
Hi, I have a jQuery function that uses an AJAX call to send information to a PHP page. It sends this information using the GET method. My concern with this is: what if a user goes directly to the PHP page and enters some GET variables in the URL? Whilst sensitive data is not being processed by the PHP script, I still want just the AJAX call to be able to interact with the script and not a user (via entering the URL in their browser). How can this be done?

js code

    $.ajax({
        type: "GET",
        url: "/add.php",
        data: 'id=' + itemid,
        dataType: "json",
        success: function (data) {
            document.getElementById("name").innerHTML = data[0];
            document.getElementById("desc").innerHTML = data[1];
            document.getElementById("price").innerHTML = data[2];
        },
        error: function (xhr, ajaxOptions, thrownError) {
            alert(xhr.status);
            alert(thrownError);
        }
    });

php code

    // $itemname, $itemdescription and $itemprice are assumed to be set earlier in the script (not shown)
    $output = array();
    $output[0] = $itemname . " " . $_GET['id'];
    $output[1] = $itemdescription;
    $output[2] = $itemprice;
    echo json_encode($output);
    exit();

Unfortunately I cannot use the POST method, as this clashes with some code.

M9A
  • Whether using GET or POST, or AJAX or direct browser entry, you fundamentally cannot stop someone *making any request they like* to your server. All you can do is to detect what request they are making, and either ignore it, or handle it in a safe way. – IMSoP Mar 16 '14 at 01:44

2 Answers


Most AJAX frameworks (like jQuery) send the HTTP_X_REQUESTED_WITH header.
Here it is already described how to retrieve its value.

I think it's really not recommended to secure your script using header values, because the request headers can be manipulated (e.g. with curl). Whichever method you use, GET, POST, PUT or DELETE, doesn't matter; your server-side API must be secured. If you want to prevent repeated calls to that URL, take a look at captcha services or add UIDs to URLs that are only valid once.

ffraenz

For a POST or GET request, if you are doing an insert in your database you HAVE TO - secure your form - secure the posted data.

Plus, you should consider preferring an array of key/values:

    $output = array(
        'id' => $_GET['id'],
        'name' => $itemname,
        'description' => $itemdescription,
        'price' => $itemprice
    );
    echo json_encode($output);

js

    $.ajax({
        type: "GET",
        url: "/add.php",
        data: 'id=' + itemid,
        dataType: "json",
        success: function ( item ) {
            document.getElementById("name").innerHTML = item.name + " " + item.id;
            document.getElementById("desc").innerHTML = item.description;
            document.getElementById("price").innerHTML = item.price;
        },
        error: function (xhr, ajaxOptions, thrownError) {
            alert(xhr.status);
            alert(thrownError);
        }
    });

To secure your AJAX query, you must escape HTML entities and prevent SQL injection. To secure the form, you could generate a token for each form, and encode the data before sending it to the server, so the client won't be able to read what kind of data you're sending to the server.

On the server side, you could decode before your insert.

Dimitri
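As an added example (not code from the question or from either answer), here is a version of add.php that puts both answers' advice together: it does not rely on the spoofable X-Requested-With header, it validates the id, it requires a one-time token held in the session, it looks the item up with a prepared statement, and it returns the key/value JSON that the second answer recommends. The `token` parameter name is an assumption, and the `items` table and its row are constructed sample data standing in for the real catalogue.

```php
<?php
// Added example, not the asker's or either answerer's code: a hardened add.php.
// It does not rely on X-Requested-With (any client can send it), validates the
// id, requires a one-time session token and uses a prepared statement. The
// items table and its row are constructed sample data; 'token' is an assumed
// parameter name.
session_start();
header('Content-Type: application/json');

function fail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit();
}

// 1. Accept only a positive integer id; anything else is refused before use.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    fail(400, 'invalid id');
}

// 2. One-time token. The page that renders the AJAX call first stores
//    $_SESSION['add_token'] = bin2hex(random_bytes(16)); and sends it as
//    &token=... . It is consumed on first use, so the same URL pasted into
//    the address bar afterwards is rejected.
$token = (string)($_GET['token'] ?? '');
if (!isset($_SESSION['add_token']) || !hash_equals($_SESSION['add_token'], $token)) {
    fail(403, 'missing or expired token');
}
unset($_SESSION['add_token']); // burn it; the page must issue a fresh one

// 3. Parameterised lookup, so the id value can never change the SQL.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL)');
$db->exec("INSERT INTO items VALUES (1, 'Widget', 'A <b>small</b> widget', 9.99)"); // constructed row
$stmt = $db->prepare('SELECT name, description, price FROM items WHERE id = :id');
$stmt->execute([':id' => $id]);
$item = $stmt->fetch(PDO::FETCH_ASSOC);
if ($item === false) {
    fail(404, 'no such item');
}

// 4. The client writes these values with innerHTML, so escape them here.
echo json_encode([
    'id'          => $id,
    'name'        => htmlspecialchars($item['name'], ENT_QUOTES, 'UTF-8'),
    'description' => htmlspecialchars($item['description'], ENT_QUOTES, 'UTF-8'),
    'price'       => $item['price'],
], JSON_HEX_TAG | JSON_HEX_AMP);
exit();
```

Because the token is consumed on first use, each page load has to issue a fresh one and pass it in the `data` string alongside `id`; a second call from the same page without a new token gets a 403.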