JavaScript and AJAX Forum
Ajax how to increase the security levels
cfmtravel
msg:4637133
6:36 pm on Jan 13, 2014 (gmt 0)

Hi, I have a script that calls a PHP file that makes a SELECT query on a MySQL DB. Pretty easy! The big question is about the security issues that the following procedure can present.

jQuery.ajax({
    url: 'geocoder.php',
    dataType: 'json',
    type: "POST",
    data: {
        // corners of the visible map area, sent as POST fields
        nelat: northEastLat,
        nelong: northEastLong,
        swlat: southWestLat,
        swlong: southWestLong
    }
}).done(function(brArray) {
    // bla bla
});


In geocoder.php I first check to prevent direct access to the file:

// `&&` is required here: with `AND`, which binds more loosely than `=`,
// $isAjax only received the isset() result and the header value was never compared.
// Note that any HTTP client can set this header itself, so this is a convenience
// check against accidental browsing, not access control.
$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
if (!$isAjax) {
    $user_error = 'Access denied - not an AJAX request...';
    trigger_error($user_error, E_USER_ERROR);
}


and then in the query I use the variables through this function:

function string_db($value)
{
    // undo magic_quotes (removed in PHP 5.4) before escaping, to avoid double escaping
    $value = (get_magic_quotes_gpc()) ? stripslashes($value) : $value;
    // escape for interpolation into a quoted SQL string literal;
    // requires an open mysql_connect() link to know the connection charset
    return mysql_real_escape_string($value);
}


What else should I do to be relatively safe? Thanks a lot.

Readie
msg:4639636
5:36 pm on Jan 23, 2014 (gmt 0)

Nothing much can be done JavaScript side - this is more of a PHP question.

The golden rule of server-side validation is to never ever ever ever trust user input. No matter what you do with your JavaScript, a user with a bit of know-how can circumvent it.

For general application, mysql_real_escape_string is fairly reliable (though I'm told not 100%) - however you should be aware that the mysql_ library of functions in PHP is deprecated and should be avoided.

Instead you should look to moving to the mysqli implementation, which introduces such things as parameterised queries, which will typically make your code that much safer.

[php.net...]

You can also take a look at explicit typecasting in your SQL, and regular expression checking or typecasting in your PHP.
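
One way to put that advice into practice for the geocoder.php endpoint from the question (an added example, not code from either poster): the four coordinates are validated as floats within their legal ranges and rejected with a 400 if anything is off, and the SELECT runs through a mysqli prepared statement with bound double parameters, so the request values never become part of the SQL text. The `places` table and its `name`/`lat`/`lng` columns, the connection credentials and the `LIMIT` are assumptions to be adjusted to the real schema.

```php
<?php
// Added example (not the poster's code): geocoder.php with mysqli prepared
// statements and numeric validation of the bounding box. Schema and
// connection details below are assumptions.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Read one coordinate from the POST body: it must parse as a float and lie
 * within [$min, $max]. Returns null for a missing or invalid value.
 */
function coordinate(array $post, string $key, float $min, float $max): ?float
{
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $v = filter_var($post[$key], FILTER_VALIDATE_FLOAT);
    if ($v === false || $v < $min || $v > $max) {
        return null;
    }
    return $v;
}

/** Build the bounding box, or return null if any corner is invalid. */
function boundingBox(array $post): ?array
{
    $box = [
        'nelat'  => coordinate($post, 'nelat',  -90.0,  90.0),
        'nelong' => coordinate($post, 'nelong', -180.0, 180.0),
        'swlat'  => coordinate($post, 'swlat',  -90.0,  90.0),
        'swlong' => coordinate($post, 'swlong', -180.0, 180.0),
    ];
    if (in_array(null, $box, true)) {
        return null;
    }
    // The south-west corner must be below the north-east one; a flipped box is a client bug.
    // (Longitude is deliberately not ordered: a box crossing the antimeridian has
    // swlong > nelong and would need two ranges, which this example does not handle.)
    if ($box['swlat'] > $box['nelat']) {
        return null;
    }
    return $box;
}

/** Run the query with bound parameters; the values never touch the SQL string. */
function placesInBox(mysqli $db, array $box): array
{
    // Assumed schema: table `places` with columns name, lat, lng.
    $sql = 'SELECT name, lat, lng FROM places
            WHERE lat BETWEEN ? AND ? AND lng BETWEEN ? AND ?
            LIMIT 500';
    $stmt = $db->prepare($sql);
    // 'd' = double for each placeholder, so the server receives numbers, not strings.
    $stmt->bind_param('dddd', $box['swlat'], $box['nelat'], $box['swlong'], $box['nelong']);
    $stmt->execute();
    // get_result() needs the mysqlnd driver; otherwise use bind_result()/fetch().
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

header('Content-Type: application/json');

$box = boundingBox($_POST);
if ($box === null) {
    http_response_code(400);   // reject bad input outright rather than escaping it
    echo json_encode(['error' => 'invalid bounding box']);
    exit;
}

// Assumed connection settings; a SELECT-only endpoint should use a read-only DB account.
$db = new mysqli('localhost', 'geocoder_ro', 'CHANGE_ME', 'geo');
$db->set_charset('utf8mb4');

echo json_encode(placesInBox($db, $box));
```

The X-Requested-With check from the question can stay as a convenience, but as Readie says it is not something a determined client cannot get around, so the real protection is the validation plus the prepared statement above. Database exceptions thrown by mysqli in strict reporting mode should be caught and logged server-side rather than echoed into the JSON response, so that table or column names are not leaked to the browser.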
