That's a humongous, humongous security risk there. What if someone goes http://example.com/gimmedata.php?query=DROP DATABASE hi? Unless I misunderstood. A better way would be in the script: switch ($_GET['query']) { case "fetch": $dbquery = 'SELECT stuff FROM stuff'; break; case "eatsnacks": $dbquery = 'SELECT snacks FROM edibles'; break; // ... } and fetch instead "http://example.com/gimmedata.php?query=eatsnacks"; On 5/10/07, Daevid Vincent <daevid@xxxxxxxxxx> wrote:
Like most sites, someone needs to join up to use mine. I'm using a wee-bit-o-AJAX to pull some results from a database and display them dynamically. For the AJAX to work, it has to hit a script that's accessible from the htdocs tree right? Effectively it's just a (JavaScript initiated) GET URL request correct? For example, index.html calls http://example.com/gimmedata.php?query=foo That in turn returns a JS formatted array which is eval() in JS and rendered on the page. (over simplified I know) My question is, how do you protect gimmedata.php since it's sitting out there sans normal web headers and stuff? Can it include session_start() and do all that wonderful checking to make sure the user is logged in before just happily doling out my precious data? What is the proper, secure, sanctioned and AJAX/PHP blessed way to do this? I could set up a test environment and hack up something I'm sure -- and probably will if I get too impatient, but nobody seems to address this issue in any examples, they just do it as if information is *gasp* free. I'm a PHP guru, but I am also an AJAX novice. From what I gather, the return is really in XML transport format and all the magic of converting to/from XML is transparent to me. I worry that putting other headers or whatever may "corrupt" that? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
