
I have the following PHP and JavaScript code snippets, in which I make a jQuery AJAX call to get data from PHP and show it in the HTML.

PHP code

<?php

myfunction();

function myfunction()
{
    // both values come straight from the POST body and are echoed back as-is
    $myvar = $_POST['q']." how are you?";
    $myvar2 = $_POST['z'];
    echo $myvar."\n".$myvar2;
}
?>

HTML code

<div id="mydiv"></div>

JavaScript code

var data = " hello world";
var data2 = " hello all";
function run()
{
    $.ajax({
        url: 'myscript.php',
        data: {'q': data, 'z': data2},
        type: 'post',
        success: function(output)
        {
            //alert(output);
            document.getElementById("mydiv").innerHTML += output; // add output to div
        }
    });
}

The above code is working fine.

I want to secure this AJAX call against hackers, because the AJAX call I am making is visible to everyone. This code is vulnerable to hacker attacks. My question is: what extra checks should I impose, and where, to make my AJAX call secure?

One thing I know is that I should use the following code snippet in my PHP file:

// empty() also covers the case where the field was never posted, without a PHP notice
if (empty($_POST['q']) && empty($_POST['z']))
{
    exit;
}
else
{
    myfunction(); // call myfunction only if the page was posted to
}

What extra checks should I use in PHP and Javascript files?

  • Read http://stackoverflow.com/questions/1953954/ and http://stackoverflow.com/questions/3362207 – Tushar Gupta - curioustushar Nov 24 '13 at 03:31
  • What do you mean by "prevent it from hackers"? If it's about making requests to the script, no matter what you do, if the browser can make a request to it then the hacker can do it too. – w00d Nov 24 '13 at 03:33
  • @w00d - I need your suggestion on how to improve this simple code snippet by imposing extra checks so that it becomes secure and nobody can misuse the data which the PHP file accesses from the database. –  Nov 24 '13 at 03:37
  • I guess if you wanted to go a few extra steps further you could run it via https and run some type of auth on the api. – Oliver Bayes-Shelton Mar 13 '14 at 15:11

2 Answers


There are lots of tricks that hackers use, so you just have to make it hard/time-consuming enough that the reward is not worth the investment.

First you should never echo back something that came in a post. Hackers are known to perform all sorts of injections with a hole like that.

To avoid that, simply unescape the value first.

For MySQL use: mysqli_real_escape_string.

When echoing back HTML (echo or print) use: htmlspecialchars.

For executing code with exec use escapeshellcmd and escapeshellarg.

Example:

<?php
define('CHARSET', 'ISO-8859-1');
define('REPLACE_FLAGS', ENT_COMPAT | ENT_XHTML);

// escape a string for output inside HTML
function html($string) {
    return htmlspecialchars($string, REPLACE_FLAGS, CHARSET);
}
$myvar = $_POST['q']." how are you?";
$myvar2 = $_POST['z'];
echo html($myvar."\n".$myvar2);

?>

– Goran
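To make the "validate what comes in, escape what goes out" advice concrete, here is an added example of a hardened myscript.php. It is not Goran's code or the asker's; it assumes the same jQuery POST with fields 'q' and 'z', and the helper names (require_post, post_string, build_response), the 200-byte length limit and the UTF-8 charset are choices made for this example.

```php
<?php
// Added example (not the answer's own code): a hardened version of the
// question's myscript.php. Assumes it is called by the jQuery POST in the
// question with fields 'q' and 'z'; helper names and limits are hypothetical.
declare(strict_types=1);

const MAX_LEN = 200; // hypothetical upper bound on each posted field

// Reject anything but POST so the endpoint cannot be triggered by a plain link.
function require_post(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit;
    }
}

// Fetch one POST field, requiring a non-empty, bounded, well-formed UTF-8 string.
// Returns null when the field is missing or malformed (arrays are rejected too).
function post_string(string $key, int $maxLen = MAX_LEN): ?string
{
    $v = $_POST[$key] ?? null;
    if (!is_string($v) || $v === '' || strlen($v) > $maxLen) {
        return null;
    }
    if (!mb_check_encoding($v, 'UTF-8')) {   // needs the mbstring extension
        return null;                          // malformed UTF-8 can confuse escaping
    }
    return $v;
}

// Escape for an HTML body or attribute context, consistently in UTF-8.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the response body; every user-controlled part passes through html().
function build_response(string $q, string $z): string
{
    return html($q . ' how are you?') . "\n" . html($z);
}

require_post();
$q = post_string('q');
$z = post_string('z');
if ($q === null || $z === null) {
    http_response_code(400);   // bad request: say nothing about why
    exit;
}
header('Content-Type: text/html; charset=UTF-8');
header('X-Content-Type-Options: nosniff');
echo build_response($q, $z);
```

Two details worth noting: the escaping charset is declared once and matches the Content-Type header, so the browser and the escaper agree on what a character is, and on the client side inserting the reply with textContent instead of innerHTML would remove the need to trust the server's escaping at all.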

You are using POST that is good.

  1. Additionally, you can use a "Session" for security.
  2. For code security you can put your functions and other important code in separate PHP files and include them in the main file, to keep your code from being visible directly.
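An added example (not this answer's code) of what "use a Session for security" can look like on the endpoint: the request is only served if the session was authenticated earlier and carries a per-session anti-CSRF token that the page handed to the JavaScript. It assumes a login step has already set $_SESSION['user_id'], that the page embeds csrf_token() (for instance in a meta tag) and that jQuery sends it back in an X-CSRF-Token header via the ajax headers option; the function names and the header name are choices made for this example.

```php
<?php
// Added example, not from the answer: tie the AJAX endpoint to a logged-in
// browser session and to a per-session anti-CSRF token. The 'user_id' session
// key, the 'X-CSRF-Token' header and the function names are assumptions.
declare(strict_types=1);

session_start();

// Issue (or reuse) a random token kept server-side in the session; the page
// that renders the HTML prints this value so the JavaScript can send it back.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the token the client sent with the stored one.
function csrf_valid(?string $sent): bool
{
    $stored = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $stored !== '' && hash_equals($stored, $sent);
}

// Deny the request unless the session was authenticated earlier and the
// token matches; a request from another site cannot read the token.
function require_session_and_token(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit;
    }
    // jQuery's headers option arrives as $_SERVER['HTTP_X_CSRF_TOKEN'];
    // a hidden form field named csrf_token is accepted as a fallback.
    $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ($_POST['csrf_token'] ?? null);
    if (!csrf_valid($sent)) {
        http_response_code(403);
        exit;
    }
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit;
}
require_session_and_token();

// Only now touch the posted data; it is still escaped before being echoed,
// because the caller appends the reply with innerHTML.
$q = is_string($_POST['q'] ?? null) ? $_POST['q'] : '';
$z = is_string($_POST['z'] ?? null) ? $_POST['z'] : '';
header('Content-Type: text/html; charset=UTF-8');
echo htmlspecialchars($q . ' how are you?' . "\n" . $z, ENT_QUOTES, 'UTF-8');
```

The session check answers the comment above that any browser can call the script: it can, but without a valid session cookie and the matching token the script refuses to do anything. For the second point in the answer, keeping the included business-logic files outside the web root (or denying direct requests to them in the server configuration) stops them from being fetched on their own.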