[fpcorso]

Greetings Everyone:

I am a php programmer, who is trying to use more ajax. I have the principles of AJAX down; however, now I have come across some problems. My major one is how do programmers deal with security. Lets say so simplicity sakes, I am building a page that has a textarea that dynamically saves to the database. My problem is, if I were to do something on large scale, say a customer lookup for sales report.

Now, a normal AJAX request would be something like:

xmlhttp.open("GET","salesinfo.php?customer="+x,true);

Where x would be the customer's name or user id, etc. So, now anyone can would be able to go that page, and go through any customer's they know and get the report as well. How do I build AJAX, yet not have any one able to get other's info?

[Dormilich]

send some kind of verification code along in the query (hm, maybe it automaticly sends the cookies, so you can check in $_COOKIE). similar to the "permanently logged in" feature.

but to be honest, an AJAX request is not different from a browser request, so the same mechanics apply.

This post has been edited by Dormilich: 23 February 2011 - 11:05 AM

[forest51690]

Hi Frank,

No, as it is, there is nothing in your system that would prevent someone from retrieving the info of any customer. And to my knowledge, there is no easy way to prevent it.

But I have an idea. As it is, to retrieve the info, you only supply the customer id number. But what if you also had to supply another number, a verification number (sort of like a password), like this:

xmlhttp.open("GET","salesinfo.php?customer="+x+"&verification="+vcode,true);

where vcode is the verification code. The server checks the verification code and refuses the request if it is incorrect.

Now how does the AJAX script get the verification code in the first case? It would be provided by the server—embedded in the page— when the page loads. And the code would also be stored in a database on the server as well.

As you can see, this solution requires a lot of back-end coding, but it could work.

[fpcorso]

Thank you for your responses.

Dormilich, on 23 February 2011 - 11:04 AM, said:

but to be honest, an AJAX request is not different from a browser request, so the same mechanics apply.

However, if I were not to use AJAX, I would use POST statements that most people would not be able to easily replicate.

forest51690, on 23 February 2011 - 11:09 AM, said:

Hi Frank,

No, as it is, there is nothing in your system that would prevent someone from retrieving the info of any customer. And to my knowledge, there is no easy way to prevent it.

But I have an idea. As it is, to retrieve the info, you only supply the customer id number. But what if you also had to supply another number, a verification number (sort of like a password), like this:

xmlhttp.open("GET","salesinfo.php?customer="+x+"&verification="+vcode,true);

where vcode is the verification code. The server checks the verification code and refuses the request if it is incorrect.

Now how does the AJAX script get the verification code in the first case? It would be provided by the server—embedded in the page— when the page loads. And the code would also be stored in a database on the server as well.

As you can see, this solution requires a lot of back-end coding, but it could work.

Hmmm...This theory does sound like it would work. Basically, the user then would only be able to see their own verification if they went snooping.

Now, what do major companies, such as Google, do? For instance, say in Google Docs or Calender, do they do a similar process for their AJAX saving?

[Dormilich]

fpcorso, on 23 February 2011 - 07:28 PM, said:

However, if I were not to use AJAX, I would use POST statements that most people would not be able

you can do POST with AJAX as well and faking a POST is equally simple: write up your own form and give it the submit URL you want to post to. you can also play with FireBug, where you can edit pretty much everything in the document tree on-the-fly.

[codeprada]

each session should have a custom key randomly generated by the server. use AJAX to fetch that key. eg.

xmlhttp.open('GET', 'key.php', true);
xmlhttp.send();

recieve key...

...
var key = xmlhttp.responseText;
document.getElementById("key").value = key; //store key in hidden field named key

upon sending the next request to the server for information from the database, the user's id or username, whichever u choose, should be used to make another unique key via a hash function. N.B you're still sending the id or username as plaintext but if the server's hashed key and the client's hashed key doesn't match then deny the request.

and as Dormilich said use post when sending sensitive information

This post has been edited by codeprada: 23 February 2011 - 11:39 AM

[fpcorso]

I was not aware that AJAX can do POST, as I am quite new to AJAX. However, when I stated "most people would not be able to easily replicate." I was referring to the fact that it is not as easy as changing the ?customer=x to ?customer=y to look at another customer. Again, thank you for your response.

This post has been edited by fpcorso: 23 February 2011 - 11:38 AM

[Dormilich]

be aware that there are minor differences between a POST and a GET request (different request headers and parameter insertion points), although that is mentioned in every tutorial.

EDIT: in principle, AJAX is capable of all HTTP requests (as long as the server doesn’t deny them), like HEAD, TRACE, OPTION, PUT. just imagine the XMLHttpRequest object as a small User Agent written in Javascript.

This post has been edited by Dormilich: 23 February 2011 - 11:45 AM