Thanks for the suggestion and concern. Fear not, I'm a PHP Guru as mentioned. I never said that I execute the code directly like that. Perhaps my "query" keyname was a bit misleading. Would http://example.com/gimmedata.php?id=3&foo=bar&map=on have been more clear?

I also am not so silly as to run unchecked variables into my SQL queries, nor do I not check for mismatched ' ; and other injection attempts in my database wrapper. ;-)

Anyways, none of that is the point. I wanted to know how to prevent a random person from hitting that same gimmedata.php using their own parameters (valid or not).

Since I wrote this initial email, I've done some testing, and much to my glee, it seems they work just like any other page, so therefore putting a simple session_start() and testing if the user is logged in, etc. is quite effective.

d

> -----Original Message-----
> From: heavyccasey@xxxxxxxxx [mailto:heavyccasey@xxxxxxxxx]
> Sent: Thursday, May 10, 2007 8:28 PM
> To: Daevid Vincent
> Cc: php-general@xxxxxxxxxxxxx
> Subject: Re: What is the best way to protect the PHP page that returns the AJAX data?
>
> That's a humongous, humongous security risk there.
>
> What if someone goes http://example.com/gimmedata.php?query=DROP DATABASE hi? Unless I misunderstood.
>
> A better way would be in the script:
>
> switch ($_GET['query']) {
>     case "fetch": $dbquery = 'SELECT stuff FROM stuff'; break;
>     case "eatsnacks": $dbquery = 'SELECT snacks FROM edibles'; break;
>     // ...
> }
>
> and fetch instead "http://example.com/gimmedata.php?query=eatsnacks"
>
> On 5/10/07, Daevid Vincent <daevid@xxxxxxxxxx> wrote:
> > Like most sites, someone needs to join up to use mine.
> >
> > I'm using a wee-bit-o-AJAX to pull some results from a database and display them dynamically.
> >
> > For the AJAX to work, it has to hit a script that's accessible from the htdocs tree right?
> > Effectively it's just a (JavaScript initiated) GET URL request correct?
> >
> > For example, index.html calls http://example.com/gimmedata.php?query=foo
> > That in turn returns a JS formatted array which is eval() in JS and rendered on the page.
> >
> > (over simplified I know)
> >
> > My question is, how do you protect gimmedata.php since it's sitting out there sans normal web headers and stuff?
> > Can it include session_start() and do all that wonderful checking to make sure the user is logged in before just happily doling out my precious data?
> >
> > What is the proper, secure, sanctioned and AJAX/PHP blessed way to do this?
> >
> > I could set up a test environment and hack up something I'm sure -- and probably will if I get too impatient, but nobody seems to address this issue in any examples, they just do it as if information is *gasp* free. I'm a PHP guru, but I am also an AJAX novice.
> > From what I gather, the return is really in XML transport format and all the magic of converting to/from XML is transparent to me. I worry that putting other headers or whatever may "corrupt" that?
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
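The two points raised in this thread, a session check so the AJAX endpoint only answers logged-in users and a whitelist of named queries so the client never sends SQL, combined in one endpoint. This is an added example, not code posted by either participant; the `user_id` session key, the table and column names and the SQLite DSN are assumptions.

```php
<?php
// gimmedata.php: an AJAX data endpoint protected the way the thread describes.
// Added example; 'user_id', the table/column names and the DSN are assumptions.

session_start();

function jsonError(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Authentication. The session cookie is sent with an XMLHttpRequest exactly
//    as with a normal page load, so the same login check applies unchanged.
if (empty($_SESSION['user_id'])) {
    jsonError(403, 'not logged in');
}

// 2. Whitelist. The client sends a query *name*; the SQL lives only on the
//    server, so nothing from the request is ever spliced into a statement.
$allowed = [
    'fetch'     => 'SELECT id, name  FROM stuff   WHERE owner_id = :uid',
    'eatsnacks' => 'SELECT id, snack FROM edibles WHERE owner_id = :uid',
];
$name = $_GET['query'] ?? '';
if (!array_key_exists($name, $allowed)) {
    jsonError(400, 'unknown query');
}

// 3. Any real parameter (here an optional numeric id) is validated and bound
//    through a prepared statement rather than concatenated.
$sql    = $allowed[$name];
$params = [':uid' => (int) $_SESSION['user_id']];
if (isset($_GET['id'])) {
    if (!ctype_digit((string) $_GET['id'])) {
        jsonError(400, 'bad id');
    }
    $sql .= ' AND id = :id';
    $params[':id'] = (int) $_GET['id'];
}

$pdo = new PDO('sqlite:' . __DIR__ . '/data.sqlite');   // assumed DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 4. Return JSON with an explicit content type; the page can then use
//    JSON.parse() on the response instead of eval().
header('Content-Type: application/json');
header('Cache-Control: no-store');
echo json_encode($rows);
```

The `owner_id = :uid` clause ties every whitelisted query to the session's own user, so a logged-in visitor who guesses another user's `id` still only sees their own rows; the whitelist alone would not give that.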