
I've checked around Stack Overflow and there are a few questions in this regard which don't seem to be addressed.

I have this code

```php
<?php

function secret() {
    return "My secret is, I love apples";
}

function add($a, $b) {
    // Both operands are variables; a bare `b` would be read as an undefined constant.
    return $a + $b;
}


$a = strlen($_GET["a"]); // We assume they always have "a" set

echo add($a, 10);
```

Question 1: Can a user use AJAX to call my secret function and know my secret? To my understanding you can use AJAX to call any PHP function. So someone can find out my secret if they know what the function is called.

Question 2: How can a PHP function be coded so it is uncallable through AJAX? Essentially I do not want a user to call PHP functions themselves at all. I want it to be done purely on the server side.

Ross
  • AJAX is nothing more than a fancy HTTP request. Unless the code specifically provides for it, there's no invocation of arbitrary PHP functions. – mario Mar 29 '19 at 00:29
  • @mario and an HTTP request means it has to be a file? So if I had another file called `my_secret.php` that echoed my secret, then they can know my secret is `i love apples`? In the code I provided in my question, it is not possible for the user to know my secret (unless they hack my server and gain access to my files)? – Ross Mar 29 '19 at 00:32
  • Requests can only target files (AKA resources), not functions. Whatever your script purposefully outputs can be seen, of course. The source code or its inner workings cannot. – mario Mar 29 '19 at 00:58
  • @Ross It does not have to be hacking; a server error may occur, and the server will send files instead of interpreting them. Therefore, all PHP files should be outside of public_html with the exception of the wrapper that launches them. The wrapper may also contain some access privilege management (ACL) for HTTP requests. And if you are concerned about hacking and revealing code, use only compiled languages such as C. – Slawomir Dziuba Mar 29 '19 at 06:37

0 Answers
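The point made in the comments, that a request reaches only what the script deliberately exposes, shown as an added example that is not part of the original thread: a single entry script that maps a client-supplied name onto an allowlist of handlers, so `secret()` stays unreachable. The `action` parameter, `PUBLIC_ACTIONS`, `handle_add_ten()` and `dispatch()` are hypothetical names; in a real endpoint `dispatch($_GET)` would be called and the status sent with `http_response_code()`.

```php
<?php
// Added example; "action", PUBLIC_ACTIONS, handle_add_ten() and dispatch()
// are hypothetical names, not taken from the question.

function secret(): string {
    return "My secret is, I love apples";
}

function add(int $a, int $b): int {
    return $a + $b;
}

// Allowlist: the only operations an HTTP client may trigger, keyed by their
// public name. secret() is deliberately absent, so no request can reach it.
const PUBLIC_ACTIONS = [
    'add_ten' => 'handle_add_ten',
];

function handle_add_ten(array $query): string {
    // Treat a missing or non-string "a" as empty instead of assuming it is set.
    $a = isset($query['a']) && is_string($query['a']) ? $query['a'] : '';
    return (string) add(strlen($a), 10);
}

// Returns [HTTP status, body]. The client-supplied name is used only as a key
// into the allowlist; it is never itself called as a function name.
function dispatch(array $query): array {
    $action = $query['action'] ?? '';
    if (!is_string($action) || !array_key_exists($action, PUBLIC_ACTIONS)) {
        return [404, 'Unknown action'];
    }
    $handler = PUBLIC_ACTIONS[$action];
    return [200, $handler($query)];
}

// Constructed sample requests (query strings already parsed into arrays).
$samples = [
    ['action' => 'add_ten', 'a' => 'hello'],
    ['action' => 'secret'],
    ['action' => 'handle_add_ten'], // internal handler names are not public keys
    [],
];
foreach ($samples as $q) {
    [$status, $body] = dispatch($q);
    echo $status, ' ', $body, PHP_EOL;
}
```

A function becomes remotely callable only when the script passes request input straight into a call, for example by using a query parameter as the function name; looking the name up in a fixed table, as above, is what keeps everything else server-side.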