rajp

Reputation: 1

Is appearance of PHP file names used in AJAX when viewing source insecure or not?

All the names of the PHP files which we use for AJAX functions appear when 'view source' is clicked. Is this OK or insecure? If insecure, what are some ways to correct them?

Upvotes: 0

Views: 58

Answers (4)

inf3rno

Reputation: 26137

It's secure, but you can hide the file names with htaccess if you want.

Upvotes: 0

Quentin

Reputation: 944009

If you let:

  • people get data out of your application via HTTP or
  • put data into the application via HTTP

then you need to take steps to ensure that only authorised people can do so, and that the data is sanitised appropriately on the server (e.g. escaped before being used in an SQL query).

This applies to:

  • URIs that you expect people to submit forms to
  • URIs that you expect JavaScript you pass to the browser to submit data to
  • Any other URI on your system

A URI is a URI, and anybody can submit any data to it. There is nothing special about the URIs you use for Ajax. You need to secure them in the same way that you secure the rest of the system.

Upvotes: 1
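An added example, not part of any answer on this page: a hypothetical AJAX endpoint (say `ajax/order.php`) that treats its URL as public and enforces authentication, input validation, a parameterised query and a per-user ownership check on the server. The file name, the `orders` schema, the `user_id` session key and the in-memory SQLite data are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
session_start();

// Send a JSON response with the given status code and stop.
function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($body);
    exit;
}

// 1. Authentication: knowing the URL from "view source" grants nothing.
//    'user_id' is assumed to be set by the application's login code.
if (empty($_SESSION['user_id'])) {
    respond(401, ['error' => 'login required']);
}

// 2. Input validation: accept only a positive integer id.
//    filter_input() returns null when the parameter is missing, false when invalid.
$orderId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($orderId === null || $orderId === false) {
    respond(400, ['error' => 'invalid id']);
}

// Constructed sample data standing in for the application's real database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, status TEXT)');
$pdo->exec("INSERT INTO orders VALUES (1, 10, 'shipped'), (2, 20, 'pending')");

// 3. Prepared statement: the values are bound, never concatenated into the SQL.
// 4. Authorisation: the WHERE clause limits results to rows owned by the caller,
//    so changing ?id= in the address bar cannot reach another user's order.
$stmt = $pdo->prepare('SELECT id, status FROM orders WHERE id = :id AND user_id = :uid');
$stmt->execute([':id' => $orderId, ':uid' => (int) $_SESSION['user_id']]);
$order = $stmt->fetch(PDO::FETCH_ASSOC);

if ($order === false) {
    // Same answer for "does not exist" and "not yours", so ids cannot be enumerated.
    respond(404, ['error' => 'not found']);
}
respond(200, ['order' => $order]);
```

Requesting this script directly in the address bar without a session returns 401, which is the check the answers describe: the endpoint behaves the same whether the request comes from the page's JavaScript or from anywhere else.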

Ian Wood

Reputation: 6573

It's fine - in fact they have to appear as JS is client-side.

The security risk comes when accessing the scripts themselves. So make sure that if you visit the script in question directly (putting the URL into your address bar) that it is not vulnerable.

Upvotes: 1

Pekka

Reputation: 449613

No, exposing the .php extension in an Ajax call (or in any other URL) is not a security problem in itself.

Upvotes: 1
