How can I write a secure AJAX request? - php

I need to write an AJAX request that is secure, and cannot be accessed through the source code or by any other means. Seeing as AJAX requests are written in JavaScript/jQuery which is client-side, the request can easily be viewed. Is there any way to make AJAX requests invisible to users and unhackable?
Is it somehow possible to write AJAX requests with a server-side language such as PHP? From what I know I understand that PHP is a server-side language, and that you need to write AJAX requests with a client-side language; however, is there a way around this?
Thanks in advance :)

Is there any way to make AJAX requests invisible to users
No. Users can always see what your JavaScript asks their browsers to do.
and unhackable?
The same way as any other request. Use SSL where appropriate. Use Auth where appropriate. Keep data in appropriate places. Pass identification tokens instead of real data where appropriate.
Is it somehow possible to write AJAX requests with a server-side language such as PHP?
No. Ajax is, by definition, a request triggered by client side JavaScript.
You might be able to achieve the effect you want by making an HTTP request from the server instead of using Ajax, but that depends on what effect you actually want.

Related

Javascript to PHP rather than using Ajax?

I need to call a PHP Script and Run (a function) on the Server .. by calling from client side by using Javascript. I know only Ajax Call from Javascript.
Is there any other standardized way to communicate from Javascript to PHP?
Please correct me if I'm wrong. Is XMLRPC another approach?
Nothing that is well supported or practical.
Ajax is just shorthand for "Making an HTTP request from JavaScript without leaving the page".
PHP is heavily geared towards being a server side web language (so it is optimised for being accessed over HTTP). Browsers are focused on accessing content over HTTP.
No, you use an XmlHttpRequest (that is, I assume you don't want the user to experience any sort of page refresh).
To work cross browser easily I'd recommend using a library like jQuery which handles everything for you, everything is nicely encapsulated and abstracted so you don't need to worry about any of the details. That way calling your script becomes extremely easy.
XMLHttpRequest is the best way, as far as I know, but there are other techniques too. There is the old school way some sites still use: using hidden iframes and sending the request through them. You create an iframe with JavaScript, append it with 0 width and height and then request the PHP file. The output must be a script that somehow communicates with the parent window script.

How to only allow calls to PHP scripts from files on my server?

For AJAX on my website, I make calls from a Javascript file to something.php?request=bla. I don't want the user to view the results of this request or even run the PHP file by typing in www.myurl.com/something.php?request=bla. I only want files on my server to be able to call PHP files. There are many things I have considered, such as secret values that get compared in the PHP scripts themselves, but that sounds too complicated for what I want. I am sure there is a simpler way.
How do I make it so that a PHP file can only be run if a script existing ON THE SERVER calls it? Users should not be able to run it using their address bar.
This is fundamentally impossible. Your Ajax request is always coming from the client.
You could in theory check for the HTTP_REFERER header, but as a security measure, this is completely useless. Every aspect of a request (Ajax or not) that comes from the client can be freely manipulated, including the referer field. It is trivial to fake an Ajax request that allegedly was started on your page.
It shouldn't be necessary for you to impose such a restriction in the first place: If you have a security system in place (like a login), that system's restrictions will (or should) apply to Ajax requests as well.
If you have Ajax requests that allow harmful actions (like deleting) without authentication, you will need to add authentication. There is no way you can limit those requests to a certain context or web site.
Use POST for all your AJAX calls, and reject all GET requests. That won't be perfect, but it will be good enough.
As a workaround (only!) you can probe for the X-Requested-With: header. That differentiates real AJAX requests from address bar invocations. You cannot ensure the origin of the request with that.
if (isset($_SERVER["HTTP_X_REQUESTED_WITH"]) && stristr($_SERVER["HTTP_X_REQUESTED_WITH"], "XMLHttpRequest")) {
    // looks like an XHR call; the header is client-supplied, so this is not a security check
}
(You could inject some more obfuscation headers with your $.ajax() calls. But again, that's just making it more cumbersome to fake, not impossible.)

Can resources requested via AJAX be proxied using a PHP-based script?

I was wondering if it's possible for a PHP-based proxy to handle AJAX data.
I'm trying to make one or use a ready-made script.
Thanks!
Yes.
Your client-side javascript can make an AJAX request to a same-domain server side script (e.g. PHP in this example), the PHP script could then make a request to a third-party url, process it however, and then return the result to the original client-side javascript.
If you can provide some additional detail, I, or someone else, may be able to provide a more concrete solution/explanation.
EDIT: See http://developer.yahoo.com/javascript/howto-proxy.html for an excellent explanation of the process.
AJAX Request using PHP as a proxy
AJAX data isn't different from any other kind.

Is there a way to make sure PHP is being loaded only by JS?

Is there a way to make a PHP file so that it can only be loaded and executed by the Javascript code that I write? I.e. can I make sure that someone can't read my JS, load up the PHP page in their browser with their own variables, and make unauthorized changes to my database?
Any help much appreciated.
No.
You can check if $_SERVER['HTTP_X_REQUESTED_WITH'] is set and equals "XMLHttpRequest", but this is just an HTTP header that can be faked.
Javascript just makes standard HTTP requests which can be reproduced in any number of ways. HTTP is a very simple protocol that does not offer the possibility to distinguish between clients in any reliable way. Identical requests are identical. You need to build your user identification and authorization scheme yourself on top of HTTP, it's not part of the protocol. The server needs to decide and enforce what is authorized and what isn't based on rules (that you establish), not on who asked.
Is there a way to make a PHP file so that it can only be loaded and executed by the Javascript code that I write?
Not reliably, no. Any request can be forged on client side. This method is not acceptable to establish security. You will have to use some kind of authentication on server side.
No. It is simple to write a 10-line program in e.g. Python to spoof any user agent. You can not ever trust anything that any user sends you, ever, under any circumstances.
Doing so will bring shame on your entire family, all of your ancestors, and cause your descendants to be forever stigmatized as the offspring of "that guy".
Maybe you can check the request header sent by Javascript. AJAX calls should send this line:
X-Requested-With: XMLHttpRequest
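The answers to this question and to "How to only allow calls to PHP scripts from files on my server?" above make the same point: the X-Requested-With header is a hint, and the actual protection is authentication and authorization enforced on the server. This added example (not code from any answer above) shows a PHP endpoint built that way; the header name X-CSRF-Token, the session keys and the "delete" role are this example's own choices.

```php
<?php
// Added example (not code from any answer above): a PHP endpoint for AJAX calls
// that enforces what the answers recommend, server-side session authentication
// plus a per-session CSRF token, and treats X-Requested-With as a hint only.
// Header name X-CSRF-Token and the session keys are this example's own choices.
session_start();

// Issue or reuse the session token; the page that renders the JS embeds it and
// the $.ajax() call sends it back in the X-CSRF-Token header.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Decide whether this request may run a privileged action. Written over plain
// arrays so the rules can be read (and tested) apart from the globals.
function authorizeAjaxRequest(array $server, array $session): array
{
    // Client-supplied and trivially forged: useful to tell XHR from address-bar
    // loads for a friendlier error page, never as an access control.
    $isXhr = strcasecmp($server['HTTP_X_REQUESTED_WITH'] ?? '', 'XMLHttpRequest') === 0;

    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return [405, 'POST required'];
    }
    // Real controls: a logged-in user ...
    if (empty($session['user_id'])) {
        return [401, 'login required'];
    }
    // ... presenting a token only a page we served to that session could know.
    $sent = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    if ($sent === '' || !hash_equals($session['csrf_token'] ?? '', $sent)) {
        return [403, 'bad CSRF token'];
    }
    // Authorization follows rules about the user, not about who "asked".
    if (!in_array('delete', $session['roles'] ?? [], true)) {
        return [403, 'insufficient role'];
    }
    return [200, $isXhr ? 'ok' : 'ok (not sent via XHR, allowed anyway)'];
}

[$status, $message] = authorizeAjaxRequest($_SERVER, $_SESSION);
http_response_code($status);
header('Content-Type: application/json');
echo json_encode(['status' => $status, 'message' => $message]);
```

A request typed into the address bar fails the POST and token checks regardless of which headers it carries, while a forged X-Requested-With header buys the attacker nothing.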

Possible to use Javascript to get data from other sites?

Is it possible for a web page using Javascript to get data from another website? In my case I want to get it for calculations and graphing a chart. But I'm not sure if this is possible or not due to security concerns. If it is considered a no-no but there is a workaround, I would appreciate being told the workaround. I don't want to have to gather this information on the server side if possible.
Any and all help is appreciated.
Learn about JSONP format and cross-site requests (http://en.wikipedia.org/wiki/JSON#JSONP).
You may need to use the "PHP-proxy" script at your server side which will get the information from the websites and provide it to your Javascript.
The only reliable way is to let "your" webserver act as a proxy. In PHP you can use curl() to fire an HTTP request to an external site and then just echo the response.
You can't pull data from another server due to the same origin policy. You can do some tricks to get around it, such as putting the URL in a <script> tag, but in your case it wouldn't work for just parsing HTML.
Use simple_dom_html to parse your data server side. It is much easier than doing it in JavaScript anyway.
A simple way you might be able to do this is to use an inline iframe. If the web page you are getting the data from has no headers, or you can isolate the data being pulled in (to say an image or SWF), this might work.
Cross-domain JavaScript used to be impossible; using a (PHP-)proxy was a workaround for that.
JSONP changes this entirely: it allows you to request JavaScript from another server (if it has an API that supports JSONP; a lot of the bigger web players like Google, Twitter, Yahoo, ... do), specifying the callback function in your code that needs to be triggered to act on the response.
The response in JavaScript will contain:
a call to a callback function you defined
the actual payload as a JavaScript object.
Frameworks like jQuery offer easy support for JSONP out of the box.
Once you have the raw data you could tie into Google Chart Tools to create graphs on the fly and insert them in your web app.
Also worth considering is support for XMLHttpRequest Access Control, which is supported in some modern browsers.
If the service provider that you are trying to access via a web page has this set up, it is a very simple call to XMLHttpRequest and you will get access to the resources on that site without the need for JSONP (especially useful for requests that are not GET, i.e. POST, HEAD etc.).
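The PHP proxy suggested here and in "Can resources requested via AJAX be proxied using a PHP-based script?" above fetches a third-party URL with curl and echoes the response. This added example (not code from the answers or the linked Yahoo article) shows that proxy with the host allowlist it needs so visitors cannot turn your server into an open fetcher for arbitrary URLs; the host api.example.com and the url query parameter are constructed for the example.

```php
<?php
// Added example (not code from the answers or the linked Yahoo article): a
// same-origin PHP proxy for AJAX that fetches a third-party URL with curl and
// echoes the body. The host allowlist is what separates it from an open proxy,
// which would let any visitor make your server fetch arbitrary URLs (SSRF).
const ALLOWED_HOSTS = ['api.example.com']; // constructed; use your real data hosts

// Accept only absolute https URLs to an allowed host, with no userinfo or port.
function allowedTargetUrl(string $url, array $allowed = ALLOWED_HOSTS): ?string
{
    $p = parse_url($url);
    if ($p === false || ($p['scheme'] ?? '') !== 'https' || !isset($p['host'])
        || isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;
    }
    $host = strtolower($p['host']);
    if (!in_array($host, $allowed, true)) {
        return null;
    }
    return 'https://' . $host . ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Fetch without following redirects (a 3xx to another host would bypass the
// allowlist) and return [httpStatus, body]; 502 when curl itself fails.
function fetchProxied(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $body === false ? [502, ''] : [$status, (string) $body];
}

$target = allowedTargetUrl($_GET['url'] ?? '');
if ($target === null) {
    http_response_code(400);
    exit('URL not permitted');
}
[$status, $body] = fetchProxied($target);
// The body is now served from *your* origin: hand it to JS as data, never as HTML.
http_response_code($status);
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
echo $body;
```

The client-side call stays a plain same-origin XMLHttpRequest to this script, so neither JSONP nor CORS support on the remote site is required.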
