Ajax how to increase the security levels

6:36 pm on Jan 13, 2014 (gmt 0)

New User

joined:Oct 30, 2013
posts: 37
votes: 0

Hi, I have a script that calls a PHP file that makes a SELECT query on a MySQL DB. Pretty easy! The big question is about the security issues that the following procedure can present.

    $.ajax({
        url: 'geocoder.php',
        type: "POST",
        data: {
            nelat: northEastLat,
            nelong: northEastLong,
            swlat: southWestLat,
            swlong: southWestLong
        }
    }).done(function(brArray) {
        // bla bla
    });

In geocoder.php I first check to prevent direct access to the file:

    // && is needed here: AND binds more loosely than =, which would assign only the isset() result
    $isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
    if (!$isAjax) {
        $user_error = 'Access denied - not an AJAX request...';
        trigger_error($user_error, E_USER_ERROR);
    }

and then in the query I use the variables with the function

    function string_db($value)
    {
        // Undo magic-quotes escaping first so the value is not escaped twice
        $value = (get_magic_quotes_gpc()) ? stripslashes($value) : $value;
        return mysql_real_escape_string($value);
    }

What else should I do to be relatively safe? Thanks a lot

5:36 pm on Jan 23, 2014 (gmt 0)

Senior Member

joined:Dec 13, 2009
votes: 0

Nothing much can be done JavaScript side - this is more of a PHP question.

The golden rule of server side validation is to never ever ever ever trust user input. No matter what you do with your JavaScript, a user with a bit of know-how can circumvent it.

For general application, mysql_real_escape_string is fairly reliable (though I'm told not 100%) - however you should be aware that the mysql_ library of functions in PHP is deprecated and should be avoided.

Instead you should look to moving to the mysqli implementation, which introduces such things as parameterised queries, which will typically make your code that much safer.


You can also take a look at explicit typecasting in your SQL, and regular expression checking or typecasting in your PHP.
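
The parameterised query and PHP-side type checking suggested in the reply above, as an added example that is not part of the original thread. The table and column names (places, id, name, lat, lng), the function names parse_bounds and find_places, and the connection details are assumptions; the four POST keys are the ones from the question.

```php
<?php
// Added example: table and column names (places, lat, lng) are hypothetical.

/** Return the four bounds as floats, or null if any is missing or out of range. */
function parse_bounds(array $post): ?array
{
    $limits = ['nelat' => 90.0, 'swlat' => 90.0, 'nelong' => 180.0, 'swlong' => 180.0];
    $bounds = [];
    foreach ($limits as $key => $max) {
        // FILTER_VALIDATE_FLOAT returns false for arrays, empty strings and
        // anything that is not a plain number, e.g. "48.90 OR 1=1".
        $value = filter_var($post[$key] ?? null, FILTER_VALIDATE_FLOAT);
        if ($value === false || abs($value) > $max) {
            return null;
        }
        $bounds[$key] = $value;
    }
    return $bounds;
}

/** Query with placeholders: the values never become part of the SQL text. */
function find_places(mysqli $db, array $b): array
{
    $stmt = $db->prepare(
        'SELECT id, name, lat, lng FROM places
          WHERE lat BETWEEN ? AND ? AND lng BETWEEN ? AND ?'
    );
    // 'dddd' = four doubles; a box crossing the 180 degree meridian is not handled here.
    $stmt->bind_param('dddd', $b['swlat'], $b['nelat'], $b['swlong'], $b['nelong']);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs the mysqlnd driver
}

// Constructed sample requests, checked without a database.
$good = ['nelat' => '48.90', 'nelong' => '2.42', 'swlat' => '48.81', 'swlong' => '2.25'];
$bad  = ['nelat' => '48.90 OR 1=1', 'nelong' => '2.42', 'swlat' => '48.81', 'swlong' => '2.25'];
var_dump(parse_bounds($good));
var_dump(parse_bounds($bad));

// In geocoder.php (connection details are placeholders):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $bounds = parse_bounds($_POST);
// if ($bounds === null) { http_response_code(400); exit; }
// echo json_encode(find_places($db, $bounds));
```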