Re: What is the best way to protect the PHP page that returns the AJAX data?

That's a humongous, humongous security risk there.

What if someone goes http://example.com/gimmedata.php?query=DROP DATABASE hi?
Unless I misunderstood.

A better way would be in the script:

$query = isset($_GET['query']) ? $_GET['query'] : '';
switch ($query) {
case "fetch":     $dbquery = 'SELECT stuff FROM stuff';   break;
case "eatsnacks": $dbquery = 'SELECT snacks FROM edibles'; break;
// ...
default: exit('unknown query'); // reject anything not listed above
}

and fetch instead "http://example.com/gimmedata.php?query=eatsnacks";

On 5/10/07, Daevid Vincent <daevid@xxxxxxxxxx> wrote:
Like most sites, someone needs to join up to use mine.

I'm using a wee-bit-o-AJAX to pull some results from a database and display them dynamically.

For the AJAX to work, it has to hit a script that's accessible from the htdocs tree right?
Effectively it's just a (JavaScript initiated) GET URL request correct?

For example, index.html calls http://example.com/gimmedata.php?query=foo
That in turn returns a JS formatted array which is eval() in JS and rendered on the page.

(over simplified I know)

My question is, how do you protect gimmedata.php since it's sitting out there sans normal web headers and stuff?
Can it include session_start() and do all that wonderful checking to make sure the user is logged in before just happily doling out my precious data?

What is the proper, secure, sanctioned and AJAX/PHP blessed way to do this?

I could set up a test environment and hack up something I'm sure -- and probably will if I get too impatient, but nobody seems to address this issue in any examples; they just do it as if information is *gasp* free. I'm a PHP guru, but I am also an AJAX novice.
From what I gather, the return is really in XML transport format and all the magic of converting to/from XML is transparent to me. I worry that putting other headers or whatever may "corrupt" that?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


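The two points raised in this thread (check the session before returning anything, and let the client pick a query by name rather than send SQL) fit together in one script. The following gimmedata.php is an added example, not code from either poster; the table and column names, the PDO DSN and credentials, and the session key 'user_id' are assumptions.

```php
<?php
// Added example (not from the thread): a self-contained gimmedata.php that
// requires a logged-in session and maps a short query *name* to a fixed SQL
// statement. Table names, the PDO DSN and the session key 'user_id' are assumed.

session_start();

// 1. Authentication: the endpoint is an ordinary PHP script, so session
//    checking works exactly as it does for a normal page.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 401 Unauthorized');
    header('Content-Type: application/json');
    echo json_encode(array('error' => 'login required'));
    exit;
}

// 2. Allowlist: the only client-controlled input is a key into this table.
//    Anything not listed here is rejected before the database is touched.
$allowedQueries = array(
    'fetch'     => 'SELECT id, name FROM stuff ORDER BY id',
    'eatsnacks' => 'SELECT id, snack FROM edibles WHERE owner_id = :uid',
);

$name = isset($_GET['query']) ? $_GET['query'] : '';
if (!array_key_exists($name, $allowedQueries)) {
    header('HTTP/1.1 400 Bad Request');
    header('Content-Type: application/json');
    echo json_encode(array('error' => 'unknown query'));
    exit;
}

// 3. Database access through a prepared statement. The only bound value is
//    the user id taken from the session, never from the URL.
try {
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret'); // assumed DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql  = $allowedQueries[$name];
    $stmt = $pdo->prepare($sql);
    $params = array();
    if (strpos($sql, ':uid') !== false) {
        $params[':uid'] = (int) $_SESSION['user_id'];
    }
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    header('HTTP/1.1 500 Internal Server Error');
    header('Content-Type: application/json');
    echo json_encode(array('error' => 'query failed')); // no SQL or DSN detail sent to the client
    exit;
}

// 4. Response: JSON with an explicit content type. The page's JavaScript
//    should parse this with JSON.parse() instead of eval(), so returned data
//    is treated as data rather than executed as script.
header('Content-Type: application/json');
header('Cache-Control: no-store');
echo json_encode($rows);
```

On the client, the request stays "gimmedata.php?query=eatsnacks"; the extra headers do not interfere with XMLHttpRequest, which simply receives the response body as text. The status codes (401, 400) let the JavaScript distinguish "not logged in" from "bad request" without parsing error strings.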

