How to protect PHP scripts?

If I have an AJAX call to a PHP script like this (using jQuery)

$.ajax({ url: "../myscript.php" });

and myscript.php looks like this:

<?php
    //code that does something to db
 ?>

I want to know how to prevent the user from simply switching to example.com/myscript.php to execute the script.

+4
3 answers

Some answers here give you an overview of the concepts behind your question; let me give you a more pragmatic approach (you should at least read and understand what the others are saying about it!).

You just need to ask yourself one question: should your application handle every request for myscript.php?

Say you only want to handle requests that come from your own page. Then, in the file that serves the page, create a token, store it in the session and send it along with the AJAX call:

<?php
// somefile.php (this file serves the page that contains your AJAX call)
session_start();
//...
// creates unique, unpredictable tokens (random_bytes needs PHP >= 7)
function createNewToken() {
    return bin2hex(random_bytes(32));
}
$_SESSION['token'] = createNewToken();
?>

<!-- add the token as a JS variable and send it back in your AJAX call;
     somewhere in the page you'll have something similar to this: -->
<script>
  // json_encode emits a properly quoted JS string literal
  var token = <?php echo json_encode($_SESSION['token']); ?>;
  $.ajax({
    url: "myscript.php",
    type: "POST",
    data: { token: token /* , ...your form_data */ }, // include the token here!
    //...
  });
</script>

And then in the script:

<?php
// myscript.php
session_start();

// you can check if it is an AJAX call, if the user is logged in, and then the token:
if (!isset($_SESSION['token'])) {
  header("HTTP/1.0 403 Forbidden");
  die("Direct access not allowed!");
}

// Assuming your AJAX is a POST though you didn't tell us.
// hash_equals(): constant-time, and avoids PHP's loose (==/!=) string comparison.
if (!isset($_POST['token']) || !is_string($_POST['token'])
    || !hash_equals($_SESSION['token'], $_POST['token'])) {
  header("HTTP/1.0 400 Bad Request");
  die("You didn't provide a valid token!");
}

// do something with your DB

If instead you only want to check that the user is logged in:

<?php
// myscript.php
session_start();
// Check if logged in user
if (!isset($_SESSION['loggedIn']) || !$_SESSION['loggedIn']) {
  header("HTTP/1.0 403 Forbidden");
  die("You need to be logged in!");
}

// Do something with your DB


+2
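A complete, single-file version of the token-plus-login pattern from this answer, added here as an example (it is not the answerer's code). It assumes PHP 7.1 or later, that your login code puts a `user_id` into the session, and that the DB work is a placeholder; `myscript.php` serves the page on GET and is the AJAX handler on POST:

```php
<?php
// Added example, not the answer's own code. Save as myscript.php.
// Assumed: login code sets $_SESSION['user_id']; the DB work is a placeholder.
session_start();

// Fresh, unpredictable token per session (not rand()/uniqid(), which are guessable).
function createNewToken(): string {
    return bin2hex(random_bytes(32));
}

function currentToken(): string {
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = createNewToken();
    }
    return $_SESSION['token'];
}

function isLoggedIn(): bool {
    return !empty($_SESSION['user_id']);
}

// Constant-time comparison; == / != would be open to PHP type juggling.
function tokenIsValid(?string $submitted, string $expected): bool {
    return is_string($submitted) && hash_equals($expected, $submitted);
}

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // --- the AJAX handler ---
    if (!isLoggedIn()) {
        deny(403, 'You need to be logged in!');
    }
    // jQuery adds this header on same-origin calls. Trivial to forge, so it is a
    // guard against typed-in URLs and plain form posts, not a security boundary.
    if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        deny(400, 'Expected an XMLHttpRequest');
    }
    if (!tokenIsValid($_POST['token'] ?? null, currentToken())) {
        deny(400, "You didn't provide a valid token!");
    }
    // ... do something with your DB here; use $_SESSION['user_id'] to decide
    //     what this user is allowed to change ...
    header('Content-Type: application/json');
    echo json_encode(['ok' => true]);
    exit;
}

// --- GET: render the page that makes the AJAX call ---
$token = currentToken();
?>
<!DOCTYPE html>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
  // json_encode gives a correctly quoted JS string literal.
  var token = <?= json_encode($token) ?>;
  $.ajax({
    url: "myscript.php",
    type: "POST",
    data: { token: token, item: 42 },   // the token travels with the form data
    success: function (r) { console.log(r); }
  });
</script>
```

The token ties the call to a page your server rendered in this session, which is what stops another site from triggering the script (CSRF) and stops casual typed-in URLs. It does not stop a logged-in user who copies the token out of the page: anything the browser can send, the user can send by hand. What the request may do to the DB still has to be decided on the server from `$_SESSION['user_id']`.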

Ajax is nothing special.

An XmlHTTP request (whether POST or GET) is an ordinary HTTP request, and a tool such as Live HTTP Headers shows you exactly what the browser sends, so anyone can replay it.

Everything the request contains is under the client's control (GET and POST parameters, the URL itself, cookies, ...).

For every input ask yourself: "can I trust this?" The answer is no. Validate it, and escape every output for the format you return (htmlentities for HTML, JSON escaping for JSON, an SQL escaper or a library that does it for you for SQL), whether the script emits HTML, JSON or CSV.

Beyond that, things to consider:

  • Do not change state on a GET request (use the POST, PUT or DELETE HTTP verbs); otherwise a plain URL in a link or an image tag is enough to trigger the action.
  • Use a session cookie (the PHP session) to recognise the user across HTTP requests, and keep in mind that a cookie can be stolen: what happens to your script if it is?
  • Require authentication. HTTP authentication (an .htpasswd file) also works for ajax calls, but send the credentials over SSL.
  • Add an ACL (access control list) so that each user can only call what they are allowed to, ajax calls included, and answer everything else with a 403 HTTP status.

Finally, even an authenticated user can call your ajax script far more often than you expect, on purpose or not (this is a DOS, or a DDOS with many of them). Limit the rate per user or per IP address (keeping in mind that several users can share one IP), exactly as you would for any other script, ajax or not.

There is nothing ajax-specific to do. What you need is:

  • an ACL
  • strict handling of everything the client sends.
+8
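An ACL plus a per-user rate limit in front of the DB work, as this answer's bullets describe, added here as an example that is not the answerer's code. It assumes PHP 7.4 or later, that the login code stores `user_id` and `role` in the session, and it keeps the rate-limit counters in a JSON file under the system temp directory (a stand-in for APCu or Redis); the role table and the 30-calls-per-minute limit are made-up values:

```php
<?php
// Added example, not the answer's own code.
// Assumed: login code sets $_SESSION['user_id'] and $_SESSION['role'];
// the counter file is a stand-in for APCu/Redis; the ACL table is made up.
session_start();

// Role -> actions this role may invoke. Anything not listed is denied.
const ACL = [
    'admin'  => ['read', 'update', 'delete'],
    'editor' => ['read', 'update'],
    'viewer' => ['read'],
];

function allowed(string $role, string $action): bool {
    return in_array($action, ACL[$role] ?? [], true);
}

// Sliding window: at most $max calls per $window seconds for $key.
// Returns true if this call may proceed. The file is locked so that
// concurrent calls do not lose updates; an unusable store fails closed.
function rateLimitOk(string $key, int $max, int $window, ?string $file = null): bool {
    $file = $file ?? sys_get_temp_dir() . '/ajax-ratelimit.json';
    $fh = fopen($file, 'c+');                  // create if missing, do not truncate
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;
    }
    $raw  = stream_get_contents($fh);
    $data = $raw === '' ? [] : (json_decode($raw, true) ?: []);
    $now  = time();
    // keep only the timestamps that are still inside the window
    $hits = array_values(array_filter($data[$key] ?? [], fn($t) => $t > $now - $window));
    $ok = count($hits) < $max;
    if ($ok) {
        $hits[] = $now;
    }
    $data[$key] = $hits;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($data));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

function deny(int $status, string $msg): void {
    http_response_code($status);
    exit($msg);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'Use POST: this script changes state');
}
if (empty($_SESSION['user_id'])) {
    deny(403, 'You need to be logged in!');
}

$action = $_POST['action'] ?? 'read';
if (!allowed($_SESSION['role'] ?? 'viewer', $action)) {
    deny(403, 'Not allowed');
}

// Key on the user rather than only the IP: users behind one NAT share an address.
if (!rateLimitOk('user:' . $_SESSION['user_id'], 30, 60)) {
    deny(429, 'Too many requests');
}

// ... the DB work for $action, with parameterised queries ...
```

Deciding what the caller may do from the session on the server, rather than from anything in the request, is the part that survives a user calling the URL by hand; the rate limit only bounds how much damage a legitimate account can do.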

There is no way to stop the user from going to example.com/myscript.php themselves.

An AJAX call is just an HTTP request to a URL. Anything the script can do when called from your AJAX code, it can do when called directly. The PHP runs on your server and the JavaScript on the user's machine, so they are different security principals, and nothing the JavaScript knows can be kept from the user.

So in what cases could there be a separate security principal? For example, you could deploy the client-side JavaScript on some kind of tamper-resistant kiosk. Then you could keep a secret value in the kiosk that is shared with the server, and the kiosk would send that secret with each request for the server to check.

But if you are doing this for usability, to prevent the script from being called accidentally, then yes, maybe try tying it to Dick Pitt.

+1