Recently I got interested in dynamic execution of scripts. That is, the user clicks a button and the JavaScript part (or any other library attached to it) sends a request to a file with $_GET[] or $_POST[] data. Then PHP (my preference) would execute the function or anything else it has been asked to execute, and the user gets a response, for example "It succeeded". So I went to work on it, and within 30 minutes I managed to get Ajax to execute my commands. Here are the files:

index.php

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<input type="text" placeholder="The square root of" name="thecalc" id="inputing" />

<script>
    // When the input loses focus, POST its value to script.php and alert the reply
    $("#inputing").focusout(function() {
        var formContent = document.getElementById("inputing").value;
        $.ajax({
            url: "script.php",
            type: "POST",
            data: "multi=" + encodeURIComponent(formContent),
            success: function(msg) {
                alert(msg);
            }
        });
    });
</script>

script.php

<?php

if (isset($_POST["multi"])) {
    $toRoot = $_POST["multi"];
    echo pow($toRoot, 2);
}
?>

The script works perfectly fine, of course: if you input a number, you get the root of it alerted to you; if you input a character, it would probably respond with NaN, but never mind, it works, and things like an "integers only" rule can easily be implemented.

Soon though, I realized that if JavaScript is executing on the client side, and so is Ajax, someone can just look up the source files and execute scripts manually. This wouldn't be a problem, because why would someone on my theoretical website take all this effort to execute their own commands like "edit-profile.php" instead of just pressing the button and getting there in no time? I'm more afraid of someone who is not supposed to be a computer, like malware, a mad extension or a virus, that would find out they're on this website, find the vulnerability and then execute, let's say, "delete-account.php", which is not really nice.

There have been people telling me that "I" should create a Flash file which would encrypt this data; they would know where it is going to, but they wouldn't know what the content of the data was. But I'm not a Flash programmer and it's not really my style.

I'd really like to implement such a function on my theoretical website, but I'd also like to keep it secure. I noticed DaniWeb uses this for upvoting/downvoting and editing posts. Is it possible that you could shine some light on it?

diafol:

Ajax should not have any greater or lesser security than somebody typing the URL into their address bar. JS cannot access anything above public, so it shouldn't be too much of a problem?

If you're concerned about something like:

method: 'post', url: '/delete-file.php', ...

you should let server-side sessions ensure that this critical action can only be completed by a logged in user who has sufficient rights.

Anybody can spoof a form, so you can help prevent CSRF by using a token.

Were you after something else?

you should let server-side sessions ensure that this critical action can only be completed by a logged in user who has sufficient rights.

How would I do that? I mean, I can't create a passphrase and give it to AJAX and then say, "give me your username and your session ID", because it's then hijackable.

Ajax should not have any greater or lesser security than somebody typing the url into their address bar.

So, actually, I don't need to worry about anything after all? I can just use Ajax, and it will have the same results as regular PHP file inclusion? I don't need to worry about extra measures of protection for Ajax, between Ajax and PHP, or in PHP?

Are you sure that if I parse input correctly, there are no visible leaks or ways to bypass it? (besides the regular "hacky-do-daddy")

diafol:

I think you're missing the point I'm making, so I'll give an example. The security of your app will be down to PHP, not JS.

Anything that can be accessed through direct URL or Form or any method that can pass info to your server is a potential threat. You validate all input accordingly. You only allow certain actions under certain conditions. You cannot trust any input data, regardless of the method used to transport said data.

For example, say you allowed a user to retrieve a list of his own online bookings for a certain date period; you would probably have something like this:

session_start();

// identity comes from the session, never from the request
if(!isset($_SESSION['user_id'])) exit; //do something other than this

$user_id = $_SESSION['user_id'];
$dateFrom = $_GET['date_from'];
$dateTo = $_GET['date_to'];
$isAjax = isset($_GET['is_ajax']) ? true : false;

//add some validation here for dates before proceed...
// below probably call a require/include file for DB connection

$db = new PDO(...);

// prepared statement: the dates are bound as parameters, not spliced into the SQL
$sql = "SELECT label, evtdate FROM bookings WHERE user_id = ? AND evtdate BETWEEN ? AND ?";
$stmt = $db->prepare($sql);
$stmt->execute(array($user_id, $dateFrom, $dateTo));
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);

if($isAjax) echo json_encode($data);

That's just an example off the top of my head. So for normal forms, you can access the $data array or you could do some sort of header redirect. For Ajax, you just grab the data from the .done() or success function.

Note that security is left to server-side, as it should be.
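As an added example (not code from the thread), here is the state-changing endpoint the original post worries about, a hypothetical delete-account.php, protected the way diafol describes in both replies: the session decides who is acting, and a per-session CSRF token stops a spoofed form or a rogue script from triggering it. Function names, the DSN and the table are assumptions.

```php
<?php
// Added example, not the thread's code. Hypothetical delete-account.php handler.
session_start();

// Token issuance: the page that renders the "delete" button calls this and embeds
// the value (hidden field or JS variable) so the Ajax POST can send it back.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));   // unguessable, per session
    }
    return $_SESSION['csrf'];
}

// Request check: method, login state and token, in that order.
// Returns null when the request may proceed, otherwise a short error string.
function authoriseDelete(array $post, string $method): ?string
{
    if ($method !== 'POST') {
        return 'method not allowed';        // a plain link or GET cannot trigger it
    }
    if (!isset($_SESSION['user_id'])) {
        return 'not logged in';             // identity comes from the session cookie
    }
    $sent = $post['csrf'] ?? '';
    if (empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $sent)) {
        return 'bad token';                 // constant-time comparison
    }
    return null;
}

$error = authoriseDelete($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET');
header('Content-Type: application/json');
if ($error !== null) {
    http_response_code($error === 'method not allowed' ? 405 : 403);
    echo json_encode(['error' => $error]);
    exit;
}

// The account to delete is the session's own user_id, never a value from the request,
// so a forged request can at most delete the account it is already logged in as.
$db = new PDO('sqlite::memory:');           // placeholder DSN, assumed for the example
$stmt = $db->prepare('DELETE FROM users WHERE id = ?');
$stmt->execute([$_SESSION['user_id']]);
session_destroy();                          // the deleted account is logged out
echo json_encode(['status' => 'deleted']);
```

The client side only changes by adding the token to the POST body (for example `data: { csrf: token }` in the $.ajax call); everything that decides whether the action happens stays in PHP.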

I think you're missing the point I'm making, so I'll give an example. The security of your app will be down to PHP, not JS.

Well, the second sentence kind of answers the question :)
