
In the past when I have written HTML with jQuery, in order to access specific PHP pages I have simply always done this:

user.php?Action=1&User=Adrian.....

And this would return plain text JSON, which jQuery converts into a javascript object. I have a few questions regarding this method, though.

  1. Is this safe? JSON is being passed back in plain text. Should it be used over HTTPS?
  2. How is the best way to prevent direct access to PHP? Simply checking for an active session?
  3. Is this whole approach ok?

Cheers, Adrian

  • 1
    Verify an active session in PHP or a login if necessary. If any of your data is sensitive, you should only serve it via SSL. Consider also using a token that gets sent with the AJAX request to prevent cross site request forgeries. The XSRF token value is compared against the PHP session. Commented Aug 28, 2012 at 23:49
  • Why would you want to prevent direct access to PHP? (First off, that's impossible - if Ajax can access it, the user can access it.) If it's because of security, you have a hole. Also, why do you want it over HTTPS? Is there sensitive data inside? Commented Aug 28, 2012 at 23:49

3 Answers

1

For number 2, it depends what you're doing.

If you are doing anything with the 'user.php' file to make any changes to the DB, you would want to use POST rather than GET (this hides the parameters from the URL bar, and is safe if your page is getting crawled/scraped).

To use POST, in your user.php file replace instances of $_GET with $_POST.

In your jQuery Ajax call, make sure parameter "type" is set to "POST":

type: "POST",

GET requests should only ever be for doing anything that gets and displays data from your data model (DB, whatever). POST requests are for making any updates, additions (stricter would be PUT), or deletions (DELETE).

If you want only that specific user to access the user.php script, then you would want to check the user's session and make sure it matches with the user trying to access the particular user parameter.



0

1) It depends on what you're transferring. If you're transferring credit card data via HTTPS, definitely. If you're transferring less sensitive data, maybe not.

2 and 3) Make sure you check your input for SQL injection, just as you would with any $_GET variable. You should really treat it how you would normally treat $_GET data.


0

Whenever I've allowed JSON/crud access, I've always secured the PHP page serving it (user.php) behind session-based access-control rules (role-based or group-based permissions). I then white-list which tables/fields that user/group/role is allowed to access. The level of sophistication depends on the nature of the data that is being served.

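The three answers and the first comment each cover one piece of the same handler: POST for writes and a session that matches the User parameter (first answer), prepared statements instead of trusting the parameters (second answer), role-based field whitelisting (third answer), and an XSRF token compared against the session (comment). Below is an added example of a user.php that combines them; it is not code from any of the answers. It assumes a login script has already stored user_id, username, role and a csrf_token in the PHP session, that a hypothetical db.php returns a PDO connection, and that the users table and its columns are made up for the example.

```php
<?php
// Added example, not from the original answers. Assumes login has set
// $_SESSION['user_id'], ['username'], ['role'] and ['csrf_token']
// (e.g. bin2hex(random_bytes(32))). The table and column names are hypothetical.
declare(strict_types=1);

session_start();

/** @var PDO $pdo hypothetical include that returns a configured PDO connection */
$pdo = require __DIR__ . '/db.php';

// Always answer with JSON, never HTML, so a browser will not render the body.
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');

function respond(int $status, array $payload): void
{
    http_response_code($status);
    echo json_encode($payload, JSON_THROW_ON_ERROR);
    exit;
}

// Answer 1 / answer 3: no active session, no data at all.
if (empty($_SESSION['user_id']) || empty($_SESSION['username'])) {
    respond(401, ['error' => 'not logged in']);
}

// Answer 1: reads come from $_GET, writes only from $_POST.
$isPost  = ($_SERVER['REQUEST_METHOD'] === 'POST');
$input   = $isPost ? $_POST : $_GET;
$action  = (int) ($input['Action'] ?? 0);   // 1 = read profile, 2 = update email
$user    = (string) ($input['User'] ?? '');
$role    = (string) ($_SESSION['role'] ?? 'user');

// Comment under the question: every state-changing request must be a POST
// carrying the XSRF token, compared against the session copy in constant time.
if ($action === 2) {
    if (!$isPost) {
        respond(405, ['error' => 'updates must use POST']);
    }
    $token = (string) ($_POST['csrf'] ?? '');
    // Guard the empty case explicitly: hash_equals('', '') would be true.
    if ($token === '' || !hash_equals((string) ($_SESSION['csrf_token'] ?? ''), $token)) {
        respond(403, ['error' => 'bad or missing XSRF token']);
    }
}

// Answer 1: the User parameter must match the logged-in user unless an admin.
if ($user !== $_SESSION['username'] && $role !== 'admin') {
    respond(403, ['error' => 'not allowed to access this user']);
}

// Answer 3: whitelist of columns each role may see. Column names come only
// from this table, never from the request, so they can be interpolated safely.
const FIELDS_BY_ROLE = [
    'user'  => ['username', 'email'],
    'admin' => ['username', 'email', 'last_login'],
];
$fields = FIELDS_BY_ROLE[$role] ?? [];
if ($fields === []) {
    respond(403, ['error' => 'role has no readable fields']);
}
$select = implode(', ', array_map(fn(string $f): string => "`$f`", $fields));

switch ($action) {
    case 1: // read: answer 2, the value is bound, not concatenated
        $stmt = $pdo->prepare("SELECT $select FROM users WHERE username = ?");
        $stmt->execute([$user]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        respond($row ? 200 : 404, $row ?: ['error' => 'no such user']);

    case 2: // update email: validate the value, then bind it
        $email = filter_var($_POST['Email'] ?? '', FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            respond(400, ['error' => 'invalid email']);
        }
        $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE username = ?');
        $stmt->execute([$email, $user]);
        respond(200, ['updated' => $stmt->rowCount()]);

    default:
        respond(400, ['error' => 'unknown action']);
}
```

On the jQuery side the matching update call sets type: "POST" and includes the token in the data, for example data: { Action: 2, User: "Adrian", Email: "...", csrf: token } where token was written into the page by the server at render time. Note that none of this "prevents direct access" to user.php, as the second comment points out; it only ensures that whoever calls it, from a browser or a script, is logged in, is acting on their own record, and cannot be tricked into a write by another site.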
