the website. Even logged users can abuse the system to post something by direct access to the php file.

If you're using jQuery or another framework, you can pretty safely rely on this method of detecting AJAX requests. If you're not using a framework, you can still include the header in your own script and use it. As mentioned though, you can't safely restrict access to pages if not from an AJAX request, because essentially there's no difference in the request, only that one was scripted.

 

Your code should have the neccesary security checks to prevent any kind of abuse; time-outs, user validation, etc. You're approaching security from the wrong angle.

Since I use jQuery for some function; the method seems to be practical.

 

However, I did not get your point about security. This is a simple script and I think there is less space for security holes. Could you please give me some tips to check security issues?

2. My concern is about security issue. If it is for posting something on the website. Even logged users can abuse the system to post something by direct access to the php file.

 

This is a simple script and I think there is less space for security holes. Could you please give me some tips to check security issues?

 

??

A bot that submits forms is by no means complex. There are lots of tutorials out there.

 

The method found here: http://davidwalsh.name/detect-ajax is by no means secure. You're relying on headers sent by the client that can be easily spoofed.

 

Allowing non-registered users to post will open you up to SPAM. Your best bet is probably to include a Captcha for non-registered users, and perhaps a Captcha every 10 or so posts for registered members.

Nice point! This is exactly what I meant. Captcha is a must, as human spam is also a serious problem. However, I think captcha hinders submitting the form; but when someone directly accesses the php file, no captcha is there to hinder him. Right?

The PHP file will require the Captcha ID and a correct response to be passed to it through the headers in either the query string ($_GET) or through post ($_POST). Accessing the file directly won't display a Captcha to respond to and make it theoretically impossible to break.

 

This is a great way to force the user to submit the post through your main page. Accessing the AJAX page with a bad/no id/response could lead to a 404, error message, etc.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.