
I have a PHP file on a subdomain, and within that file, I want to use Javascript and Ajax to send information to a PHP file on the parent domain (to update my database). However, I receive the error that the request has been blocked by CORS (which makes sense, I understand why). Is there a simple way to solve this?

I have tried putting document.domain = "example.com" in the javascript on the subdomain file, but obviously I can't put this in the file on the parent domain because it is a PHP file with no javascript. Just putting that line in the subdomain file has not worked.

file1: area1.example.com/settings.php

<?php
// Inline script emitted from the subdomain page; assumes jQuery is already loaded.
print '
<script type="text/javascript">
function UpdateTable(Info)
{
    // Cross-origin POST from area1.example.com to example.com
    $.ajax({url: "https://example.com/ajax/update-table.php", type: "POST", data: {id: 1, info: Info}});
}
</script>';
?>


file2: example.com/ajax/update-table.php

<?php
// Builds the UPDATE by concatenating the raw POST values into the SQL string
// (db_op is the site's own query helper).
$query = '
Update `Table`
SET `Table`.`field` = "'.$_POST['info'].'"
WHERE `Table`.`id` = '.$_POST['id'];
db_op($query);
?>

All I want is for the database to be updated, but I keep receiving the same CORS error. Can anyone help?

Leonardo Alves Machado
  • Possible duplicate of [Why does my JavaScript get a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error when Postman does not?](https://stackoverflow.com/questions/20035101/why-does-my-javascript-get-a-no-access-control-allow-origin-header-is-present) – Danmoreng Apr 30 '19 at 11:48
  • _"Is there a simple way to solve this?"_ - yes: Allow CORS. (And if your next question would immediately be, how to do that, please go research it first.) – 04FS Apr 30 '19 at 11:49

3 Answers


You can try to set the header in the file on the parent domain.

header("Access-Control-Allow-Origin: http://example.com");


Solution

You can solve this, as @Berdnikov mentioned, with the CORS header Access-Control-Allow-Origin. You can either do this using the PHP header function as Berdnikov suggested, or you can use .htaccess:

<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin <value>
</IfModule>

Where <value> can be either a specific path match, i.e. http://example.com, or a wildcard for any host with *.

Here's why,

When a browser makes a resource sharing request to a different domain, the browser first launches a Preflight request which uses the OPTIONS protocol to determine what the client request is permitted to do. This includes Access-Control-Allow-Methods too.

I am making the following advisories on the code you posted above:

  1. Note that from observing your code, it's clear there is no active authentication on the request (WSSE, API keys or any stateless authentication mechanism). Unless you are using a shared COOKIE of sorts, I feel obligated to at least let you know that this request is not protected.

  2. The SQL you have pasted is vulnerable to SQL injection: you are not escaping anything and are inserting the input directly into the query, which is highly dangerous for your application's integrity.

Good luck and happy coding

Prof
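Putting the answer's three points together (allow-listed origin, preflight handling, and a parameterised query plus some form of authentication), here is an added example of what example.com/ajax/update-table.php could look like. This is not code from the question or from any answer; the allow-list, the PDO DSN and credentials, and the session cookie shared across .example.com are assumptions.

```php
<?php
// Added example, not code from the question or any answer: a hardened version of
// example.com/ajax/update-table.php. Assumed: the allow-list, the DSN/credentials
// and a session cookie shared across .example.com that holds the user id.

// 1. CORS: reflect the Origin header only when it is on the allow-list. The
//    wildcard '*' is refused by browsers when cookies are sent, so name origins.
$allowedOrigins = ['https://area1.example.com'];
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
$originAllowed = in_array($origin, $allowedOrigins, true);
if ($originAllowed) {
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin'); // stop caches serving one origin's answer to another
}
header('Access-Control-Allow-Methods: POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, X-Requested-With');

// 2. Preflight: when the browser sends OPTIONS first, answer with headers only.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !$originAllowed) {
    http_response_code(403);
    exit;
}

// 3. Authentication: the original script has none. Assumed shared session cookie.
session_set_cookie_params(['domain' => '.example.com', 'secure' => true,
                           'httponly' => true, 'samesite' => 'Lax']);
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}

// 4. Validate input and use a prepared statement instead of concatenation.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$info = $_POST['info'] ?? null;
if (!is_int($id) || !is_string($info) || strlen($info) > 255) {
    http_response_code(400);
    exit;
}
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare('UPDATE `Table` SET `field` = :info WHERE `id` = :id');
$stmt->execute([':info' => $info, ':id' => $id]);
http_response_code(204);
```

For the session check to pass, the jQuery call on the subdomain has to opt in to sending the cookie with `xhrFields: {withCredentials: true}`; without it the browser sends the request anonymously and the script returns 401.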

I really hope I am giving you proper advice here, but have a look at the Content Security Policy header.....

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

I think you need to use something like this to whitelist the domain....

<meta http-equiv="Content-Security-Policy" content="default-src *; data: https://mysubdomain.mydomain.com/* 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

I stand to be corrected on this - I ran across this issue with a cordova app I was building a while ago and I think this was how I fixed it.