0

Guys I have an ISSUE..

I've Created 2 PHP files..

CreateAdmin.php ----------> Has a Form to Fill

Save.php ----------------> Called through jquery Ajax to insert in database.

the codes are working fine. but the problem is i can directly access Save.php file.. when i access each of access an empty row is created in database admin table.

how to prevent it.

actually I've got an idea. when ajax called a session variable should create. the top of the Save.php there should be code if there is not a session variable page should redirect..

is it possible.. if it's okay will it affect the accessing speed.

Nusair Ahamed
  • 13
  • 1
  • 6
  • Save.php should check the data before adding it. no get\post variables no adding to db, no empty row –  Sep 27 '17 at 20:53
  • At least check `$_SERVER['HTTP_X_REQUESTED_WITH']` is xmlhttprequest, set and use CSRF token into say a `X-TOKEN` header, and change your code to POST and check `$_SERVER['REQUEST_METHOD']=='POST'` – Lawrence Cherone Sep 27 '17 at 20:54

1 Answers1

0

I would implement some fundamental concepts here. I try to describe them here as simple as possible:

1) In your GET request (calling your CreateAdmin.php) start a session (if not already done) and create a random string that you store to your session:

$_SESSION["token"] = sha256(uniqid(mt_rand(), true));

2) Add the token to your form as a hidden field

<input type="hidden" name="token" value="<?php echo $_SESSION["token"]; ?>">

3) Now do a http POST request with jQuery Ajax call (should not be a GET request). Important include your hidden token from the form. You could also include a special value in your JS that indicate that this is coming form a Ajax call, but this dose not make your Save.php more secure (see below).

4) In you Save.php check first if the call is a POST request, if not do not continue. Than check if the hidden token is included and matching the value in the session (you have to start it), if not do not continue.

if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token']) die('invalid');

5) If both checks pass you can continue to do your DB stuff but first I would do some additional checks about your data quality that means if the rest of the input is valid e.g.: Field is not empty if required or the field values has a minimum or maximum length or check if only allow characters included, etc.

6) In all cases I would delete the token from your session. Generate a new one for the next request if required.

You maybe also want to limit the time how long a token is valid, or check if the user from this session has the right to do this action.

There will be no speed issue with this. There are more things that could be considered but this should be the minimum.

For example you ask that this request should be only possible by Ajax. To be honest I would not take to much effort to check this. You could try to check if the "HTTP_X_REQUESTED_WITH" with "XmlHttpRequest" was included, but this dose not give you much more security. You can simulate a Ajax/POST request very easy in any modern Bowser with the Developer Tools. But with the described method it is not enough just putting the path to your Save.php file in the Browser.

Webdesigner
  • 1,954
  • 1
  • 9
  • 16