Re: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-13 Thread Richard Lynch
On Fri, May 11, 2007 9:59 pm, [EMAIL PROTECTED] wrote:
 Set ajaxObject.setRequestHeader("User-Agent", "SecretName"); in
 Javascript and check for it in PHP. Not fool-proof, but the average
 person wouldn't be able to get in.

Unless the user uses View Source and reads your AJAX code...

This is not going to stop any serious attempt, but as one more
defense-in-depth mechanism, it wouldn't hurt.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-13 Thread Stut

Richard Lynch wrote:

On Fri, May 11, 2007 9:59 pm, [EMAIL PROTECTED] wrote:

Set ajaxObject.setRequestHeader("User-Agent", "SecretName"); in
Javascript and check for it in PHP. Not fool-proof, but the average
person wouldn't be able to get in.


Unless the user uses View Source and reads your AJAX code...

This is not going to stop any serious attempt, but as one more
defense-in-depth mechanism, it wouldn't hurt.


Unless the user is using a browser or going through a proxy that strips 
or replaces the User-Agent header.


-Stut




Re: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-12 Thread Robert Cummings
On Fri, 2007-05-11 at 22:12 -0700, [EMAIL PROTECTED] wrote:
 I don't see you giving a solution.

The solution is the same as for any session in which you want to protect
data. It hardly needs covering yet again. Read the archives.

Cheers,
Rob.

 
 On 5/11/07, Robert Cummings [EMAIL PROTECTED] wrote:
  On Fri, 2007-05-11 at 19:59 -0700, [EMAIL PROTECTED] wrote:
   Set ajaxObject.setRequestHeader("User-Agent", "SecretName"); in
   Javascript and check for it in PHP. Not fool-proof, but the average
   person wouldn't be able to get in.
 
  Bleh, do it right. Don't settle for half-assed solutions that rely on
  someone being an average person.
 
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'




Re: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-11 Thread Crayon Shin Chan
On Friday 11 May 2007 12:45, Robert Cummings wrote:
 On Thu, 2007-05-10 at 21:23 -0700, Daevid Vincent wrote:
  Thanks for the suggestion and concern. Fear not, I'm a PHP Guru as
  mentioned.

 A Guru would have spent 60 seconds testing to see if the
 session_start() scenario worked BEFORE posting to the list :B

A guru would've KNOWN it :)

-- 
Crayon




Re: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-11 Thread clive

Robert Cummings wrote:

A Guru would have spent 60 seconds testing to see if the session_start()
scenario worked BEFORE posting to the list :B


/me was thinking the same

--
Regards,

Clive.

Real Time Travel Connections


{No electrons were harmed in the creation, transmission or reading of 
this email. However, many were excited and some may well have enjoyed 
the experience.}





Re: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-11 Thread heavyccasey

Set ajaxObject.setRequestHeader("User-Agent", "SecretName"); in
Javascript and check for it in PHP. Not fool-proof, but the average
person wouldn't be able to get in.

On 5/11/07, clive [EMAIL PROTECTED] wrote:

Robert Cummings wrote:
 A Guru would have spent 60 seconds testing to see if the session_start()
 scenario worked BEFORE posting to the list :B

/me was thinking the same








Re: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-11 Thread Robert Cummings
On Fri, 2007-05-11 at 19:59 -0700, [EMAIL PROTECTED] wrote:
 Set ajaxObject.setRequestHeader("User-Agent", "SecretName"); in
 Javascript and check for it in PHP. Not fool-proof, but the average
 person wouldn't be able to get in.

Bleh, do it right. Don't settle for half-assed solutions that rely on
someone being an average person.

Cheers,
Rob.




Re: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-11 Thread heavyccasey

I don't see you giving a solution.

On 5/11/07, Robert Cummings [EMAIL PROTECTED] wrote:

On Fri, 2007-05-11 at 19:59 -0700, [EMAIL PROTECTED] wrote:
 Set ajaxObject.setRequestHeader("User-Agent", "SecretName"); in
 Javascript and check for it in PHP. Not fool-proof, but the average
 person wouldn't be able to get in.

Bleh, do it right. Don't settle for half-assed solutions that rely on
someone being an average person.

Cheers,
Rob.







RE: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-10 Thread Daevid Vincent
Thanks for the suggestion and concern. Fear not, I'm a PHP Guru as mentioned. I never said that I execute the code directly like that. Perhaps my query keyname was a bit misleading. Would http://example.com/gimmedata.php?id=3&foo=bar&map=on have been more clear? I also am not so silly as to run unchecked variables into my SQL queries, nor do I neglect to check for mismatched ' ; and other injection attempts in my database wrapper. ;-)

Anyways, none of that is the point. I wanted to know how to prevent a random person from hitting that same gimmedata.php using their own parameters (valid or not).

Since I wrote this initial email, I've done some testing, and much to my glee, it seems they work just like any other page, so therefore putting a simple session_start() and testing if the user is logged in, etc. is quite effective.

d

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, May 10, 2007 8:28 PM
 To: Daevid Vincent
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] What is the best way to protect the PHP 
 page that returns the AJAX data?
 
 That's a humongous, humongous security risk there.
 
 What if someone goes 
 http://example.com/gimmedata.php?query=DROP DATABASE hi?
 Unless I misunderstood.
 
 A better way would be in the script:
 
 switch ($_GET['query']) {
  case "fetch": $dbquery = 'SELECT stuff FROM stuff'; break;
  case "eatsnacks": $dbquery = 'SELECT snacks FROM edibles'; break;
  // ...
 }
 
 and fetch instead http://example.com/gimmedata.php?query=eatsnacks;
 
 On 5/10/07, Daevid Vincent [EMAIL PROTECTED] wrote:
  Like most sites, someone needs to join up to use mine.
 
  I'm using a wee-bit-o-AJAX to pull some results from a 
 database and display them dynamically.
 
  For the AJAX to work, it has to hit a script that's 
 accessible from the htdocs tree right?
  Effectively it's just a (JavaScript initiated) GET URL 
 request correct?
 
  For example, index.html calls 
 http://example.com/gimmedata.php?query=foo
  That in turn returns a JS formatted array which is eval() 
 in JS and rendered on the page.
 
  (over simplified I know)
 
  My question is, how do you protect gimmedata.php since it's 
 sitting out there sans normal web headers and stuff?
  Can it include session_start() and do all that wonderful 
 checking to make sure the user is logged in before just 
 happily doling out
  my precious data?
 
  What is the proper, secure, sanctioned and AJAX/PHP blessed 
 way to do this?
 
  I could set up a test environment and hack up something I'm 
 sure -- and probably will if I get too impatient, but nobody seems to
  address this issue in any examples, they just do it as if 
 information is *gasp* free. I'm a PHP guru, but I am also an 
 AJAX novice.
  From what I gather, the return is really in XML transport 
 format and all the magic of converting to/from XML is 
 transparent to me. I
  worry that putting other headers or whatever may corrupt that?
 
 
 
 
 

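An added example, not code from anyone in the thread, putting together the two points the thread settles on: the data endpoint runs session_start() and checks the login state exactly as any other protected page does, and the "query" parameter is only ever a name looked up in a fixed whitelist, never SQL text. The session key user_id, the getDb() helper and the SQLite sample tables are assumptions made for the example.

```php
<?php
// Added example, not code from the thread: a gimmedata.php-style endpoint that
// (1) requires a logged-in session, which Daevid found works for AJAX requests
// exactly as for any other page, and (2) maps the "query" parameter through a
// whitelist (heavyccasey's switch idea), so request text never becomes SQL.
declare(strict_types=1);
// Assumption: the site's login code sets $_SESSION['user_id'] on success.
function isLoggedIn(): bool
{
    return !empty($_SESSION['user_id']);
}

// Assumption: stands in for the application's real connection; an in-memory
// SQLite database with constructed sample rows is used so this runs offline.
function getDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE stuff (id INTEGER, name TEXT)');
    $db->exec("INSERT INTO stuff VALUES (1, 'alpha'), (2, 'beta')");
    $db->exec('CREATE TABLE edibles (snack TEXT)');
    $db->exec("INSERT INTO edibles VALUES ('pretzel')");
    return $db;
}

// The client may only name a query; the SQL itself never comes from the request.
const QUERIES = [
    'fetch'     => 'SELECT id, name FROM stuff ORDER BY id',
    'eatsnacks' => 'SELECT snack FROM edibles ORDER BY snack',
];

function sendJson(int $status, $payload): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($payload);
}

session_start();
if (!isLoggedIn()) {
    sendJson(401, ['error' => 'not logged in']);
    exit;
}

// Reject anything that is not a plain string naming a whitelisted query.
$name = $_GET['query'] ?? '';
if (!is_string($name) || !array_key_exists($name, QUERIES)) {
    sendJson(400, ['error' => 'unknown query']);
    exit;
}
// Emit JSON for the page to JSON.parse(), instead of JS text for eval().
sendJson(200, getDb()->query(QUERIES[$name])->fetchAll(PDO::FETCH_ASSOC));
```

The 401 branch is what an unauthenticated caller hitting the script with their own parameters sees; the 400 branch covers a logged-in user who supplies a query name that is not in the map.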



RE: [PHP] What is the best way to protect the PHP page that returns the AJAX data? [solved]

2007-05-10 Thread Robert Cummings
On Thu, 2007-05-10 at 21:23 -0700, Daevid Vincent wrote:
 Thanks for the suggestion and concern. Fear not, I'm a PHP Guru as mentioned.

A Guru would have spent 60 seconds testing to see if the session_start()
scenario worked BEFORE posting to the list :B

Cheers,
Rob.
