Databases
StackOverflow2013
Postsdbo
POJquery $.post and PHP - Prevent the ability to use script outside of main website
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POJquery $.post and PHP - Prevent the ability to use script outside of main website
    primarykey
    data
    text
    <p>I have a PHP script setup using Jquery $.post which would return a response or do an action within the targeted .php file within $.post.</p> <p>Eg. My page has a form where you type in your Name. Once you hit the submit form button, $.post is called and sends the entered Name field value into "mywebsite.xyz/folder/ajaxscript.php"</p> <p>If a user was to visit "mywebsite.xyz/folder/ajaxscript.php" directly and somehow POST the data to the script, the script would return a response / do an action, based on the submitted POST data.</p> <p>The problem is, I don't want others to be able to periodically "call" an action or request a response from my website without using the website directly. Theoretically, right now you could determine what Name values my website allows without even visiting it, or you could call an action without going through the website, by simply visiting "mywebsite.xyz/folder/ajaxscript.php"</p> <p>So, what measures can I take to prevent this from happening? So far my idea is to ensure that it is a $_POST and not a $_GET - so they cannot manually enter it into the browser, but they could still post data to the script...</p> <p>Another measure is to apply a session key that expires, and is only valid for X amount of visits until they revisit the website. ~ Or, just have a daily "code" that changes and they'd need to grab this code from the website each day to keep their direct access to the script working (eg. I pass the daily "code" into each post request. I then check that code matches in the ajax php script.)</p> <p>However, even with these meaures, they will STILL have access to the scripts so long as they know how to POST the data, and also get the new code each day. Also, having a daily code requirement will cause issues when visiting the site at midnight (12:00am) as the code will change and the script will break for someone who is on the website trying to call the script, with the invalid code being passed still.</p> <p>I have attempted using .htaccess however using: <strong>order allow,deny deny from all</strong></p> <p>Prevents legitimate access, and I'd have to add an exception so the website's IP is allowed to access it.. which is a hassle to update I think. Although, if it's the only legitimate solution I guess I'll have to.</p> <p><strong>If I need to be more clear please let me know.</strong></p>
    singulars
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PTQuestion
    1. This table or related slice is empty.
    1. USJoe
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    3. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POJquery $.post and PHP - Prevent the ability to use script outside of main website
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POJquery $.post and PHP - Prevent the ability to use script outside of main website
      1. USgabtub
      1. VTFavorite
    3. VO
      singulars
      1. POJquery $.post and PHP - Prevent the ability to use script outside of main website
      1. This table or related slice is empty.
      1. VTUpMod
    1. COTim Here... Reply to everyone: Thanks for your help. I have used a combination of things: a). I only accept the data sent as $_POST b). I send all $.post through a single .php file, which then "includes" the variable. eg: $.post("poster.php",{ajax_file: ajax_file}) c). I obfuscate the "ajax_file", and I don't include the full path either. So there is no way to know the entire path to the ajax file unless they are good at guessing. d). All direct ajax files exit();, if not loaded from poster.php (simple var exists test) - even if they get to the file directly, it won't work.
      singulars
      1. POJquery $.post and PHP - Prevent the ability to use script outside of main website
      1. USJoe
    2. COcontinued... Tim Here... Reply to everyone: e). I pass a session that changes on a periodic basis (weekly, biweekly,two-daily,monthly,etc.) - if the session doesn't match, they can't get in. f). They have to have visited the website at least once, as the session must exist to state they have visited the website. g). I check using "if ($_SERVER['HTTP_X_REQUESTED_WITH'] != 'XMLHttpRequest'){exit();}" - since jquery posts send this to the server apparently.
      singulars
      1. POJquery $.post and PHP - Prevent the ability to use script outside of main website
      1. USJoe
    3. COThe only way to bypass would be to send valid post vars to the loader, with the correct obfuscated ajax php file name. They also need to pass the correct periodic code, and have had visited the site (session must exist for them) and send the HTTP_X_REQUESTED_WITH as XMLHttpRequest somehow too... I wrote all this up to help anyone else wanting to fix a similar problem. I'm pretty sure it can still be bypassed though. There is always the double-cookie solution found elsewhere. Goodluck everyone else. Also, please do point out any security holes and methods to plug those you see in my method.
      singulars
      1. POJquery $.post and PHP - Prevent the ability to use script outside of main website
      1. USJoe
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload