4

I have a question about safety. I have a JavaScript variable:

var toSearch = "something"

I want to send this variable to another php page. I'm using sessions: <?php session_start(); ?>

From what I've read I need to use an AJAX GET/POST procedure to pass this JavaScript client-side variable to PHP server-side.

I know it's possible to do this with:

window.location.href = "myphpfile.php?name=" + javascriptVariable;

then $_GET['name'] the variable. I've read that this isn't safe? Is it?

Eric Leschinski
Sae Us
  • So, you want to send the variable 'toSearch' to PHP, then direct them to the page that PHP responds with? – Prash Nov 25 '12 at 01:13
  • Before considering safety, consider whether security is necessary enough in your context to do the extra work. – Alex W Nov 25 '12 at 01:14
  • Using AJAX or using a JS redirect would have the same security concerns since both are being done client-side. – kittycat Nov 25 '12 at 01:16
  • If you know how to properly manage an AJAX request, security issues are minimal. Try sending random tokens to your PHP page which are stored in the session. If the sent token doesn't match the session token, die('error'); – Kevin Florida Nov 25 '12 at 01:25
  • Thanks - I think I'm going to go with the 'passing search in URL' then read up about the points Kolink has made below. Otherwise if I had a variable that I needed to change to a PHP variable could someone offer a clear example? – Sae Us Nov 25 '12 at 01:28

3 Answers

2

It's only unsafe depending on what you do with it. Anyone can type whatever they like in the address bar, and you have no control over that. For instance, I could go to

http://example.com/myphpfile.php?name=fuzzball

Now, that's not a danger in itself, but if I were to put some MySQL code and you were placing this directly in a MySQL database with no sanitisation, then it's dangerous. If I put in HTML which you then display to other users, then it's dangerous.

All you have to do is remember that while GET and POST aren't dangerous, they cannot be trusted to be what you expect them to be, therefore you should make sure that they are on the server side, where it can be trusted.

Niet the Dark Absol
  • Thanks - so when you say "MySQL database with no sanitisation" what core points are there? – Sae Us Nov 25 '12 at 01:17
  • Sae Us: do a Google search: php: htmlspecialchars and php: mysql_real_escape_string. They will do pretty much everything you need. Another good PHP method is trim() – Kevin Florida Nov 25 '12 at 01:38
  • htmlspecialchars and php: mysql_real_escape_string aren't 100% safe, nor would I consider them "good enough", because of the danger in sending non-UTF-8 characters (another SQL injection attack vector). I recommend converting to UTF-8, then applying mysql_real_escape_string before inserting the variable into a query. Even better, use PDO. http://php.net/manual/en/book.pdo.php This post has more good info: http://stackoverflow.com/questions/5139127/php-sql-injection-utf8-poc – Jeremy C Nov 25 '12 at 01:51
1

Well, the better solution would be to go with an AJAX request if you don't want to force a page reload. Regarding security it's the same, since every user can manipulate query strings with ease... we have an address bar for this :)

// Fall back to the old IE ActiveX objects only when the native XMLHttpRequest is missing;
// calling ActiveXObject unconditionally would throw in every non-IE browser.
if (!window.XMLHttpRequest) {
    window.XMLHttpRequest = function () {
        try { return new ActiveXObject('MSXML2.XMLHTTP'); }
        catch (e) { return new ActiveXObject('Microsoft.XMLHTTP'); }
    };
}

var ajax = new XMLHttpRequest();

// encodeURIComponent keeps characters such as '&' or '#' from breaking the query string
ajax.open('get', 'page.php?name=' + encodeURIComponent(javascriptVariable), true);

// The readyState/status check must run when the response arrives, not right after open()
ajax.onreadystatechange = function () {
    if ( ajax.readyState == 4 && ajax.status == 200 )
    {
        // ajax.responseText is the result from php server
        // ajax.responseXML is the result from php server
    }
};

ajax.send(null);
ivoputzer
-1

If you are not good with JavaScript or AJAX requests, I suggest the jQuery .ajax method. jQuery is really well-documented and great for beginners.

Also, your variable is not set properly. Should be:

var toSearch = "something";

So visit: http://api.jquery.com/jQuery.ajax/ to get started.

A sample of how to do this:

JS:

function myFunction() {

    var toSearch = "something";

    $.ajax({
       // encodeURIComponent keeps characters such as '&' or '#' from breaking the query string
       url: 'mysite/action_page.php?toSearch=' + encodeURIComponent(toSearch),
       success: function(data) {
          alert('Here is some data from the $_GET request: ' + data);
       }
    });

}

PHP:

<?php
   /**
     * I strongly suggest a security measure here
     * ie: if($_GET['token'] != $_SESSION['token']) die('access not permitted');
     */

   //init
   $search_string = '';

   //set (the parameter name must match the one the JS sends: toSearch, not toString)
   if (isset($_GET['toSearch'])) {
       $search_string = htmlspecialchars(trim($_GET['toSearch']), ENT_QUOTES, 'UTF-8');
   }
   //TAKE A LOOK AT PHP.net IF YOU DON'T KNOW WHAT THE TWO METHODS ABOVE DO.
   // will help prevent xss

   echo $search_string;

   //all done!
?>
Kevin Florida
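Pulling the advice on this page together (the server-side checks Niet the Dark Absol's answer calls for, the session-token check from Kevin Florida's comment and PHP sample, and the PDO prepared statements Jeremy C recommends), here is an added example of the receiving PHP page; it is not code from any answer above. The `token` and `toSearch` parameter names, the `items` table with its `name` column, the DSN and credentials, and the assumption that the page serving the JavaScript already stored a random token in `$_SESSION['token']` are all hypothetical.

```php
<?php
// Added example (not from any answer on this page): a search handler that
// treats $_GET as untrusted. The 'token'/'toSearch' parameter names, the
// `items` table and `name` column, and the DSN/credentials are hypothetical.
session_start();
header('Content-Type: text/html; charset=UTF-8');

// 1. Token check from the comments: the page that served the JavaScript is
//    assumed to have set $_SESSION['token'] = bin2hex(random_bytes(16)) and
//    echoed it into the request. hash_equals() compares in constant time.
if (empty($_SESSION['token']) || !isset($_GET['token']) || !is_string($_GET['token'])
    || !hash_equals($_SESSION['token'], $_GET['token'])) {
    http_response_code(403);
    die('access not permitted');
}

// 2. Validate server side: a query parameter may be missing, an array
//    (?toSearch[]=x), invalid UTF-8, or absurdly long.
$toSearch = isset($_GET['toSearch']) ? $_GET['toSearch'] : '';
if (!is_string($toSearch) || !mb_check_encoding($toSearch, 'UTF-8')) {
    http_response_code(400);
    die('bad request');
}
$toSearch = trim($toSearch);
if ($toSearch === '' || mb_strlen($toSearch, 'UTF-8') > 100) {
    http_response_code(400);
    die('bad request');
}

// 3. PDO prepared statement: the value travels as a bound parameter, never as
//    SQL text, so the escaping discussed in the comments is not needed here.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('SELECT name FROM items WHERE name LIKE ? LIMIT 20');
// Escape LIKE wildcards so user input cannot widen the match to every row.
$pattern = '%' . addcslashes($toSearch, '%_\\') . '%';
$stmt->execute([$pattern]);

// 4. Encode at output time, where data meets HTML, rather than before storage.
echo '<ul>';
foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $name) {
    echo '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
}
echo '</ul>';
```

The value is escaped for HTML only when it is printed, and never for SQL at all, because the prepared statement keeps it out of the query text.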