Re: What is the best way to protect the PHP page that returns the AJAX data?

I would also like to know how people are dealing with this. How do you make sure people don't steal your data? Sometimes it can be something simple like state names, but sometimes it can be your entire user/email database, who knows?

And OF COURSE he is not passing a query on the url, a dumb user like this wouldn't know how to enter a mailing list :P

Thanks,
Rangel

----- Original Message -----
From: "Daevid Vincent" <daevid@xxxxxxxxxx>
To: <php-general@xxxxxxxxxxxxx>
Sent: Friday, May 11, 2007 12:18 AM
Subject: What is the best way to protect the PHP page that returns the AJAX data?


Like most sites, someone needs to join up to use mine.

I'm using a wee-bit-o-AJAX to pull some results from a database and display them dynamically.

For the AJAX to work, it has to hit a script that's accessible from the htdocs tree right?
Effectively it's just a (JavaScript initiated) GET URL request correct?

For example, index.html calls http://example.com/gimmedata.php?query=foo
That in turn returns a JS formatted array which is eval() in JS and rendered on the page.

(over simplified I know)

My question is, how do you protect gimmedata.php since it's sitting out there sans normal web headers and stuff? Can it include session_start() and do all that wonderful checking to make sure the user is logged in before just happily doling out my precious data?

What is the proper, secure, sanctioned and AJAX/PHP blessed way to do this?

I could set up a test environment and hack up something I'm sure -- and probably will if I get too impatient, but nobody seems to address this issue in any examples, they just do it as if information is *gasp* free. I'm a PHP guru, but I am also an AJAX novice. From what I gather, the return is really in XML transport format and all the magic of converting to/from XML is transparent to me. I worry that putting other headers or whatever may "corrupt" that?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
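
An added example, not part of either message in this thread: one way gimmedata.php could apply the same session check as a normal page before returning any data. The session key `user_id`, the constructed state list standing in for the database, and the input pattern are assumptions.

```php
<?php
// gimmedata.php -- added example. Session key, sample data and limits are assumptions.
declare(strict_types=1);

/** Decide status and body for one request; kept pure so it can be run without a web server. */
function handle_request(array $session, array $get, array $states): array
{
    // 1. Same login check as any normal page: no authenticated session, no data.
    if (empty($session['user_id'])) {
        return [401, ['error' => 'login required']];
    }
    // 2. Validate the parameter before it goes anywhere near a query.
    $q = $get['query'] ?? '';
    if (!is_string($q) || !preg_match('/^[A-Za-z ]{1,32}$/', $q)) {
        return [400, ['error' => 'bad query']];
    }
    // 3. Return only the rows this request is entitled to (prefix match here).
    $hits = array_values(array_filter(
        $states,
        fn(string $s): bool => stripos($s, $q) === 0
    ));
    return [200, ['results' => $hits]];
}

// Constructed sample data standing in for the database.
$states = ['Alabama', 'Alaska', 'Arizona', 'Nevada', 'New York'];

if (PHP_SAPI === 'cli') {
    // Offline run of the three outcomes: anonymous, bad input, logged in.
    $cases = [
        [[], ['query' => 'al']],
        [['user_id' => 7], ['query' => "al' OR 1=1"]],
        [['user_id' => 7], ['query' => 'al']],
    ];
    foreach ($cases as [$session, $get]) {
        echo json_encode(handle_request($session, $get, $states)), PHP_EOL;
    }
} else {
    // The XMLHttpRequest carries the browser's session cookie like any other GET.
    // Session and content-type headers travel beside the body and do not alter it.
    session_start();
    [$status, $body] = handle_request($_SESSION, $_GET, $states);
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('Cache-Control: no-store');
    echo json_encode($body);
}
```

On the client, treat a 401 as "session expired" and parse the body with JSON.parse() rather than eval().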

