Reputation: 103
I need to access this PHP with JavaScript. I have this PHP with secure access in so many ways: only for my own IP, only for my domain, direct access not allowed, secured by htaccess, and we know so many other ways to secure this.
And now I have this JavaScript; then you can access this JavaScript and get data from my database. And you can do it like a monster... you can put a bot to send #input1 and get all my data.
I tried to find a solution for more than 14 hours, and read many posts and sites, but no luck. No way. OHHH MY GOD, is this possible?
Here is a part of my code. JavaScript:
    // getdata.php returns a script that defines the global resultData
    $.getScript("http://www.domain.com/getdata.php?data=" + $("#input1").val(), function () {
        if (resultData["field2"] != '') {
            $("#input2").val(unescape(resultData["field2"]));
            $("#input3").val(unescape(resultData["field3"]));
        }
    });
And PHP:
    // the body is a JavaScript statement, not bare JSON, and the charset uses "="
    header('Content-Type: application/javascript; charset=utf-8');
    // here my mysql connection and query.... where field1 = #input1
    if ($row = mysql_fetch_assoc($res)) {
        // json_encode emits properly escaped JS string literals (and no trailing comma)
        echo "var resultData = " . json_encode(array(
            'field2' => $row['field2'],
            'field3' => $row['field3'],
        )) . ";";
    }
I don't believe there is no solution for this! I lost my day trying to protect this!
I need to protect this only for whoever is browsing my website, or maybe per domain, or per request =/
No way!
Upvotes: 0
Views: 132
Reputation: 103
After a good night of sleep, my brain can think better! And I thought of passing some md5 code in the URL of the JavaScript. And then I found it:
YEEEEEEEEEAAAAAAAHHHHHHHHHHH!!!! This is it!
In the source file that calls the JS:
    $secret = "ABC1232";
    // the item that gets signed: issue time plus the page it was issued for
    $item = array(
        "time"     => time(),
        "token_id" => "<page_url>"
    );
    $signed = base64_encode(hash_hmac("sha256", json_encode($item), $secret));
    $item = base64_encode(json_encode($item));
    // urlencode() keeps the "+", "/" and "=" of base64 intact inside the query string
    $ajax_url = "myscript.php?signed=" . urlencode($signed) . "&item=" . urlencode($item);
In my case I'm gonna use this:
    getdata.php?signed=<?php echo urlencode($signed) ?>&item=<?php echo urlencode($item) ?>&data=" + $("#input1").val()
In the PHP file that connects to your MySQL or other thing:
    $raw  = base64_decode($_REQUEST["item"]);
    $item = json_decode($raw);
    $timeout = 3600;
    if (!$item || $item->time < (time() - $timeout)) {
        die("Invalid token - timeout");
    }
    if ($item->token_id !== "<page_url>") {
        die("Invalid token - page url");
    }
    $secret = "ABC1232";
    // sign the exact bytes the page signed (re-encoding the decoded object could change them)
    // and compare with hash_equals() so the check takes the same time whether or not it matches;
    // only "time" and "token_id" are covered by the signature
    $expected = base64_encode(hash_hmac("sha256", $raw, $secret));
    $valid = hash_equals($expected, (string) $_REQUEST["signed"]);
    if (!$valid) {
        die("Invalid token");
    }
I just didn't test it, but I'm sure it will work like a monster =)
The big solution is this... When you have a problem like this, get away from the computer and put your brain to work! And this is the SOLUTION:
Pass something in the URL of the JavaScript, and we have a lot of ways to make it secure.
Now I'm gonna try to do something to use POST instead of GET =)
Thank you guys for trying to help.
Upvotes: 0
Reputation: 664503
We have no authentication for users. I just don't want to have anyone doing a hard job on the database server!
Then use rate limiting, and maybe some time/size limits on your SQL queries. No need for "securing access to the page".
Upvotes: 1
Reputation: 780974
Set a session variable in your regular web pages, and have the getdata.php script check for the session variable before returning any data.
Upvotes: 1