I was recently hit by a simple CSRF attack and realized a lot of my ajax scripts are open. These are accessed on my site with $.post().
Is there a way to automatically add a PHP token to all of these or do I need to go through and do it all one-by-one?
Using bwoebi's answer, I found a slightly better solution. jQuery has a built in setup function for ajax.
<script>var token ="<?= $_SESSION['token'] ?>";</script>
<script>
jQuery.ajaxSetup({
data: {
token: token
}
});
</script>
This will add your token to every jQuery request!
An idea would be to replace your $.post function:
jQuery["post"] = function (url, data, callback, type) {
data["token"] = token; // where token is a global variable
// you write in a <script> 'var token = <?php echo $_SESSION["token"]; ?>;'
return jQuery.ajax({ // copied from the jQuery code
url: url,
type: "POST",
dataType: type,
data: data,
success: callback
});
};
So you only have to add this little code after including the jq-lib.
Related
Below is my code and how i submit my data using the Ajax. On first submit, the data is posted successfully, however, when i try again, it fails which i suspect is from an invalid csrf since a new token may be generated. How can i solve this problem ?
$('#icon').on('click', '#test', function() {
var ids = $(this).data('id');
var csrfName = '<?php echo $this->security->get_csrf_token_name(); ?>',
csrfHash = '<?php echo $this->security->get_csrf_hash(); ?>';
var dataJson = { [csrfName]: csrfHash, ids: ids };
$.ajax({
url: '<?php echo base_url('client/data'); ?>',
type: 'POST',
data: dataJson,
}).done(function (result) {
});
});
I have same problem and i solve this by refreshing csrf token. New csrf token get in ajax response form server and replace it old token which is store in form hidden field and when you submit again use the new token.It solve my problem hopes your problem also fixed by doing this, for more use this link https://codeigniter.com/user_guide/libraries/security.html
The solution that worked for me when $config['csrf_regenerate'] = TRUE is that for subsequent ajax post when CSRF is enabled for every request is to make a GET request in AJAX Success when request fails because token has expired. Then have a hidden field that continue to be updated with latest token and if at the time of making request it has expired you make a GET REQUEST to fetch latest TOKEN and then evoke click event on function that submits form or function making POST request which means the function has to be passed "this" or ID as part of parameter.This makes the user not to realize the process of renewing token in the background
I am trying to fetch the contents of an external XML URL, into the javascript's ajax script, but it simply won't accept it, due to CROSS domain issue. I have searched through google regarding this issue, but nothing good so far, everything I've read so far stated that I need to incorporate PHP as well, but with that, the page would take reload.
I simply want that when a user enters a number that number gets passed as an argument in the URL, then displays the XML content in the screen without reloading.
SO any help will be highly appreciated.
Here's my code so far.
<script>
function myFunction() {
$("#dvContent").append("<ul></ul>");
$.ajax({
type: "GET",
url: "http://lx2.loc.gov:210/lcdb?operation=searchRetrieve&recordSchema=marcxml&version=1.1&maximumRecords=1&query=bath.isbn%3D9781452110103",
dataType: "xml",
success: function(xml){
$(xml).find('record').each(function(){
var sTitle = $(this).find('datafield[tag="245"]').find('subfield[code="a"]').text();
var sAuthor = $(this).find('datafield[tag="100"]').find('subfield[code="a"]').text();
var sIsbn = $(this).find('datafield[tag="020"]').find('subfield[code="a"]').text();
$(".mypanel").html(text);
});
$("<li></li>").html(sTitle).appendTo("#dvContent ul");
$("<li></li>").html(sAuthor).appendTo("#dvContent ul");
$("<li></li>").html(sIsbn).appendTo("#dvContent ul");
});
},
error: function() {
alert("An error occurred while processing XML file.");
}
});
}
</script>
How do you keep user login info during ajax post calls back to the server under wordpress and jQuery?
I'm using woocommerce on my wordpress site. I've implemented ajax post actions under jQuery that require the current user's session inside the PHP code. I'm not willing to come up with a custom authentication solution.
As you may know, runnning $.post or $.ajax will have your php code fail on things like if ( !is_user_logged_in() )...
SOLUTION
Here is a simple chunk of code which reads $_COOKIE for the session information on the current user, and creates a ready made callback that jQuery will later use to maintain session context:
//insert somewhere inside functions.php
add_action('wp_head', 'pluginname_ajaxurl');
function pluginname_ajaxurl() {
?>
<script type="text/javascript">
function ajaxSetup()
{
//Return a cookie setup function inserted into the ajax call
return function(xhr, settings) {
<?php
foreach ( $_COOKIE as $key => $value )
echo "xhr.setRequestHeader('$key', '$value');\n"
?>
return true;
};
}
var ajaxurl = '<?php echo admin_url('admin-ajax.php'); ?>';
</script>
<?php
Now your ajax call will look like this:
$.ajax({
type: "POST",
url: '/', //ajaxurl, depending on your ajax hook implementation
beforeSend: ajaxSetup(), //Pass in the cookie information into header
data: {action: 'my_action', some_data: 'info_about_things'},
dataType: "json",
success: function (data) {
if (data.success)
alert("Awesome");
else
alert("Maybe next time");
}
});
Now ajax post will maintain session and login info for the current user inside the custom php action.
I'm trying to implement a simple api request to the SEOmoz linkscape api. It works if I only use the php file but I want to do an ajax request using jquery to make it faster and more user friendly. Here is the javascript code I'm trying to use:
$(document).ready(function(){
$('#submit').click(function() {
var url=$('#url').val();
$.ajax({
type: "POST",
url: "api_sample.php",
data: url,
cache: false,
success: function(html){
$("#results").append(html);
}
});
});
});
And here is the part of the php file where it takes the value:
$objectURL = $_POST['url'];
I've been working on it all day and can't seem to find the answer... I know the php code works as it returns a valid json object and displays correctly when I do it that way. I just can't get the ajax to show anything at all!!
...data: 'url='+encodeURIComponent(url),
I have an application with URLs like this:
domain.com/category1/category2/ etc.
I see that ajax understands the # and can pass the params to my php script. I am wondering if there is a way in ajax to do the following URL:
domain.com/#category1/category2/
If so, is there a function that I can use in jquery to do this? I have seen jquery bbq but im a big confused how this helps me. It feels like there is an easier way, to just remove the hash and pass the remaining url to my php script, then return the page fragment?
How would I set up my php script to return the main page fragment without the header and footer being refreshed? Do I need to detect that # or javascript has been called and then return the relevant fragment?
i am trying it this way but its not posting the Ajax : hasher parameter.
<script>
hasher = document.location.hash;
hasher = hash.replace(/^.*#/, '');
$.ajax({ type: 'POST', url: url, data: {ajax:hasher}, dataType: 'html' });
</script>
<?php
echo $_POST['ajax'];
?>
Am I doing something wrong?
Cheers for any helps
Ke
You can get the hash value (after #) by getting document.location.hash property (this is standard property, not jQuery) and then pass it to the server-side script by calling $.ajax with some param like {hash:document.location.hash} in data.
Am I doing something wrong?
Yes.
You are using hash var in second line instead of hasher.
wrong regexp: you're trying to find anything BEFORE the #symbol, but you have just to remove # from the start of the document.location.hash
Take a look into following example
$('a.submit').click(function(){
var hasher = document.location.hash;
hasher = (hasher.length>0)?hasher.substr(1):'';
$.ajax({
type: 'POST',
url: '/test.php',
data: {ajax:hasher},
dataType: 'html',
success:function(response) {
$('#ajax').html(response)
}
});
return false;
});