AJAX Security Help
I have an AJAX Function that calls a PHP Script and displays the result on a page.
So, I have two pages, say:
form.php - This is where the input is gathered and displayed.
process.php - This is the PHP that is called, and the result from this is displayed on form.php.
Now, here is my AJAX Function:
function showList(str)
{
    if (str == "")
    {
        document.getElementById("message").innerHTML = "";
        return;
    }
    var xmlhttp;
    if (window.XMLHttpRequest)
    {   // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    }
    else
    {   // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function()
    {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
        {
            document.getElementById("message").innerHTML = xmlhttp.responseText;
        }
    };
    // encode the value so characters like & or # cannot break the query string
    xmlhttp.open("GET", "process.php?q=" + encodeURIComponent(str), true);
    xmlhttp.send();
}
As you can clearly see, the value gathered from the form is passed to process.php as follows:
process.php?q=1
With each query string, a list is pulled from the database. The same list can also be pulled in by typing the domain.com/process.php?q=1,2,3, or so forth...
My question is, how can I fix this loophole so that only requests coming from my script have access to process.php and no one else?
Thanks in advance!
You could simply check the HTTP_REFERER variable ($_SERVER['HTTP_REFERER']), but that could be spoofed...
If you want it to be more secure, you could generate limited-use tokens. The Ajax call would also send the token, and it would be validated (and expired) on the server side.
You could also check for the HTTP_X_REQUESTED_WITH header in the $_SERVER variable:
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
    $requestedwith = strtolower($_SERVER['HTTP_X_REQUESTED_WITH']);
    if ($requestedwith === "xmlhttprequest") {
        // Requested by Ajax
    }
}
Again, this could be spoofed too though.
You can't, really. Not 100% reliably. But AJAX requests also send you the domain's cookie values, so if you have an application that requires a user to log on, you can check that the requester is part of a valid session with your application, just like you would for any other page in the app.
When you render form.php, render a hidden input with a random sequence as the value (the easiest option is a GUID). Store that string either in the user's cookie (encrypted) or in server-side session state. Whenever you render the form, render a new key.
Then send this value to process.php and in process.php compare the two values.
It's called an "Anti forgery token" - there's detail on the .net implementation here http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/, there's probably a similar mechanism for php.
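The anti-forgery token described in this answer, combined with the logged-in-session check from the answer above, written out for the form.php / process.php pair as an added example (not code from the question or any answer). It assumes both pages call session_start(), that the login code sets a hypothetical $_SESSION['user_id'], and that showList() appends the hidden input's value to the request as an extra token= parameter.

```php
<?php
// Added example: single-use anti-forgery token for form.php / process.php.
// Assumption: login sets $_SESSION['user_id'] (hypothetical key name).

// form.php side: mint a fresh token each time the form is rendered and keep the
// server-side copy in the session. $session is passed by reference so the real
// call is issue_csrf_token($_SESSION).
function issue_csrf_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));   // CSPRNG, 64 hex characters
    $session['csrf_token'] = $token;
    return $token;
}

// Hidden input for form.php; showList() should read #csrf_token and send
// "process.php?q=" + encodeURIComponent(str) + "&token=" + encodeURIComponent(token).
function render_token_input(array &$session): string
{
    $token = issue_csrf_token($session);
    return '<input type="hidden" id="csrf_token" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// process.php side: refuse anything that is not a logged-in request carrying the
// token minted for this form render. Real call: validate_request($_GET, $_SESSION).
function validate_request(array $get, array &$session): bool
{
    if (empty($session['user_id'])) {                 // no login, no list
        return false;
    }
    if (!isset($get['token'], $session['csrf_token'])) {
        return false;
    }
    // hash_equals() is constant-time; a plain == comparison leaks timing
    $ok = hash_equals($session['csrf_token'], (string) $get['token']);
    unset($session['csrf_token']);                    // single use: expire it either way
    return $ok;
}

// Constructed self-check: valid call passes, replay / missing / forged token fails.
$session = ['user_id' => 42];
$token   = issue_csrf_token($session);
assert(validate_request(['q' => '1', 'token' => $token], $session) === true);
assert(validate_request(['q' => '1', 'token' => $token], $session) === false); // replay
$token   = issue_csrf_token($session);
assert(validate_request(['q' => '1,2,3'], $session) === false);                // no token
assert(validate_request(['q' => '1', 'token' => str_repeat('0', 64)], $session) === false);
```

This stops another site (or a bookmarked domain.com/process.php?q=1 link) from pulling the list on a user's behalf, but a user who is logged in can still copy the token out of the page and call process.php directly, which is the "you can't, 100% reliably" point made above.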
Bit of a short answer, but cookies and SSL.