Ajax how to increase the security levels

Forum Moderators: open

Message Too Old, No Replies

Ajax how to increase the security levels

cfmtravel

6:36 pm on Jan 13, 2014 (gmt 0)

Hi I have a script that call a php file that makes a SELECT query on a mysql DB. Pretty easy ! The big question is about the security issues that the following procedure can present.

jQuery.ajax({
  url: 'geocoder.php',
  dataType:'json',
  type: "POST",
  data: {
  nelat: northEastLat,
  nelong: northEastLong,
  swlat: southWestLat,
  swlong: southWestLong
  },
 }).done(function(brArray) {
  //bla bla
 }

In the geocoder.php I first check to prevent a direct access to the file

$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) AND strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
   if(!$isAjax) {
    $user_error = 'Access denied - not an AJAX request...';
    trigger_error($user_error, E_USER_ERROR);
   }

and then in the query I use the variables with the function

function string_db ($value) 
 { 
  $value = (get_magic_quotes_gpc()) ? stripslashes($value) : $value; 
  return mysql_real_escape_string($value); 
 }

What else should I do to be relatively safe? Thanks a lot

Readie

5:36 pm on Jan 23, 2014 (gmt 0)

Nothing much can be done javascript side - this is more of a PHP question.

The golden rule of server side validation is to never ever ever ever trust user input. No matter what you do with your javascript, a user with a bit of know-how can circumvent it.

For general application, mysql_real_escape_string is fairly reliable (though I'm told not 100%) - however you should be aware that the mysql_ library of functions in PHP is deprecated and should be avoided.

Instead you should look to moving to the mysqli implementation, which introduces such things as paramaterised queries, which will typically make your code that much safer.

[php.net...]

You can also take a look at explicit typecasting in your SQL, and regular expression checking or typecasting in your PHP