I'm working on a small Restful API, which will show users current weather conditions in their location in the header of the page. There will be a GET query sent to the server via Ajax to a link similar to this:
https://test.com/weather/{required location}
Test.com represents my link which further queries either the database or external APIs. It responds with JSON and they will see the weather for their location. The problem that I have is if that link is accessed directly, it just prints the output, so potentially it could get farmed.
The question I have is how can I implement some sort of logic where if the the page is accessed via ajax from test.com, the output is JSON as needed. Any other ways to access that link will display a blank or custom page with JSON hidden?
Also, as I am new to API and Ajax work, are there any other security means I need to be aware of?
I'm using jQuery, php and mysql.
Thanks
I just found a partial solution myself, using Dontfeedthecode's idea of utilising $_Server varialbes. The one that is suitable is $_SERVER['HTTP_X_REQUESTED_WITH'].
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
echo 'JSON RESPONSE HERE';
} else {
echo 'ALTERNATIVE PAGE HERE';
}
Found out that when Ajax query is sent with 'X-Requested-With: XMLHttpRequest' header according to this. So if we look for the header, we can find out how to treat it. However, from my understanding this will not prevent potential farming.
I will further investigate Dontfeedthecode's response to see if I can get it to work against farming.
You can check $_SERVER['HTTP_HOST'] against allowed domain names.
Taken from: PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?
$allowed_hosts = array('foo.example.com', 'bar.example.com');
if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_hosts)) {
header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request');
exit;
}
This may be a duplicate of:
Prevent Direct Access To File Called By ajax Function
Related
when use GET Method for receive JSON data , we can acsses the result directly from web browser , for example i send a mydata value from ajax to a main.php file and it process and get answer show a result some thing like below :
<?php
if (isset($_GET["mydata"])) {
if ($_GET["mydata"]=="hello"){
echo "hello world";
}
}
?>
but when a user call it in browser directly like http:mysite.com/mydata.php?mydata=hello recive answer . i want dont allow users to get answer of http request directly , and just can show it from ajax result of main page is it possible ?
You're asking how to prevent an ajax-only request from being accessed directly by copy-pasting the URL into the web browser; that is, only allowing the URL to be accessible via ajax on the main web page.
Well, there are a few things you can try:
Check the Referrer for the URL of the main page with $_SERVER['HTTP_REFERER']
Set a header in Javascript using xhr.setRequestHeader() and then ensure it's value by checking for $_SERVER['HTTP_X_....'] in PHP
Like Jay Bhatt recommended, check for the X_REQUESTED_WITH header, but be aware this might not always be set (see: X-Requested-With header not set in jquery ajaxForm plugin)
However, in any of these situations you should be aware that anyone who knows what they are doing can easily set any HTTP header, variable, or even modify the referrer which is sent to the server. As such, there is no 100% guarantee that your resouce can be accessed only via AJAX on the main web page. There is no control built in the internet to verify where a request is coming from, so anyone can easily spoof or fake it.
Is it possible to include some message in a PHP header:
header("Location: http://somesite.com");
header("Message: hello");
then on site.com:
$message = some_function(); // "hello"
I am currently using a $_GET parameter in the URL, but looking for an alternative, maybe sending a $_POST?
I'm trying to not use $_GET, or use cookies (I know, those are the best ways..)
It sounds like you are wanting to send some extra data to the page you are redirecting to. No, this isn't possible outside of the query string. You should understand what is happening here.
When you send a 302 or 301 status code along with a Location: header, the browser sees this and then makes a separate request to the URL specified by the Location: header. The server isn't sending anything to that page. It's almost as if the user simply typed in that new URL in their browser.
I say almost because in some circumstances, there is a referrer set by the browser. This isn't guaranteed though.
What you can do is send some sort of token that contains more information. Perhaps your page saves off a message in a database or something, and then you pass the ID in the query string of the URL you're redirecting to.
Also, if you set session/cookie data and you're redirecting to something on the same domain, you can read that information on the page the user eventually lands on.
In addition to what Brad suggested, you can also send some info using # in the url without affecting the query string and then capture it with js.
header("Location: http://somesite.com#success");
in js:
if(window.location.href.indexOf('#success')>0) {
alert("operation successfully completed");
}
This question addresses the security / user end side of things.
Suppose I have a script that is called via ajax which will add something to a database.
The script checks for the request method. If it is from 'POST' then the script will carry out this function.
I do not want users accessing my pages and either getting an error or a blank page.
What is the 'ideal' way to deal with this?
My current plan is as follows: If it is not a POST method, redirect them to an error page in the same way as a 404 handler and then provide some links for elsewhere.
Returning a 400 Bad Request is a pretty standard way to indicate that the user got there without the proper data that's needed.
if(!isset($_POST)){
header("HTTP/1.0 400 Bad Request");
}
On top of that, you should spend some time investigating doing some cross site request forgery protection (CSRF) if you want to make sure only your UI posts to that page.
Try this, i use it in all my pages called via ajax:
if ($_POST['ajax'] == "ajax") { // You need to set this is your post ajax variables sent to this php file.
// all your code here
} else {
// Not needed for a blank page, or whatever you want for another page ie
header ("location: 404.php");
}
In my test.php file, I sent a request to a Flickr app I have using
header("Location: " . $request);
where $request is the URL that I am trying to reach on Flickr.
For my Flickr app, I have to set a callback URL. When Flickr is done with processing my request, it will call the callback URL.
I would like the callback URL to be my original page, test.php. When I try this, I get stuck in an infinite loop, because test.php is re-sending the request back to Flickr, and Flickr calls my test.php again (repeat ad infinitum until the browser quits).
Is there a way to put some kind of conditional in test.php to check if the request came from Flickr, or at least some way to let the script know that the request has been sent, so don't send it again.
I've already tried it where I changed the callback URL to another page of mine, and that works fine. I'm just seeing if I could re-use the same page.
Its ugly.
The two posted solutions won't work because:
The referer isnt changed on redirect (well it is cleared if its a http meta redirect, but not if its a header redirect. but it doesnt become something else so easy).
Putting exiting after a sent header is generally a good idea if there is something else normaly executed afterwards, but its not related to the problem.
Simply put, if it should be the SAME page, you need to to store in a file or database or something the redirect counts per ip adress/user and break or something but NONE of this is really reliable. You can make it more secure by having a secured token that cannot be reverse engeneered etc but all this doesn't make sense. You could also use cookies. Which is just as unreliable as well.
Regarding your problem, flickr does NOT redirect back to the samep age.
Regarding to their specifications they append ?frob=[frob].
http://www.flickr.com/services/api/auth.spec.html
Check for that:
<?php
if(!isset($_GET["frob"])) {
header("Location: " . $request);
exit();
}
?>
try checking the referer with the $_server['HTTP_REFERER']
[Edited]
I just wanted to say that, you should try adding if condition
// just and example, use some regular expression to check the refere
if($_SERVER['HTTP_REFERER'] != http://flicker.com){
header("Location: " . $request);
}else{
// another code
}
Thanks
As an alternative to checking for the (non-)existence of $_GET["frob"], couldn't you set the callback url in Flickr to be www.mysite.com/test.php?from_flickr=1 and then do
if (!$_GET['from_flickr']) {
header('Location: '.$request);
exit;
}
one of my php page returns data like this:
<?php
//...
echo "json string";
?>
but someone else use file_get_contents() to get my data and use in other website.
can anybody tell me what can i do to prevent such thing happen.
i consider if i can get the request's domain name to echo something else.but i dont know
the function to get request's domain name.and if the request is sent by a server,that
will be unhelpful. My English is poor, to express doubts, please bear with.
you can also use sessions. if somewhere in your application, before the user gets the json data, you start a session, then in this page where you are outputting json data, you can check for the session variable. this way only users that have passed the session generator page, can view your output.
suppose you have page A.php that generates the session. use this code before outputting anything in this page.
session_start();
$_SESSION['approvedForJson'] = true;
then in your page where you are outputting json data, before outputting anything, call session_start() again. the beginning of your PHP code is a good place to call it.
then before outputting the json data, check if the session variable for approved users exists, or not.
if ( isset($_SESSION['approvedForJson']) && $_SESSION['approvedForJson'] ) {
echo "json data";
} else {
// bad request
}
You can use $_SERVER['REMOTE_ADDR'] to get the address of the client address. You can also check $_SERVER['HTTP_REFERER'] and block external requests that way, but it's less reliable. There's probably a few other techniques involving $_SERVER that you can try.
Your fighting an uphill battle here. I am assuming your serverside process that responds in json is being consumed via javascript in your users browsers... so there is no easy way to encrypt it. You might try some of the techniques used to prevent xspf (see http://en.wikipedia.org/wiki/Cross-site_request_forgery ). If you developed the client to pass along some session token that is uniq per client you could reduce some of the problem. But, chances are whoever is stealing your data is gonna figure out whatever mechanism you put in place ... assuming this is some sort of ajax type thing. If its a server-server thing then as sli mentions, setting up some restrictions based on the remote ip would help, plus setting up some sort of API authentication tokens would help even more (see oauth for some pointers)
You could also using .htaccess with apache block every external request to the page if it get's called internally or block every request that is not from your domain:
Google search thingie
EDIT
You could also use some php file which includes the file which can not be read. So for example you have file.php:
<?php
$allowedFiles[] = 'somefile.php';
$allowedFiles[] = 'someotherFile.php';
$allowedFiles[] = 'jsonReturnFile.php';
if(in_array($_GET['file'], $allowedFiles)){
include( "include/".$_GET['file'] );
}
?>
Then you can allow file_ get _contents() on that file and write a rewriteRule in your .htacces to disallow any request to the include/ folder.
RewriteRule include* - [F,NC]
That will return a 403 forbidden error for a request to that directory or any file in the directory.
Then you can do you JSON request to something like: file.php?file=jsonReturnFile.php&someothherParamReadByJsonFile=1
And when someone tries to get the file contents for the JSON file they will get the forbidden error, and getting the file contents for the include.php won't return anything usefull.