1

My index page (index.php?profile=profilename_here) loads content into a div using jQuery's load() function in the normal fashion and all is working fine.

```js
$().ready(function() {
    $('#details').load('pages/sidebar/details.php?profile=<?PHP echo $profile;?>').fadeIn(2000);
});
```

Then in my pages/sidebar/details.php I have MySQL queries.

```php
$result = mysql_query("SELECT * FROM public_profile WHERE username='$profile'") or die(mysql_error());
```

All the PHP stuff is secure and I am sanitising all variables as I should be... but if someone was to go to 'pages/sidebar/details.php?profile=' and change the profile name they will be bringing up other people's details.

Is it possible to check if the page was loaded by .load() and if not, to stop the page from loading or scripts from executing?

BenMorel
  • Maybe you can use session so that your details.php would know if you're authenticated as the owner of the profile? – Damp Mar 08 '12 at 15:27
  • These are public pages and nobody has logged in to view these details – Ian Ditchfield Mar 08 '12 at 15:27
  • 2
    If the profiles are public and you don't have to be logged in to see them, why does it matter if they pull up other profiles? – jprofitt Mar 08 '12 at 15:29
  • Your code is vulnerable to [SQL injection attacks](http://bobby-tables.com/). – Sjoerd Mar 08 '12 at 15:30
  • It doesn't matter. I'm asking if there's a way of checking if it was loaded by jQuery in the 1st place. The reason I'm asking is because any PHP includes I do I always define a variable and then check if it has been defined in the included pages. It just makes sense to me. – Ian Ditchfield Mar 08 '12 at 15:33
  • maybe this can shed some light http://stackoverflow.com/questions/4231789/is-ther-something-like-isset-of-php-in-javascript-jquery – t q Mar 08 '12 at 15:38
  • 1
    @IanDitchfield It most certainly *does* matter if your concern is security. – jprofitt Mar 08 '12 at 16:39

1 Answer

3

If you only want to run code when the page is requested with ajax use

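```php
// isset() avoids an "undefined index" notice when the header is absent (a direct visit).
// The header is sent by the client, so it only tells you what the client claims.
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest') {
    /* run this if requested by ajax */
}
```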

Unfortunately this doesn't make it much more secure, since anybody can use dev-tools like Firebug to change that URL in the code. If you only want the current user to see their own profile, you can store $profile in the $_SESSION; that way they don't have direct access to the URL parameter.

Check out OWASP's SQL Injection Prevention Cheatsheet for some methods to sanitize data, although I don't think anything there is PHP specific.

JKirchartz
  • OK. Thanks for your help. The code above was only added to explain my question. I'm pretty certain that I have the actual code sanitised and safe. – Ian Ditchfield Mar 08 '12 at 22:54
  • Just to be safe, I added a link to OWASP's SQL injection prevention cheatsheet, I'm sure it'll help somebody out... – JKirchartz Mar 09 '12 at 15:25
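
An added example, not part of the original question, answer or comments: a details.php-style handler in which the X-Requested-With header only selects the response format, while the safety of the page comes from an allow-listed parameter, a bound query parameter, an explicit column list and output escaping. It assumes PHP 7+ with pdo_sqlite; the in-memory SQLite table, the `bio` and `email` columns, the sample rows and the function names `isAjax` and `renderDetails` are hypothetical stand-ins for the real MySQL setup.

```php
<?php
// Added example, not from the original post. Names other than
// public_profile / username / profile are assumptions.

// Constructed in-memory database standing in for the real MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE public_profile (username TEXT PRIMARY KEY, bio TEXT, email TEXT)");
$pdo->exec("INSERT INTO public_profile VALUES ('alice', 'Likes <b>hiking</b>', 'alice@example.test')");

function isAjax(array $server): bool
{
    // Client-supplied header: usable for choosing a response format only.
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && $server['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
}

function renderDetails(PDO $pdo, array $get, array $server): string
{
    $profile = $get['profile'] ?? '';
    // Allow-list the username format before it goes anywhere near the query.
    if (!is_string($profile) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $profile)) {
        return 'Invalid profile name';
    }
    // Bound parameter: the value is never parsed as SQL.
    // Only columns meant to be public are selected (no SELECT *).
    $stmt = $pdo->prepare('SELECT username, bio FROM public_profile WHERE username = ?');
    $stmt->execute([$profile]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'No such profile';
    }
    // Escape on output so stored markup cannot run in the page.
    $html = '<h2>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . '</h2>'
          . '<p>' . htmlspecialchars($row['bio'], ENT_QUOTES, 'UTF-8') . '</p>';
    // Fragment for .load(), full page for a direct visit: same data either way.
    return isAjax($server) ? $html : "<!DOCTYPE html><html><body>$html</body></html>";
}

// Constructed requests: via .load(), a direct visit, and a value containing a quote.
$ajax = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
echo renderDetails($pdo, ['profile' => 'alice'], $ajax), "\n";
echo renderDetails($pdo, ['profile' => 'alice'], []), "\n";
echo renderDetails($pdo, ['profile' => "o'brien"], $ajax), "\n";
```

The `email` column is never selected, so it cannot leak through this endpoint however the request is made.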