security - How to secure php scripts? -


if have ajax call php script, (using jquery) 

$.ajax(url: "../myscript.php");

and myscript looks this:

<?php     //code db  ?>

i want know how prevent user going example.com/myscript.php execute script.

some answers here give overview of concepts behind question, let me give more pragmatic approach (you should @ least read , understand others matter though!).

you need ask yourself: do app must enforce requests myscript.php should controlled?

if so need use sort of token: create token , send client (browser), browser must send token , check if matches before doing action:

<?php // somefile.php (this file serves page contains ajax call) session_start(); //... $_session['token'] = createnewtoken(); // creates unique tokens  //add token js variable , send in ajax call // you'll have similar this: <script>   var token = <?php echo $_session['token'] ?>;   $.ajax({     url: "myscript.php",     data: form_data, // include token here!     //...   })

and in script:

<?php // myscript.php session_start();  // can check if it's ajax call, if user logged , token:     if (!isset($_session['token')) {   header("http/1.0 403 forbidden");   die("direct access not allowed!"); }  // assuming ajax post though didn't tell if (!isset($_post['token'] || $_post['token'] != $_session['token']) {   header("http/1.0 400 bad request");   die("you didn't provide valid token!"); }  // db

otherwise need check if user logged rest of scripts:

<?php // myscript.php session_start(); // check if logged in user if (!isset($_session['loggedin']) || !$_session['loggedin']) {   header("http/1.0 403 forbidden");   die("you need logged in!"); }  // db

to sum up

using first method allows more controlled access force user send secret (the token, different in every request) normal user won't have (if other user gets token, have bigger problems session hijacking). notice method prevents user opening on multiple tabs / different browsers last token saved. in order avoid have this fantastic answer on so

on other hand, second approach allows (logged) users request directly myscript.php, maybe don't need prevent (if need, use first method). notice here won't have issue of multiple tabs / different browsers you'll check if user logged in.


Comments

Post a Comment

Popular posts from this blog

javascript - Jquery show_hide, what to add in order to make the page scroll to the bottom of the hidden field once button is clicked -

i have button on website when clicked, reveals map. button can seen when page first loads up, when clicked, section holding map slides open , goes out of screen since page loads @ top (normal). want page scroll down bottom of div select when button pushed, if map out of screen. if page scrolled down, , clicks show map button, don't want page jump bottom of map. i tried figure out myself, no luck. seasoned jquery coders able give me guidance? many thanks! map = mapdiv.gmap3("get"); infobox = new infobox({ pixeloffset: new google.maps.size(-220, -310), closeboxurl: '', enableeventpropagation: true }); mapdiv.delegate('.infobox .close','click',function () { infobox.close(); }); jquery(".slidingdiv").hide(); jquery(".show_hide").show(); jquery('.show_hide').click(function(){ lastcenter=map.getcenter(); jquery(".slidingdiv&quo
Read more

javascript - Highcharts multi-color line -

Image
i looking create highchart multi-colored line. if goes down under value, become red, , when comes on value, become green . here picture example: or maybe highcharts have other charts models differentiate high or low level color? you can achieve coloring using lineargradient coloring: color: { lineargradient: { x1: 0, x2: 0, y1: 0, y2: 1 }, stops: [ [0, 'red'], [0.25, 'yellow'], [0.50, 'green'], [0.75, 'yellow'], [1, 'red'] ] } here 0 in stops relates minimum value of series , 1 maximum value, , in between percentages between values. if find percentages according values prior creating chart use correct stops values make relate specific values in data (at least approximately). see this jsfiddle example .
Read more

javascript - Enter key does not work in search box -

tried search guys sorry. input in search box doesnt work (or search) when hit enter when user clicks search button. doing wrong? here code. thanks. <script type="text/javascript"> $(document).ready(function() { $("#submit").click(function() { var url = "http://asla.org/awardssearch.html"; url += "?s=" + $('#googlecse').val(); window.location = url; }); $('#googlecse').keydown(function(event) { if (event.keycode == '13') { $("#submit").click(); } else { //do nothing :) } }); }); </script> <form class="navbar-form navbar-right" role="search"> <div class="search"> <input id="googlecse" type="text" onblur="if(this.value=='')this.value=this.defaultvalue;" onfocus="if(this.value==this.defaultvalue)t
Read more