1

I'm making a chat app, and I'm using a .htaccess file to prevent external sources from reading messages. However, this also blocks the JavaScript from sending messages. My JavaScript is: 

$("#sendMsg").onclick(function(){
$.post('post.php',
{ msg : $("#msgBox").val(), user : getCookie('username')}, 
function(result) {alert(result);});
});

My PHP for post.php is: 

<?php
$message = $_POST['msg'];
$user = $_POST['user'];
$servername = "localhost:3306";
$username = "user";
$password = "pass";
$dbname = "dbname";
$conn = mysqli_connect($servername, $username, $password, $dbname);
$sql = "INSERT INTO tablename (username, message) VALUES ('" . $user . "', '" . $message . "'); SELECT * FROM tablename";
$result = mysqli_query($conn, $sql);
$numofmessages = 0
while($row = mysqli_fetch_assoc($result)) {
  $numofmessages++;
echo $numofmessages;
?>

EDIT: The .htaccess file has:

order deny, allow
<FilesMatch "post.php">
deny from all
</FilesMatch>

If there is no .htaccess file, anyone can send a POST request to the post.php file to add messages, but if there is a .htaccess file, the JavaScript can't send the POST requests either. Does anyone have a good solution for this?

Neelu S
  • 47
  • 1
  • 11
  • 2
    Well, we cannot help without you posting the rules in your `.htaccess` style file... – arkascha May 15 '16 at 13:21
  • 1
    How are you authenticating users? Why aren't you? – Nathan K May 15 '16 at 13:24
  • 3
    Unrelated, but your code is susceptible to sql injection. See [here](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) how to protect yourself against it. – Sumurai8 May 15 '16 at 13:25
  • @NathanK I'm using Google Sign-In, and then storing their name as a cookie. – Neelu S May 15 '16 at 13:30

1 Answers1

2

Your problem is that all your authentication seems to happen on the client-side. You cannot do this, because the client can modify anything. In your case, anyone can spoof the username cookie, or simply craft the requests themselves. Since the client has full control over what kind of request they send, you cannot allow only access through the script.

If you want only a specific client to be able to use a username, you will need to have the client log in into your application. Probably the easiest way to do this is by using a PHP session. The client now logs in, your application sets the username in a session variable and automatically sends the session identifier back to the client. This session identifier is used during every subsequent request, with which you can retrieve the username.

session_start();
if(empty($_SESSION['username'])) {
  header("Location: login.php");
}

Besides that, look into how you can protect yourself against sql injection.

Community
  • 1
  • 1
Sumurai8
  • 20,333
  • 11
  • 66
  • 100
  • Thank you for this. I'm using sessions instead of cookies now. However, I'm still not sure how to send the messages securely using JS. – Neelu S May 18 '16 at 18:26
  • What you accomplished with a session is that the variable `username` is stored on the server, and only for that specific session. The user can no longer specify an arbitrary username. By using a post-request as opposed to a get-request, you protect yourself against malicious sites using a redirect to post something as someone else. You cannot however prevent people from making a request to that url outside the script, because every part of a http-request can be spoofed, except for the "remote ip" (ip that makes the request). – Sumurai8 May 19 '16 at 08:13