Izabela Skibinska

Reputation: 443

securely passing sensitive data from PHP to javascript

My scenario looks like this: I'm showing a database paginated grid on the screen. I want to add a button to download a CSV spreadsheet, so I coded something like this:

$(function(){

    var file_complete = false;
    var final_sql = $('.initiate_download').val();
    var orderby = $('#search_submit').data('orderby');

    // $url, $html and $report are assumed to be defined elsewhere on the page
    var $posturl = $url + "index.php/Spawner/launch_spawner";

    $('#downloadModal').modal('hide');

    $('.initiate_download').on("click", function(e) {
        e.preventDefault();

        $('#pleaseWait').html($html);

        setTimeout(function() {
            $.ajax({                            // initiate download
                url:  $posturl,
                type: "POST",
                data: {
                    final_sql: final_sql,
                    orderby: orderby,
                    report: $report
                },
                success: function(data) {
                    var download_id = data;
                    // console.log(download_id);
                    check_download_status(download_id);
                }
            });
        }, 2000);
    });
});

<div class="row top-buffer">
    <button id="search_submit" class="btn btn-primary initiate_download" type="submit" value="<?php echo $sql; ?>" data-orderby="<?php echo $orderby;?>" name="final_sql_lic">Download List</button>
    <span id="pleaseWait">  </span>
</div>

It works fine, but the problem is that you can view the SQL with the view-source option. Is there a way around it?

Upvotes: 1

Views: 259

Answers (1)

Jacob Gardner

Reputation: 315

What most people do is not embed the SQL on the page, but instead expose URLs that handle the SQL behind the scenes.

In your example, you might create a page like this: http://website.com/api/csv?select=col1,col2,col3&orderBy=someColumn&where=someCondition

Then your PHP will take those parameters, generate the SQL based on them and run the query. Make sure you securely handle the input to avoid SQL injection (see http://bobby-tables.com/php.html).

The problem with your current scenario is that someone viewing your source will plainly see that you're passing SQL directly to your server, meaning they can generate their own SQL like: DROP TABLE table1, table2; or worse.

Upvotes: 2
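One way to build the server-side endpoint the answer describes, as an added example that is not part of the original answer: column and sort names are checked against an allowlist (identifiers cannot be bound as placeholders), and the filter value is bound through PDO instead of being concatenated. The `licenses` table, the column allowlist, and the `column:value` shape of the `where` parameter are assumptions.

```php
<?php
// Constructed allowlist of columns the CSV endpoint may expose (assumption).
const ALLOWED_COLUMNS = ['id', 'name', 'license_type', 'expires_on'];

/**
 * Turn request parameters into a parameterised query for the CSV endpoint.
 * Identifiers (select, orderBy) are checked against the allowlist because they
 * cannot be bound as placeholders; the filter value is returned as a PDO binding.
 * Returns [sql, bindings]; throws on anything outside the allowlist.
 */
function build_csv_query(array $params): array
{
    // select=col1,col2 -> every requested name must be allowlisted
    $requested = array_filter(array_map('trim', explode(',', $params['select'] ?? '')));
    $columns = array_values(array_intersect($requested, ALLOWED_COLUMNS));
    if ($columns === [] || count($columns) !== count($requested)) {
        throw new InvalidArgumentException('unknown column in select');
    }
    $sql = 'SELECT ' . implode(', ', $columns) . ' FROM licenses';  // table name assumed
    $bindings = [];

    // where=column:value -> column allowlisted, value bound (never concatenated)
    if (isset($params['where'])) {
        [$col, $value] = array_pad(explode(':', $params['where'], 2), 2, null);
        if (!in_array($col, ALLOWED_COLUMNS, true) || $value === null) {
            throw new InvalidArgumentException('invalid where filter');
        }
        $sql .= " WHERE $col = :filter_value";
        $bindings[':filter_value'] = $value;
    }

    // orderBy must be an allowlisted column; direction is forced to ASC or DESC
    if (isset($params['orderBy'])) {
        if (!in_array($params['orderBy'], ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('invalid orderBy column');
        }
        $dir = strtoupper($params['dir'] ?? '') === 'DESC' ? 'DESC' : 'ASC';
        $sql .= " ORDER BY {$params['orderBy']} $dir";
    }
    return [$sql, $bindings];
}

// Endpoint usage (e.g. index.php/api/csv?select=id,name&where=license_type:pro&orderBy=expires_on&dir=desc):
// [$sql, $bindings] = build_csv_query($_GET);
// $stmt = $pdo->prepare($sql);      // $pdo is an existing PDO connection (assumed)
// $stmt->execute($bindings);
// $out = fopen('php://output', 'w');
// while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) { fputcsv($out, $row); }
```

The browser-side button then only needs to know the endpoint URL and the parameter names, so nothing about the query itself appears in the page source.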
