Is ajax post using jquery secured? - php

I would like to ask this because if no quite sure that it secure.
I am planning on changing my page to ajax based registration. So my data will be inserted using jquery ajax post.
But if someone uses firebug and see where my post is being sent, they can use other form of firefox addons to post data on that url and can easily register without going to my page.
Although I can validate the request first where it is comming from though but that would be extra codes and work.
I will also add server validations for my form since someone can register without validation using the direct url that they will see on firebug.
I just wanted to know if there is already a standard procedures in applying ajax based data post.
But with ajax based select / fetch is cool and very useful.
Currently this is what I am planning on doing on my registration page.
validate that all request's must come from my registration page.
might use a transaction / request code
might use cookie
might use session
might use date time comparisson
if validation fails I should have a form validation on server side
to clean my the posted data before inserting to db

Never trust a UI.
Whether you do an Ajax post or a standard post, people can figure out what you are posting and create their own client. Even if you use https, the person controlling the browser can see what is posted and decipher the protocol.
You need to create your service so that it is not vulnerable to a user handcrafting a client.

If a user can use their browser to register on your site via Ajax, they can spoof the registration using some other programming language. There isn't anything you can do to make it so they can only register from your site via Ajax.
You can implement tricks to make it difficult for them to figure out, but you can't make it impossible. They can spoof the referrer, load other pages to get the required cookies/session variables, spoof Ajax request headers etc.

Related

POST to page on website and only accept if data is from the same url?

I'm working on a simple contact form right now that will just post to a /contact endpoint and update a message via ajax if success or failure. I plan on having other forms such as account settings work in this sort of way too so I can avoid having to refresh the page. I'm new to working with ajax and creating my own api's so any help would be awesome.
Basically what I want to do right now is verify that the post request/body is being sent from my website and not an external source. I thought about just checking the url with PHP but I'm not sure if this can be spoofed. Any help would be great, thanks!
One method is to create a unique ID/GUID when the form is created, embed it in the form (hidden field, JS var), and also store it to $_SESSION. When your script is called via AJAX, pass this value in the AJAX call, and then compare it on the server side. That way, you not only know it came from your page, but from the same session.
To check this things security i would pass a hash generated on the client (with certain rules) and check if the hash is valid on the server php endpoint. You can use $_SERVER["HTTP_REFERER"] to check if the domain matches but that can be easily spoofed and sometimes it may actually not even be available. I hope i answered the question. This is what i understood you were asking.

Using PHP to submit a Webform that uses javaScript:submitForm()

I have previously used PHP CURL to submit web forms by using the post URL.
I'm trying to automate the process of logging into a website, I can't change server side code.
The submit button on the HTML form uses the action of javaScript:submitForm() how can I submit information to this form using PHP.
Is CURL still an option?
Thanks!
You'll need to find the function declaration for submitForm and see where it is posting to. Then you can use php and curl to submit.
Edit:
Since the submitForm function doesn't change the form action, you can still use the action in the form tag.
Regardless of how client-side code is crafting the form submit, it still needs to send an HTTP request to the server. If you can do this manually by interacting with the site in question, then capture that request using browser debugging tools (FireBug, Chrome dev tools, etc.). That should have all of the information needed to craft a custom request of your own.
Note, however, that the website in question might have measures in place to prevent something like this. Especially if they're using a framework that handles the form posts for them (such as ASP.NET WebForms or anything like that). They may be emitting a form field to the page which contains a one-time-use token to be validated in the subsequent form submit request. If that's the case, any time you want to craft an automated form submit you'll first need to craft an automated request to parse out that token so you can use it in your submit.
If they take even more involved measures to prevent what you're doing, then you're going to have more of an uphill battle automating it.

How to send custom tracking data to my server from another domain

I am creating a form handling service that will allow users to copy and paste a form action and the service will store the data in a database and redirect to confirmation page on the users website.
What I'm trying to achieve:
I would like to include some analytics on the form such as, time taken to complete each field, form views, form activation etc. I'm guessing this would need some javascript also pasted on the users page that would link to an external script (on my site). But my question is, how would this work in practice?
I can't use ajax as it would be on different domains and I also want as little code as possible to be copy and pasted by the user.
My question is not what specific code I need to use here, rather what approach do I take?
I'm thinking it will be similar to the google analytics snippet that they provide for tracking but im not 100% sure on how that works.
For cross-site requests, there is always the option of using script injection, as used with JSONP. For example, you could use jQuery.getJSON to pass some data as GET parameters to another site. Of course, only being able to do GET requests is a disadvantage. If you want/need to perform post requests, you could wrap your initial request in a web service, which basically converts GET parameters to POST parameters and forwards your request; YQL could do that for example.

redirect to a page on a different server and post parameters to it

I am supposed to capture data from a form and send the data to a url on a different server.For eg:-I have a form on a page at the url http://www.form.com/register.php.
I capture all the data from this form and for some reason need this data to be processed on a page on another server at http://www.thereceivingpage.com/process.php.
As of now I am using headers to redirect with the parameters in the query string something like this:-Header(Location:http://www.thereceivingpage.com/process.php?name=alice&address=a1&address2=a2) but I need to send a larger amount of data which wont happen as GET request. Can anyone suggest a better way where in I can post data rather than the data in the query string ...thanks
Use cURL. If you have to redirect to the site, it gets a bit trickier but you can still do it. You can get the cookie and redirect information back from the site and then do a GET redirect using header.
Can you not update the action to simply post directly to that form? Otherwise, you might want to look into something like curl: http://ca.php.net/manual/en/function.curl-exec.php
You'll pretty much re-use the header redirect syntax with the parameters but instead you'll tell it to be a post.
redirect to a page on a different server and post parameters to it
thanks to internet standards, that's impossible.
if it's third-party site, let user to interact with it directly. do not interfere between them, it smells
If you want to develop secure applications then you should be aware that http://www.thereceivingpage.com/process.php is vulnerable to Cross-site Request Forgery (CSRF), meaning that anyone, from any site, can post form data to process.php.
process.php should be checking for a token (which www.thereceivingpage.com transmitted to the user as part of the form) and should be rejecting form submissions that don't contain the token to prevent submissions coming from anywhere but www.thereceivingpage.com and thus protecting your users from being manipulated into making requests they didn't want to.
In addition to your concern about the size of the GET requests you cause the client to make when redirecting, it's also not a good practice to turn POST requests into GET requests.
The best solution is to completely rethink the notion of delivering a form from one site to be submitted to a different site.
You can manually set headers and send request or you can use curl
see this
http://www.askapache.com/htaccess/sending-post-form-data-with-php-curl.html

Can i make POST after a POST is submitted?

What I'm trying to do is:
I have a form. I submit that form. In the code of the target script I want to make some validations. In a certain case, I want to make a POST to another URL. I don't want to just make a redirect to an URL.
I don't know if this is possible, that's why I'm asking.
I'm working with PHP.
Thanks!
To the people who suggested cURL: Building a request like so will send the data on behalf of the server not the client. I don't think he wants that.
He wants POST forwarding and that, if it were to exist (and I don't think it does), should be implemented by the browser.
What I suggest is to use an AJAX call to make the validation before posting. And then depending on the response you choose the destination for posting (on the client side).
To summarize: You request a validation from the client. You do that validation on the server. You send back instructions to the client. You post according to the instructions received from the server.
I'm not sure if you understand this, but any details of requests made by the user(client) are known in full by him. You can't make him POST to an URL, have a password in that POST, and not have access to that password.
Note: If it's easier you can read JavaScript and PHP instead of client and server.
It is definitely possible. You could use the PHP cURL library to easily create a POST request. But this might be overkill for what you are trying to achieve. Is it a possibiity to do the validation in JavaScript and change the form action attribute with JavaScript after submitting?
In what case would you need to post it to another PHP file.
Couldn't you simply use IF statements to redirect the script to another script depending on the results of the validation?

Categories