0

Currently, I have:

$("#upvote").click(function(){
    var up = parseInt(document.getElementById('voteScore').innerHTML);
    up++;
    document.getElementById('voteScore').innerHTML = up;
    $.ajax("include/mysql_lib.php?op=upvote&v1=<?php echo $id; ?>");
});

There are two problems I have this with. First, I'm using GET to send variables, which makes me nervous. Secondly, the mysql_lib.php script is right there in my web root. I would much prefer having it in my hosting provider's protected directory instead of public.

Is this possible?

  • 1
    I think the page must be accessible over http, you could use a session identfier to secure the `mysql_lib.php` script. Check for an existing session in that file and exit if it doesn't exist. – Cyclonecode Dec 22 '11 at 16:37
  • @Krister but what difference would that make security-wise? – Pekka Dec 22 '11 at 16:39

2 Answers2

1

I would much prefer having it in my hosting provider's protected directory instead of public.

If you want to make requests to a web resource, it needs to be publicly visible somehow, no way around that.

You need to make sure that there's nothing one can do with mysql_lib.php that is destructive, like op=delete or something, and there's no way to arbitrarily access resources one is not supposed to see (like by changing the id parameter).

Also, to avoid gaming, you may want to impose some limits on how often a resource can be upvoted from a single client (that's a complex issue though; there is a lot of good reading on it here on Stack Overflow.)

First, I'm using GET to send variables, which makes me nervous.

Whether you use POST or GET doesn't make a difference security-wise, but using POST would be more fitting, as you are changing state on the server. You can use POST with jQuery's Ajax.

Community
  • 1
  • 1
Pekka
  • 442,112
  • 142
  • 972
  • 1,088
0

The best thing to do I think is create a "layer" controller between your call and mysql_lib to be able to make the controls that you want and call ONLY the methods that you need from mysql_lib

You can also check the headers to know if the call was made by an AJAX call or not (keep in mind that this is not completely sure and easily defaceable).

function json_requested() {
  return  isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
          $_SERVER['HTTP_X_REQUESTED_WITH']  == 'XMLHttpRequest' &&

          isset($_SERVER['HTTP_ACCEPT']) &&
          $_SERVER['HTTP_ACCEPT'] == 'application/json';
}

if($this->json_requested()) {
// Do things
}

The most secure method to make an AJAX call nowadays I think is by using crumbs follow this link to know how to use it.

This is a pretty simple way to stop spammers

Now whenever a user writes a message, this crumb is passed back to the server side. If user writes a message before 30 minutes, this crumb will be validated and user shout submitted. (30 minutes should take care of 99.99% of the cases). In response, server api sends back the new crumb which should be sent back with the next AJAX call.

VAShhh
  • 3,494
  • 2
  • 24
  • 37