Javascript Passing inline variables to external : security issue? - php

So I've looked around to try to find some posts on this and there are many but none that address my specific question (that I could find).
So essentially I need to get some data from my database to my external javascript document.
What I am currently doing is something like this...
<?php for (loop through products): ?>
<script>
var $each_image_information = new Array(
"<?php echo $getVariable; ?>",
"<?php echo $getVariable; ?>");
</script>
<?php endfor ?>
And then my external .js file accesses the variable $each_image_information. I realize this is somewhat messy code since these variables are somewhat global - but I'm not sure I know of a possible (with my skillset) alternative.
My real question is if this lends any security holes for the website I am implementing it on. Since these values are echoed from the database to the inline javascript file, can those variables be manipulated?
This may be a foolish question but I have had past experience with SQL injection when I had no idea that those were possible, so I am trying to err on the safe side.
Thanks in advance!

OK, to understand this problem you have to understand that Javascript is client-side. That means anyone can do anything they want on it, so the answer to "can those variables be manipulated?" is a resounding yes! If you want, just go download Firebug, and you can start changing them to the latest Google logo if you want :-)
But, none of that matters, because if a user can mess with their own client-side stuff, that's no security hole. What you need to be worried about is user A getting scary code on user B's client. That is only a problem if user A can pick the file names of these images, because then they can name their image insert scary code here and that code could get run on user B's computer.
But as long as you control the image file names (or just escape any JS in them), you should be all good.

This is what you are doing
Sql -> Php -> Javascript
As long as you are not doing this
Sql -> Php -> Javascript -> Php -> Sql, then you should be fine from an SQL injection point of view.
Javascript variables are ALWAYS modifiable, and if you are using them inside a SQL query you should sanitize them first (mysql_escape_string() or something similar).

So long as you don't provide a path back into your database, you should be fine.
Keep in mind that if you don't have a path back into your database but may have one in the future, you might want to do some obscuration of primary keys on your data; that's always a good idea, just to make sure that your internal database representation isn't exposed.

Related

Is XSS possible with handsontable and no PHP?

My webpage has the php extension, but there is no php code in it. There is handsontable and the user would insert some numbers and get some cool JS effects on the same page. When I was writing the code for comments, I used strip_tags as a protection, but that was working for PHP. Now, I am curious if there is any danger in leaving handsontable as it is?
Well, the question is, can a visitor alter the content in a way that another visitor will load something into their browser that was not intended by the developers? If it's purely client side and if you do not accept any user inputs, I think it's pretty safe. If you have any unused php scripts, remove them.

Using PHP to rename JavaScript variables and functions

I have searched and found another with quite close question but the result was YUI Compressor and I didn't find that useful.
I use php to obfuscate my JavaScript code but it is not enough. I need a php script that I can run that then renames all functions and variables to random names (only letters), of course before I obfuscate.
I have seen a few but they are either standalone programs like Java or something you need to pay for, and I can't use that.
Does anyone know a class or code snippet that might be able to do that?
And if the YUI Compressor actually can do that, can anyone point out some help to how I implement it into php?
After writing this long-winded response I began to wonder why you need to obfuscate javascript code in the first place? Javascript code is by nature public and anyone looking at your page can see the result. If you have secret/proprietary things you need to do, look into something like AJAX or otherwise making a callback to your server to do the processing and have it spit out the results for javascript. Any processing you do in javascript will be visible by anyone. Obfuscating just makes debugging harder, and isn't guaranteed to keep someone from cracking the code.
In general use javascript to control presentation, parse results from a server call into the document, and validate user input. Anything secret you want done, do on the server side where they can't see the exact code that is going on.
And with that off my chest here is my response if you still want to go the renaming route:
I haven't taken the time to Google what a YUI compressor is yet, but what you're describing sounds like you would need to parse any JavaScript and from there go about renaming functions and variables. I see a few issues:
1. If/when your JavaScript uses built-in variable names like document or window and likewise built-in functions like .getElementById(). Those you can't touch or the script can't do what it was meant to do.
2. JavaScripts are executed in the context of the browser and might use functions/variables from other JavaScript files, e.g. an HTML page like
<script type="text/javascript" src="a.js"></script>
<script type="text/javascript" src="b.js"></script>
Since b.js was included after a.js, b.js can refer to and use any functions or variables in a.js thus if you scramble the names you will have to make sure any references made in b.js are updated to your new names appropriately.
Depending on how often you want to do this renaming you have a trade-off between the code being cracked more easily and completely trashing the browser cache:
1. Modify the names just once and keep the results - then browsers will cache the responses correctly and your site should work pretty well; however, since the names are consistent between calls it will be easier for someone to crack the renaming. Though for this solution you don't necessarily need PHP, just any language or script, and run it once.
2. Modify the names per session - probably the best solution and middle of the road, though it would require you to keep extra memory associated with each session as to the name changes, so any requests for new JavaScript files from the same session get renamed as they should (most modern browsers and server settings will allow for caching of the same-named JavaScript file, so as described in point 2, if any functions/variables in a.js are used by another JavaScript file they will have to be updated accordingly).
3. Modify JavaScript files per request - this may require you to disable caching of your JavaScript files, as every request for a page will require downloading new JavaScript file(s) even if the user reloads the same page. This will lower page loading performance considerably (you have to rename all the functions again and generate a new JavaScript file, which is then downloaded by the browser and parsed by it) and also increase bandwidth consumption; however, no two scripts for a page will be alike.
Overall this doesn't seem like a 1-man (or even 2- or 3-man) project that you want to undertake (unless you have a lot of time on your hands, but then things will have changed); there could be something like this out there already, or something close which you could fork and modify to your needs. Essentially I think what you are wanting to do would be more work than it's worth.
I'm not sure why you want to do this, but it seems like a pretty easy task to do manually.
All you need is to write a function that generates random strings, and in your PHP define variables for all the JavaScript functions that you have and have those get assigned random strings. Then just substitute them when you print out your code for the actual JavaScript methods. The only caveat is you need to double check that your random strings aren't ever duplicates. If you can't use numbers (as per your question) then use letters and increment them, appending to the back of your random string. So in pseudo code...
$var1 = generateRandomString(); //custom method to create random string and append unique letter at end to guarantee no duplicates.
$function1 = generateRandomString();
and in javascript...
//variable assignment
<?php echo "$var1='foo'"; ?>;
//function definition
function <?php echo "$function1" ; ?>( myArg ){
alert(myArg); //this will alert 'foo'
}
//calling the function
<?php echo "$function1($var1)" ; ?>
etc.

Is it possible to tell the names of the $_GET variables the page is waiting for?

Hello, I have a question about PHP $_POST and $_GET.
Let's say I have a web page that is expecting $_GET variables.
Are the variable names anonymous?
Let's say index.php has the script of
if( isset( $_GET['somevariable'] ) )
{
rest of the code
}
Is it possible for anyone to find out the name of the $_GET variable the page is waiting for? Or would they have to play the guessing game?
They'd have to play a guessing game if you didn't publish it or it couldn't be inferred from existing links on your site.
Of course, don't put it in robots.txt either.
You cannot see the PHP code without parsing it. So no, you can't get it. But maybe save it somewhere else, i.e. a database?
They can't see your index.php PHP code (let alone the variables) anyways unless they're opening the file directly. They'll only see the HTML.
That's simply impossible.
The only way they can find it is if your server is not processing PHP properly and outputting it as is.
You can however protect your script in many ways like introducing passwords on scripts etc. but your source will have to know that password to use that script. Read more on HTTP auth, realms etc.
In your case, however, they will need to play a guessing game.

PHP: How to prevent direct access to JavaScript files?

I have seen that some web sites have a PHP script to redirect the user to another web page if they try to access JavaScript files directly. How is that done?
Unfortunately, as the previous answers have stated, you can't prevent one from seeing the contents of a JS file; if you could do that, how is the browser supposed to parse it?
The next best thing to do is to "Obfuscate" it using something like http://www.javascriptobfuscator.com/default.aspx
This will convert your human-readable code into a bunch of character codes and obscure function names. The Obfuscator I linked to generates a unique ID and bases its encryption on that ID, making it harder to decrypt.
However, this isn't fool-proof, and someone who really wants to get at your JS, for whatever reason, will do it. Anything you really don't want users to have access to should be done server-side. ;)
No, that's not possible.
There are plenty of ways to get JS files. Nothing helps in protection.
Javascript is meant to be client side. That means it always gets executed on the browser which is local and thus can not be hidden.

Can a simple web form like this get hacked?

Hi I have a web form that sends a string to one php file which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the php file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array.... nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for...... just about anything else. Echoing it, or inserting it into a DB is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though when asking about a "web form like this" you'd better provide the web form, not a link to a question that contains code that can be presumed to be this form's handler.
