Re: Protecting PHP scripts called via AJAX from evil

At 9:41 AM -0400 8/6/10, Marc Guay wrote:
Hi folks,

I'm looking for a straightforward way to protect PHP files which are
called via AJAX from being called from outside my application.
Currently, someone could foreseeably open the console and watch the
javascript post variables to a public file (actions/delete_thing.php)
and then use this knowledge to trash the place.  I found this thread
at stackoverflow which seems to cover the issue I'm looking at, but
it's pretty intense and I figure there's an easier way but I'm not
sure how.

http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website

It seems unlikely that this is the method everyone uses, but maybe
not.  Advice is nice.
Marc


Marc:

The logic should go like this.

Your initial PHP script [1] first generates a form that employs an AJAX script to trigger the slave PHP script [2], right?

If so, then have script [1] generate a unique token and place it in a SESSION, such as:

$_SESSION['token'] = $token; // $token is the unique value generated just before this

Then have the PHP generated HTML form include a hidden input statement, such as:

<input type="hidden" name="token" value="<?php echo($token);?>" >

Note, the "hidden" isn't providing any security -- it simply means that the value isn't printed to the browser window.

Then have the slave PHP script [2] check the value in $_SESSION['token'] against the value provided by the form. If the two match, then everything has been done via your server.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
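The scheme tedd outlines, written out end to end as an added example (this is not code from the original posts): one PHP file that plays both roles, issuing the token into the session and the hidden field when it is fetched, and verifying the posted token when the AJAX call comes back. The file name, the `id` field, and the owner lookup are illustrative assumptions; the owners array stands in for whatever database query decides who may delete what. The example goes one step beyond the thread: a matching token proves only that the request passed through a form your server issued to this same session, so the handler also checks that the logged-in user is allowed to delete that particular record.

```php
<?php
// Added example, not from the original thread. Run with the built-in server:
//   php -S localhost:8000 delete_thing.php
// and open http://localhost:8000/ in a browser. The form posts back to this file.
declare(strict_types=1);

session_start();

// Script [1] role: mint a token for this session, reusing it while the session lives.
function issue_token(): string
{
    if (empty($_SESSION['token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded. Not uniqid(), not md5(time()).
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Script [2] role: compare what the client posted with what the session holds.
// hash_equals() runs in constant time, so a guesser learns nothing from timing.
function token_is_valid(?string $posted): bool
{
    return isset($_SESSION['token'])
        && is_string($posted)
        && hash_equals($_SESSION['token'], $posted);
}

// Constructed stand-in for a database lookup of record owners (assumption).
const OWNERS = [42 => 'marc', 43 => 'tedd'];

// A valid token says the request came through your own form; it says nothing
// about whether this user may delete this record. Authorization is separate.
function user_may_delete(int $id): bool
{
    $user = $_SESSION['user_id'] ?? 'marc'; // demo: assume a logged-in user 'marc'
    return isset(OWNERS[$id]) && OWNERS[$id] === $user;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Bad or missing token');
    }
    $id = (int)($_POST['id'] ?? 0);
    if (!user_may_delete($id)) {
        http_response_code(403);
        exit('Not allowed to delete this record');
    }
    // delete_thing($id) would go here.
    header('Content-Type: application/json');
    echo json_encode(['deleted' => $id]);
    exit;
}

// GET: render the form with the hidden token field and the AJAX call that posts it back.
$token = issue_token();
?>
<form id="f">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="hidden" name="id" value="42">
  <button type="submit">Delete 42</button>
</form>
<script>
document.getElementById('f').addEventListener('submit', function (e) {
  e.preventDefault();
  // Post the same fields, token included; the session cookie rides along.
  fetch(location.pathname, {
    method: 'POST',
    body: new FormData(e.target),
    credentials: 'same-origin'
  }).then(r => r.text()).then(console.log);
});
</script>
```

To see the check fail, change the hidden `token` value in the browser's element inspector before submitting, or post to the script with curl and no session cookie: both get a 403. Changing the `id` to 43 with a good token also gets a 403, which is the authorization check doing work the token alone cannot.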

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
