I have following PHP and Javascript code snippet in which I am making an jQuery AJAX call to get data from PHP and show it in the HTML.
PHP code
<?php
myfunction();
function myfunction()
{
$myvar = $_POST['q']." how are you?";
$myvar2 = $_POST['z'];
echo $myvar."\n".$myvar2;
}
?>
HTML code
<div id="mydiv"></div>
Javascript code
var data =" hello world";
var data2=" hello all";
function run()
{
$.ajax(
{
url: 'myscript.php',
data: {'q': data,'z':data2},
type: 'post',
success: function(output)
{
//alert(output);
document.getElementById("mydiv").innerHTML += output; //add output to div
}
}
);
}
Above code is working fine.
I want to secure this AJAX call to prevent it from hackers because I am making an AJAX call which is visible to all. This code is vulnerable to hackers attack. My question is what and where should I impose extra checks to make my AJAX call secure?
One thing I know that I should use following code snippet in my PHP file
if (!$_POST['q'] && !$_POST['z'])
{
exit;
}|
else
{
myfunction(); //call myfunction only if page is posted
}
What extra checks should I use in PHP and Javascript files?
I have following PHP and Javascript code snippet in which I am making an jQuery AJAX call to get data from PHP and show it in the HTML.
PHP code
<?php
myfunction();
function myfunction()
{
$myvar = $_POST['q']." how are you?";
$myvar2 = $_POST['z'];
echo $myvar."\n".$myvar2;
}
?>
HTML code
<div id="mydiv"></div>
Javascript code
var data =" hello world";
var data2=" hello all";
function run()
{
$.ajax(
{
url: 'myscript.php',
data: {'q': data,'z':data2},
type: 'post',
success: function(output)
{
//alert(output);
document.getElementById("mydiv").innerHTML += output; //add output to div
}
}
);
}
Above code is working fine.
I want to secure this AJAX call to prevent it from hackers because I am making an AJAX call which is visible to all. This code is vulnerable to hackers attack. My question is what and where should I impose extra checks to make my AJAX call secure?
One thing I know that I should use following code snippet in my PHP file
if (!$_POST['q'] && !$_POST['z'])
{
exit;
}|
else
{
myfunction(); //call myfunction only if page is posted
}
What extra checks should I use in PHP and Javascript files?
Share Improve this question asked Nov 24, 2013 at 3:26 user1556433user1556433 4- 1 Read stackoverflow./questions/1953954 and stackoverflow./questions/3362207 – Tushar Gupta - curioustushar Commented Nov 24, 2013 at 3:31
- what do you mean by "prevent it from hackers" ? If it's about making request to the script, no matter what you do, if the browser can make request to it then the hacker can do it too. – w00d Commented Nov 24, 2013 at 3:33
- @w00d - I need your suggestion on how to improve this simple code snippet by imposing extra checks so that it make it secure and nobody can misuse data which PHP file accesses from database. – user1556433 Commented Nov 24, 2013 at 3:37
- I guess if you wanted to go a few extra steps further you could run it via https and run some type of auth on the api. – Oliver Bayes-Shelton Commented Mar 13, 2014 at 15:11
2 Answers
Reset to default 4there are lots of tricks that hackers use so you just have to make it hard/time consuming enough that the reward is not worth the investment.
First you should never echo back something that came in a post. Hackers are known to perform all sorts of injections with a hole like that.
To avoid that simply unescape the value first.
For MySQL use:mysqli_real_escape_string.
When echoing back HTML (echo or print) use: htmlspecialchars.
For executing code with exec use escapeshellcmd and escapeshellarg.
Example:
<?php
define('CHARSET', 'ISO-8859-1');
define('REPLACE_FLAGS', ENT_COMPAT | ENT_XHTML);
function html($string) {
return htmlspecialchars($string, REPLACE_FLAGS, CHARSET);
}
$myvar = $_POST['q']." how are you?";
$myvar2 = $_POST['z'];
echo html($myvar."\n".$myvar2);
?>
You are using POST that is good.
- More you can use "Session" for security.
- For code security you can put your functions and other important code in some different php files and include them in main file. To keep your code visible from directly.