
Before closing this as duplicate, please know that I read many similar questions on SO and none of them answers my doubt.

I am trying to call my .php file using jQuery.get()

    // $.get(url, data, success, dataType) is shorthand for this $.ajax call
    $.ajax({
        url: url,
        data: data,
        success: success,
        dataType: dataType
    });

I am using wordpress and the javascript code from where I am trying to call the php file is included in the page's header.

I put the php file in a my-includes folder in the root of the server, so I can access it using the URL /my-includes/xxx.php (thanks go to OSDM for his answer).

But now it is publicly accessible using domain-name/my-includes/xxx.php

My questions are:

  1. Is this how websites work? Isn't this a security risk?

  2. Can I make this file inaccessible to the general public yet keep it working for my site?

rents
2 Answers

If you make the url like this: url: '/folderintheroot/file.php' it will start from the root of your website no matter what the url is. The key here is: '/' at the beginning.

Regarding security issues. If people can visit your website, that means they can see everything that is sent from the server to their computer. So when that script is called with jquery.get() it is exactly the same. Basically whatever is public, is public. Else you have to start working with login and password, but that is a whole other story.

There is one thing you can do though, see here: Using .htaccess, prevent users from accessing resource directories, and yet allow the sourcecode access resources

OSDM
  • I created a folder and put the php file in there. Does the file need to be publicly accessible like this - domainname.com//xxx.php ? – rents Jul 11 '15 at 04:45
  • 1
    If you are accessing from the same domain name, you don't have to put the domainname, just: / – OSDM Jul 11 '15 at 04:50
  • From your comment I assume that it doesn't matter if this path "//xxx.php" is publicly accessible (via anyone or not). 1 unrelated question though, does this also apply to a javascript file as well? Suppose I want to call a javascript file using . Is the path I need to give along the same lines as you suggested? – rents Jul 11 '15 at 05:31
  • actually, I created a folder at the root but now everything I am putting in this folder .js, .html is accessible via domain.com//.js Any idea how to make it inaccessible to general public? – rents Jul 11 '15 at 06:16
  • Also found this -an ajax request is a normal http request so that means the php file should be publically accessible? That brings me back to my original question. Isn't this a security risk? – rents Jul 11 '15 at 06:20

Yes, this is generally how websites work. Any content that you want to serve to a client must be accessible to them - how else will it make its way to their computer?

Is it a security risk? Only if you don't want people to see that data, but if that's the case then you shouldn't be serving it up. For data that should only be sent to selected individuals rather than making it universally accessible you should use some form of authentication - only serve the data if the user has been authenticated.

There are countless ways of doing authentication, take a look at PHP best practices for user authentication and password security for some ideas.

Eborbob
  • I think I got a way to restrict access to php files yet still call them from my websites using a .htaccess file. I don't think it makes sense for people to see the actual code, it doesn't make any sense. – rents Jul 12 '15 at 05:59
  • Perhaps I've misunderstood what you're trying to do. The source code of PHP files shouldn't be accessible, the PHP files should be interpreted by your webserver and the resulting HTML served up. You shouldn't need to be using .htaccess files to control that though. – Eborbob Jul 13 '15 at 07:23
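To make the second answer concrete, here is an added example (not code from the question or from either answerer) of what a /my-includes/xxx.php that is reachable by anyone but only returns data to a logged-in user can look like. It assumes the site's own login script already calls session_start() and sets $_SESSION['user_id'] on success; that session key, the sample data and the config path are constructed for this example.

```php
<?php
// Called from the page with $.get('/my-includes/xxx.php', cb); on a
// same-origin request the browser sends the session cookie automatically.
// Assumed: the login script sets $_SESSION['user_id'] after a successful login.
declare(strict_types=1);

session_start();
header('Content-Type: application/json; charset=utf-8');

/** Abort with 401 unless the request carries a valid logged-in session. */
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

/** Data only the owning user may see (constructed stand-in for a DB query). */
function items_for_user(int $userId): array
{
    $all = [
        7  => ['invoice-2015-06.pdf', 'invoice-2015-07.pdf'],
        42 => ['draft.txt'],
    ];
    return $all[$userId] ?? [];
}

$userId = require_login();

// Everything below runs only for an authenticated user. The browser never
// sees this PHP source, only the JSON it emits. Secrets (DB passwords, API
// keys) should still live in a file outside the web root, for example
//   require '/srv/private/config.php';   // hypothetical path, never web-served
echo json_encode(['user' => $userId, 'items' => items_for_user($userId)]);
```

In a WordPress site the same check is normally done by routing the request through admin-ajax.php or the REST API and calling is_user_logged_in(), rather than by a standalone file in the web root.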