
In the register.php file I included JavaScript code for username (email, password, etc.) validation.

For example, the JavaScript contains code such as `var url = "_password_confirmation_validator.php";`

_password_confirmation_validator.php gets the values from the input form (register.php) and validates the input.

Anyone who views the source of register.php can see that the file _password_confirmation_validator.php exists on the server.

When I navigate directly to _password_confirmation_validator.php I see a message like "Password is empty".

If in _password_confirmation_validator.php I place a header redirect (to redirect if someone navigates directly to the file), then AJAX does not work.

AJAX also does not work if in _password_confirmation_validator.php I place a condition like

if ($_POST['register']) {

The form input field is like `input onkeyup=` (so on keyup the AJAX validation starts).

My questions are:

1) How do I write a condition for _password_confirmation_validator.php so that it shows nothing if someone navigates to it directly?

2) Are there any security problems if someone can see file names in the page source? If yes, what would be the solution?

Andris
  • An AJAX resource is as public (or private) as the rest of your site. There's no point in preventing access to the AJAX validator if the user can simply use the regular page to obtain the same data. – Álvaro González Feb 28 '13 at 12:31
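The behaviour described in the question, as an added example that is not code from the original post: a minimal version of the validator endpoint showing why a direct visit prints "Password is empty" and why checking `$_POST['register']` breaks the keyup call. The file name comes from the question; the field names `password` and `password_confirmation` and the response codes are assumptions. Returning an empty body on a direct visit changes what a browser shows, nothing more: the same request can still be sent by any HTTP client, so the endpoint must only ever return what the page itself already reveals.

```php
<?php
// Added example (not from the question). File: _password_confirmation_validator.php
// Field names "password" / "password_confirmation" are assumed.

// Typing the URL into the address bar sends a GET request, so $_POST is empty.
// That is why the direct visit printed "Password is empty": the code fell
// straight through to the empty-field branch. Answer nothing unless the
// request is a POST carrying the fields the page's JavaScript actually sends.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['password'], $_POST['password_confirmation'])) {
    http_response_code(204);   // no body: a direct visit shows a blank page
    exit;
}

// Checking $_POST['register'] (the submit button) breaks the AJAX call because
// the onkeyup handler posts only the field values; the button's name/value is
// sent only when the form itself is submitted. Keep that check for the final
// form handler, where it is meaningful, and re-validate everything there.

$password     = (string) $_POST['password'];
$confirmation = (string) $_POST['password_confirmation'];

header('Content-Type: text/plain; charset=utf-8');

// Only format checks are echoed back: nothing here is looked up in a database,
// so the response contains no information the form did not already have.
if ($password === '') {
    echo 'Password is empty';
} elseif ($password !== $confirmation) {
    echo 'Passwords do not match';
} else {
    echo 'OK';
}
```

The keyup handler on register.php would POST the two fields to this file and place the returned text next to the input; the final `register` POST handler runs the same checks again server-side, as the question's author says they already do.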

2 Answers


Detect AJAX headers:

if(empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {
  die("");
}

But notice that an expert hacker would simply add such headers to the request.

An alternative is to place a random code in your page and send it with the request; every time, reset the code and then generate a new one.

UPDATE

The most appropriate way to do it is by adding an extra random (time-based) parameter to the page, or simply by using a captcha/reCAPTCHA.

Shehabic
  • @JanDvorak AFAIK any XML HTTP request has this header. – Shehabic Feb 28 '13 at 12:30
  • http://stackoverflow.com/questions/2579254/php-does-serverhttp-x-requested-with-exist-or-not – John Dvorak Feb 28 '13 at 12:31
  • also, `s/an expert hacker/any random hacker with the right tools/` – John Dvorak Feb 28 '13 at 12:32
  • In the AJAX file I placed `if (strlen($_SESSION['username_hash']) < 40) { exit(); }` and it works if I open the URL in a fresh (new) browser. For example, if I work in FF and open Chrome, then it is OK. But if I open another FF tab, then the session is passed. But the main question would be: where are there security problems? AJAX only echoes warnings. – Andris Feb 28 '13 at 13:08
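The two mechanisms this answer describes, combined into one endpoint, as an added example that is not code from the answer or from the original site: the `X-Requested-With` header check and a per-session random code that is sent with each request and replaced after every use. The function names, the `validator_token` field, the JSON response shape and the PHP 7+ requirement (`random_bytes`, `??`) are assumptions. As the comments point out, the header alone is a convenience filter that any scripted client can add; the session-bound token is what actually ties a request to a page this server rendered, and like the `$_SESSION` check Andris tried, it is shared by every tab of the same browser session.

```php
<?php
// Added example (not the answer's code). Requires PHP 7+.
session_start();

// Called by register.php when rendering the form. The returned token goes into
// a hidden input (assumed name "validator_token") that the onkeyup handler
// posts together with the password fields.
function issueValidatorToken(): string
{
    $token = bin2hex(random_bytes(16));      // 128 bits of CSPRNG output
    $_SESSION['validator_token'] = $token;   // overwrites the previous token
    return $token;
}

// First thing _password_confirmation_validator.php does. True only for a
// request that carries the AJAX header AND the token issued to this session.
function validatorRequestAllowed(): bool
{
    // Header check: XMLHttpRequest wrappers (jQuery etc.) add it, an address-bar
    // visit does not. Any HTTP client can add it too, so this is not a boundary.
    if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return false;
    }
    // Token check: constant-time comparison against the session copy, so a
    // direct visit (no token) and a stale or guessed token are both rejected.
    $expected = $_SESSION['validator_token'] ?? '';
    $given    = (string) ($_POST['validator_token'] ?? '');
    return $expected !== '' && hash_equals($expected, $given);
}

// Endpoint body.
if (!validatorRequestAllowed()) {
    http_response_code(403);
    exit;                                    // empty body, nothing to read
}

$password     = (string) ($_POST['password'] ?? '');
$confirmation = (string) ($_POST['password_confirmation'] ?? '');

if ($password === '') {
    $message = 'Password is empty';
} elseif ($password !== $confirmation) {
    $message = 'Passwords do not match';
} else {
    $message = '';
}

// Every response carries the next token, making each token single-use; the
// page's JavaScript must store it for the next keystroke or the next call fails.
header('Content-Type: application/json');
echo json_encode([
    'message' => $message,
    'token'   => issueValidatorToken(),
]);
```

The client side keeps the token from the last response and sends it with the next POST; if two keyup events fire before the first response arrives, the second one is rejected, so a real page should either serialise the calls or tolerate a 403 silently and retry on the next keystroke.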

There is no way to alter the page if someone navigates directly, because the server can't make a distinction between a normal request and an AJAX request. A hacker could easily manipulate the headers of a request.

Regarding your second question, a good rule is to never send information via AJAX that may not be published. If you do, consider the use of a password system and the use of HTTPS.

Arjan
  • AJAX is only for immediately showing users if something is not correct (rather than having to click on register to see if something is incorrect). Later I validate everything one more time with PHP server-side and mysqli in the database. – Andris Feb 28 '13 at 12:50