
I need to access this PHP script with JavaScript. I have this PHP script secured in so many ways: only for my own IP, only for my domain, direct access not allowed, secured by htaccess, and we know so many other ways to secure this.

And now I have this JavaScript, so you can access this JavaScript and get data from my database. And you can do it like a monster... you can set up a bot to send #input1 and get all my data.

I tried to find a solution for more than 14 hours, and read many posts and sites, but no luck. NO way. OHHH MY GOD, is this possible?

Here is a part of my code: JavaScript

$.getScript("http://www.domain.com/getdata.php?data="+$("#input1").val(), function(){
    if (resultData["field2"] != '') {
        $("#input2").val(unescape(resultData["field2"]));
        $("#input3").val(unescape(resultData["field3"]));
    }   
});

And PHP

header('content-type: application/json; charset=utf-8');

// here my MySQL connection and query.... where field1 = #input1

if ($row = mysql_fetch_assoc($res)) {
    // Note: the column values are spliced into a JavaScript literal as-is,
    // without any escaping, and the client decodes them with unescape().
    echo "var resultData = {
        'field2'    : '" . $row['field2'] . "',
        'field3'    : '" . $row['field3'] . "'
    }";
}

I don't believe we have no solution for this! I lost my day trying to protect this!

I need to protect this only for whoever is browsing my website, or maybe per domain, or per request =/

No way!

  • Are the site users authenticated? Commented Jul 19, 2013 at 3:36
  • This has nothing to do with JavaScript. Everybody could send any requests to your server; he doesn't even need a browser for that. Commented Jul 19, 2013 at 3:36
  • As far as security is concerned, encoding is no better than plain text. Commented Jul 19, 2013 at 3:37
  • Requiring basic HTTP Auth for both your website and that PHP script (via htaccess or else) should solve your issue, shouldn't it? Commented Jul 19, 2013 at 3:37
  • As an aside, why are you using $.getScript() as a data retrieval mechanism? And having done that, why is your PHP setting content-type:application/json when in fact it does not return JSON? Commented Jul 19, 2013 at 3:43

3 Answers


Set a session variable in your regular web pages, and have the getdata.php script check for the session variable before returning any data.


2 Comments

and SSL and secure cookies.
Well... SSL will do nothing in this case! You are mistaken or misread the post! But the session... I'm going to try that now!
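One way to implement the session check this answer describes, as an added example that is not the answerer's code: a regular page of the site stamps the session, and getdata.php refuses to run unless that stamp is present and recent. The session cookie is still handed to anything that loads a page, so a scripted client that fetches a page first will get one; the per-session call counter is what actually bounds how much it can pull. It assumes PHP 7.3 or newer (array form of session_set_cookie_params) and leaves the database query itself out.

```php
<?php
// Added example (not from the original answer): gate getdata.php on a
// session flag that only a normally rendered page of the site sets.

function start_site_session(): void
{
    // Cookie flags: not readable from script, not sent on cross-site
    // requests, and only over HTTPS when the page itself was served that way.
    session_set_cookie_params([
        'lifetime' => 0,
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// --- call this in every regular page (e.g. the one that embeds the JS) ---
function mark_site_visitor(): void
{
    start_site_session();
    $_SESSION['site_visitor']  = time(); // when a real page was last served
    $_SESSION['getdata_calls'] = 0;      // per-session call counter
}

// --- call this at the top of getdata.php, before touching the database ---
function require_site_visitor(int $max_age = 3600, int $max_calls = 200): void
{
    start_site_session();
    $since = (int)($_SESSION['site_visitor'] ?? 0);
    if ($since === 0 || time() - $since > $max_age) {
        // No page of ours was served to this session recently: refuse.
        http_response_code(403);
        exit('Forbidden');
    }
    // Cheap per-session cap: a client that obtained a cookie still cannot
    // walk the whole table one row per request without being cut off.
    $_SESSION['getdata_calls'] = (int)($_SESSION['getdata_calls'] ?? 0) + 1;
    if ($_SESSION['getdata_calls'] > $max_calls) {
        http_response_code(429);
        exit('Too many requests');
    }
}

// getdata.php then looks like this; the query and the JSON output follow.
require_site_visitor();
header('Content-Type: application/json; charset=utf-8');
// ... run the prepared query for $_GET['data'] and echo json_encode($row) ...
```

The check is deliberately placed before the database connection is opened, so a rejected request costs the server nothing beyond the session lookup.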

We have no authentication for users. I just don't want anyone doing a hard job on the database server!

Then use rate limiting, and maybe some time/size limits on your SQL queries. No need for "securing access to the page".
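The rate limiting and query bounds this answer suggests, as an added example rather than the answerer's code: a fixed-window counter per client address in front of the lookup, an input length cap, a prepared statement with LIMIT 1, and a server-side execution time cap. It assumes the APCu extension is loaded, a MySQL 5.7.8+ server (for max_execution_time), and placeholder table, column and credential names.

```php
<?php
// Added example (not from the original answer): per-IP rate limit plus
// bounded query for getdata.php. Assumes APCu and PDO/MySQL are available.

// Allow at most $limit calls per $window seconds per client address.
function rate_limit_exceeded(string $ip, int $limit = 30, int $window = 60): bool
{
    // One counter per (address, window); the key rolls over every $window s.
    $key = 'getdata:' . $ip . ':' . intdiv(time(), $window);
    // apcu_add only creates the counter if it does not exist yet, with a TTL
    // so old windows expire on their own.
    apcu_add($key, 0, $window);
    $n = apcu_inc($key);
    // Fail open if the cache is unavailable: a broken limiter should not
    // take the whole endpoint down.
    return $n !== false && $n > $limit;
}

// Look up one row by field1; returns null when there is no match.
function lookup(PDO $pdo, string $field1): ?array
{
    // Refuse empty or oversized input before it reaches the database.
    if ($field1 === '' || strlen($field1) > 64) {
        return null;
    }
    // Prepared statement: the value is never spliced into the SQL text.
    // LIMIT 1 bounds the work a single request can cause.
    $stmt = $pdo->prepare('SELECT field2, field3 FROM items WHERE field1 = ? LIMIT 1');
    $stmt->execute([$field1]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (rate_limit_exceeded($ip)) {
    http_response_code(429);
    header('Retry-After: 60');
    exit;
}

// Placeholder DSN and credentials.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// Cap SELECT execution time for this connection (milliseconds, MySQL 5.7.8+).
$pdo->exec('SET SESSION max_execution_time = 2000');

// Return real JSON instead of a JavaScript snippet.
header('Content-Type: application/json; charset=utf-8');
echo json_encode(lookup($pdo, (string)($_GET['data'] ?? '')) ?? new stdClass());
```

Because the response is plain JSON here, the client would read it with $.getJSON rather than $.getScript; the rate limit itself does not care which.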



After a good night of sleep, my brain can think better! And I thought of passing some MD5 code in the URL of the JavaScript. And then I found it:

Thanks to rmorero

YEEEEEEEEEAAAAAAAHHHHHHHHHHH!!!! This is it!

In the source file that calls the JS:

// Shared secret; must be the same one getdata.php uses (placeholder value)
$secret ="ABC1232";

// Payload to sign: issue time and the page the token belongs to
$item = array(
  "time"=>time(),
  "token_id"=>"<page_url>"
);

// HMAC over the JSON payload, then the payload itself, both base64-encoded
$signed = base64_encode(hash_hmac("sha256",json_encode($item),$secret));
$item = base64_encode(json_encode($item));

// base64 output can contain '+', '/' and '=', so URL-encode both parameters
$ajax_url = "myscript.php?signed=" . rawurlencode($signed) . "&item=" . rawurlencode($item);

In my case I'm going to use this:

// rawurlencode(): base64 output contains '+', '/' and '=', which a raw query string would mangle
getdata.php?signed=<?php echo rawurlencode($signed) ?>&item=<?php echo rawurlencode($item) ?>&data="+$("#input1").val()

In the PHP file that connects to your MySQL or whatever:

// Decode the payload sent by the page
$item = json_decode(base64_decode($_REQUEST["item"]));

if(!is_object($item)){
  die("Invalid token");
}

$timeout = 3600; // seconds a token stays valid

if($item->time < (time()-$timeout)){
  die("Invalid token - timeout");
}

if($item->token_id !== "<page_url>"){
  die("Invalid token - page url");
}

// Recompute the HMAC over the same JSON and compare in constant time
$secret ="ABC1232";
$valid = hash_equals(base64_encode(hash_hmac("sha256",json_encode($item),$secret)), (string)$_REQUEST["signed"]);

if(!$valid){
  die("Invalid token");
}

I just haven't tested it, but I'm sure it will work like a monster =)

The big solution is this... When you have a problem like this, get away from the computer and put your brain to work! And this is the SOLUTION:

Pass something in the URL of the JavaScript, and we have a lot of ways to do it securely.

Now I'm going to try to do something to use POST instead of GET =)

Thank you guys for trying to help.
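The signed-token scheme from this answer, written out as an added example that is not the answerer's code. It differs from the posted snippets in three ways a reviewer would insist on: the HMAC covers the exact base64 string that travels in the URL, so the verifier never re-serialises JSON and cannot disagree with the signer about key order or whitespace; the signature is checked first, with hash_equals(), before anything inside the payload is trusted; and the page binding and expiry are checked after that. The secret and the page path '/search.html' are placeholders. What the scheme proves is that the request carries a token this server issued for that page within the last few minutes, nothing more: the token sits in the page source, so any client that fetches the page can reuse it until it expires.

```php
<?php
// Added example (not from the original answer): HMAC-signed, page-bound,
// expiring token for getdata.php. TOKEN_SECRET is a placeholder; generate the
// real one with random_bytes() and keep it outside the web root.

const TOKEN_SECRET = 'replace-with-a-long-random-secret';
const TOKEN_TTL    = 600; // seconds a token stays valid

// Build the two URL parameters for a given page.
function issue_token(string $page_url): array
{
    $item   = base64_encode(json_encode(['time' => time(), 'token_id' => $page_url]));
    // Sign the encoded string itself; hex output is already URL-safe.
    $signed = hash_hmac('sha256', $item, TOKEN_SECRET);
    return ['item' => $item, 'signed' => $signed];
}

// True only for a token this server signed for $page_url within TOKEN_TTL.
function verify_token(string $item, string $signed, string $page_url): bool
{
    // 1. Signature first, in constant time. Unsigned input is rejected
    //    before any of its contents are looked at.
    $expected = hash_hmac('sha256', $item, TOKEN_SECRET);
    if (!hash_equals($expected, $signed)) {
        return false;
    }
    // 2. The payload is now known to be ours; check its shape, binding and age.
    $raw = base64_decode($item, true);
    if ($raw === false) {
        return false;
    }
    $decoded = json_decode($raw, true);
    if (!is_array($decoded) || !isset($decoded['time'], $decoded['token_id'])
        || !is_int($decoded['time'])) {
        return false;
    }
    if ($decoded['token_id'] !== $page_url) {
        return false;
    }
    $age = time() - $decoded['time'];
    return $age >= 0 && $age <= TOKEN_TTL;
}

// --- on the page that embeds the JavaScript call ---
$token = issue_token('/search.html');
// The base64 item can contain '+', '/' and '=', so it must be URL-encoded.
$ajax_url = 'getdata.php?signed=' . $token['signed']
          . '&item=' . rawurlencode($token['item']);

// --- at the top of getdata.php ---
// if (!verify_token((string)($_GET['item'] ?? ''), (string)($_GET['signed'] ?? ''), '/search.html')) {
//     http_response_code(403);
//     exit('Invalid token');
// }

// Self-check of the pair above (runs without a web server).
assert(verify_token($token['item'], $token['signed'], '/search.html') === true);
assert(verify_token($token['item'], $token['signed'], '/other.html') === false);
assert(verify_token($token['item'], str_repeat('0', 64), '/search.html') === false);
```

Moving the parameters to a POST body, as the answer plans, changes nothing in verify_token(); only the two $_GET reads become $_POST reads.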
