
What are the security implications of using the GET method in Ajax, and what methods should I adopt to counter threats in the following example?

In a very simple implementation, I have Ajax-CodeIgniter code like the following... There are no form submissions and no database connections. I just want to get the output of a PHP function (targetfunction in the code) onto the webpage (in the targetDiv div in the HTML). Anybody can see that webpage, no login needed...

I have read that GET is a bit insecure as opposed to POST. I tried to use the POST method, but it had some issues, so I couldn't go with that. So I'm using the GET method. Should I take any precautions like input sanitization etc.? Please help me with this! Thank you!

Controller

<?php
class Thecontroller extends CI_Controller
{
    function __construct()
    {
        parent::__construct();
        $this->load->helper('url');
    }

    // Renders the page that contains the Ajax call.
    function idea_generator()
    {
        $this->load->view('myviewfile');
    }

    // Ajax endpoint: takes no input, just echoes the output of somefunction().
    function targetfunction()
    {
        echo somefunction();
    }
}
// No closing ?> tag: CodeIgniter omits it so stray whitespace cannot be sent before the headers.

View File - "myviewfile"

<html>
<head>
<title>Title</title>
<script type="text/javascript">
// Create the request object (the ActiveXObject branch is for old IE).
var XMLHttpRequestObject = false;

if (window.XMLHttpRequest) {
    XMLHttpRequestObject = new XMLHttpRequest();
} else if (window.ActiveXObject) {
    XMLHttpRequestObject = new ActiveXObject("Microsoft.XMLHTTP");
}

// Fetch dataSource with GET and put the response text into the element with id divID.
function getData(dataSource, divID)
{
    if (XMLHttpRequestObject) {
        var obj = document.getElementById(divID);
        XMLHttpRequestObject.open("GET", dataSource);

        XMLHttpRequestObject.onreadystatechange = function()
        {
            if (XMLHttpRequestObject.readyState == 4 && XMLHttpRequestObject.status == 200) {
                // The response is inserted as HTML, so it must come only from the trusted server.
                obj.innerHTML = XMLHttpRequestObject.responseText;
            }
        }

        XMLHttpRequestObject.send(null);
    }
}
</script>
</head>
<body>
<h1>My Cool App</h1>
<input type="button" value="Submit!!" onclick="getData('targetfunction','targetDiv')">
<div id="targetDiv">
<p>The fetched message will appear here</p>
</div>
</body>
</html>
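A hardened form of the view's getData(), added here as an example; it is not code from the question or from CodeIgniter. It keeps the GET request exactly as simple as the original (the endpoint path is fixed in code, so no user-controlled value ever reaches the controller as a query string or URI segment) and closes the one sink the posted view does have: the response is written with textContent instead of innerHTML, so markup in the response is displayed literally rather than parsed, and only a 200 response with a text/plain body is rendered at all. Assumptions: the endpoint is the relative path 'targetfunction', the target is any element exposing textContent, and the XMLHttpRequest is injected so the logic can run outside a browser (a constructed fake stands in for it below).

```javascript
// Added example, not from the question: hardened Ajax GET for a no-input endpoint.

// Assumption: fixed endpoint path. Nothing from the page or the user is appended,
// so the server-side handler receives no query string and no extra URI segment.
var ENDPOINT = 'targetfunction';

// Accept only the response shape we expect: HTTP 200 carrying text/plain.
// Anything else (error page, redirect body, HTML) is not rendered.
function isAcceptableResponse(status, contentType) {
  if (status !== 200) return false;
  if (typeof contentType !== 'string') return false;
  return contentType.toLowerCase().indexOf('text/plain') === 0;
}

// Render the server's text as text. textContent never parses HTML, so a body such as
// "<img src=x onerror=...>" is shown as those literal characters, not executed.
function renderText(target, text) {
  target.textContent = text;
  return target.textContent;
}

// Issue the GET and render the result. `xhr` is injectable (browser XMLHttpRequest
// or a fake); `onDone(ok, shownText)` is called once the response has been handled.
function getData(target, xhr, onDone) {
  xhr.open('GET', ENDPOINT, true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    var ok = isAcceptableResponse(xhr.status, xhr.getResponseHeader('Content-Type'));
    var shown = renderText(target, ok ? xhr.responseText : 'Request failed');
    if (onDone) onDone(ok, shown);
  };
  xhr.send(null);
}

// Constructed fake XMLHttpRequest for stand-alone runs: replays one canned response.
function fakeXhr(status, contentType, body) {
  return {
    readyState: 0,
    status: 0,
    responseText: '',
    open: function () { this.readyState = 1; },
    getResponseHeader: function (name) {
      return name.toLowerCase() === 'content-type' ? contentType : null;
    },
    send: function () {
      this.readyState = 4;
      this.status = status;
      this.responseText = body;
      this.onreadystatechange();
    }
  };
}

// Usage in a browser: getData(document.getElementById('targetDiv'), new XMLHttpRequest());
// Stand-alone demonstration with a constructed element and a constructed response:
var demoTarget = { textContent: '' };
getData(demoTarget, fakeXhr(200, 'text/plain; charset=utf-8', '<b>hello</b>'), function (ok, shown) {
  // ok === true, shown === '<b>hello</b>' (the tags are displayed literally, not rendered)
});
```

On the server side the same contract is cheap to state explicitly: have targetfunction() emit its output through CodeIgniter's $this->output->set_content_type('text/plain') so the client's content-type check has something to match, and run the value through html_escape() if the same function's output is ever reused in an HTML context.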

1 Answer

If there is no form submission and CodeIgniter does not accept any input via $this->input->get() or $_GET (parameters after the URL, i.e. ?var1=value&var2=value2) in the targetfunction() method, then there are no security holes that I can think of.

Also, CodeIgniter sanitizes some strange characters in GET requests by default.

Lee Salminen
  • Thank you so much! targetfunction() just spits out some values; it doesn't need any input. As you said, it doesn't process any form or any other values with $this->input->get() or $_GET. So can I go ahead and use all the code {both controller and view} as it is, without any fear of security threats? – user3454645 Mar 25 '14 at 00:46
  • Can I protect against ajax url manipulation like this? - function targetfunction($dummy) { if ($dummy=='') { echo somefunction(); } } – user3454645 Mar 25 '14 at 02:25
  • Yes sir. As long as you don't mind that URL being publicly accessible by anyone. – Lee Salminen Mar 25 '14 at 02:27