Jasdeep Singh

Reputation: 3326

AJAX Security Help

I have an AJAX Function that calls a PHP Script and displays the result on a page.

So, I have two pages, say:

form.php - This is where the input is gathered and displayed
process.php - This is the PHP that is called; the result from this is displayed on form.php

Now, here is my AJAX Function:

function showList(str)
{
    // Clear the output area and stop when the input is empty
    if (str == "")
    {
        document.getElementById("message").innerHTML = "";
        return;
    }
    var xmlhttp;
    if (window.XMLHttpRequest)
    {   // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    }
    else
    {   // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function()
    {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
        {
            document.getElementById("message").innerHTML = xmlhttp.responseText;
        }
    };
    // Encode the value so special characters cannot break the query string
    xmlhttp.open("GET", "process.php?q=" + encodeURIComponent(str), true);
    xmlhttp.send();
}

As you can clearly see, the value gathered from the form is passed to process.php as follows:

process.php?q=1

With each query string, a list is pulled from the database. The same list can also be pulled in by typing domain.com/process.php?q=1,2,3, and so forth...

My question is, how can I fix this loophole so that only requests coming from my script have access to process.php and no one else?

Thanks in advance!

Upvotes: 1

Views: 641

Answers (5)

John Hunt

Reputation: 4072

Bit of a short answer, but cookies and SSL.

Upvotes: 0

Craig Edmunds

Reputation: 56

When you render form.php, render a hidden input with a random sequence as the value (the easiest option is a GUID). Store that string either in the user's cookie (encrypted) or in server-side session state. Whenever you render the form, render a new key.

Then send this value to process.php and in process.php compare the two values.

It's called an "anti-forgery token" - there's detail on the .NET implementation here: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/. There's probably a similar mechanism for PHP.

Upvotes: 1

Gus

Reputation: 7349

You could also check for the HTTP_X_REQUESTED_WITH header in the $_SERVER variable:

if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
    $requestedwith = strtolower($_SERVER['HTTP_X_REQUESTED_WITH']);
    if ($requestedwith === "xmlhttprequest") {
        // Requested by Ajax (the header is added by libraries such as jQuery, not by a bare XMLHttpRequest)
    }
}

Again, this could be spoofed too though.

Upvotes: 1

Fosco

Reputation: 38506

You could simply check the HTTP_REFERER variable ($_SERVER['HTTP_REFERER']), but that could be spoofed...

If you want it to be more secure, you could generate limited-use tokens. The Ajax call would also send the token, and it would be validated (and expired) on the server side.

Upvotes: 2
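The two token answers above (Craig Edmunds's anti-forgery token stored in the session, and Fosco's limited-use tokens that are validated and expired on the server) can be put together in a few lines of PHP. The listing below is an added example written for this page, not code from any of the answers; it shows three files in one listing (csrf.php, form.php, process.php), and the file names, the TOKEN_TTL value, the "token" query parameter and the X-Next-Token response header are all assumptions made for the example. It needs PHP 7.1 or later (random_bytes, hash_equals, nullable types).

```php
<?php
// ---------- csrf.php: shared helpers, included by form.php and process.php ----------
// Editor's example, not code from the answers. Tokens live in the PHP session;
// each one is single-use and expires after TOKEN_TTL seconds (assumed value).
session_start();

const TOKEN_TTL = 300;

function issue_token(): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits of randomness, 64 hex chars
    $_SESSION['ajax_tokens'][$token] = time() + TOKEN_TTL;
    return $token;
}

function consume_token(?string $token): bool
{
    if ($token === null || empty($_SESSION['ajax_tokens'])) {
        return false;
    }
    $now = time();
    foreach ($_SESSION['ajax_tokens'] as $stored => $expires) {
        if ($expires < $now) {                          // expired: drop it, never accept it
            unset($_SESSION['ajax_tokens'][$stored]);
            continue;
        }
        if (hash_equals($stored, $token)) {             // constant-time comparison
            unset($_SESSION['ajax_tokens'][$stored]);   // single use: replaying the same token fails
            return true;
        }
    }
    return false;
}

// ---------- form.php: embed a fresh token and send it with every AJAX call ----------
require 'csrf.php';
$token = issue_token();
?>
<input type="hidden" id="ajax_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
<div id="message"></div>
<script>
function showList(str) {
    if (str === "") { document.getElementById("message").innerHTML = ""; return; }
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function () {
        if (xhr.readyState !== 4) { return; }
        if (xhr.status === 200) {
            document.getElementById("message").innerHTML = xhr.responseText;
            // The server hands back the next single-use token with each response.
            var next = xhr.getResponseHeader("X-Next-Token");
            if (next) { document.getElementById("ajax_token").value = next; }
        }
    };
    var token = document.getElementById("ajax_token").value;
    xhr.open("GET", "process.php?q=" + encodeURIComponent(str) +
                    "&token=" + encodeURIComponent(token), true);
    xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");  // the header Gus's answer checks
    xhr.send();
}
</script>
<?php

// ---------- process.php: refuse anything that does not carry a valid, unused token ----------
require 'csrf.php';
if (!consume_token($_GET['token'] ?? null)) {
    http_response_code(403);
    exit('Forbidden');
}
header('X-Next-Token: ' . issue_token());            // so the page can make another call
$q = $_GET['q'] ?? '';
// ... look up the list for $q with a prepared statement and echo it here ...
```

What this does and does not buy you: a request without a fresh token from the same session gets a 403, so another site or a script that does not hold the session cannot drive process.php, and a captured token cannot be replayed once it has been consumed or has aged past TOKEN_TTL. It does not stop the logged-in user from reading the token out of their own page and calling process.php by hand, which is GrandmasterB's point below; for that, authenticate the session and authorise the data per user, exactly as for any other page. The X-Requested-With header is set here as a courtesy check only, since any client can send it.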

GrandmasterB

Reputation: 3445

You can't, really. Not 100% reliably. But AJAX requests also send you the domain's cookie values, so if you have an application that requires a user to log on, you can check that the requester is part of a valid session w/ your application, just like you would for any other page in the app.

Upvotes: 1
