I'm calling a php page using .load()
.load('page.php?user='+user+'&page='+page)
if you go to the actual page.php and type page.php?user=1&page=2
you get the same result, how could I stop this from happening?
encrypting data maybe?
Could someone point me in the right direction, cheers.
#lonesomeday,
this answer works for me, yours was correct though:
if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') { it's an ajax request validate id and continue! } else { this is not an ajax request, get out of here! }
submitted by "ifaour"
Ultimately, anything that is accessible using AJAX is accessible without using AJAX. That's the nature of the web.
You can try to ensure AJAX by checking for the XMLHTTPRequest header, but be aware that it can trivially be spoofed by a user who wants to:
if ($_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHTTPRequest') {
// is probably an AJAX request
}
If you are making your request with jQuery, this should be safe, because jQuery adds this header itself. Be aware, though, that some browsers do not add it automatically if you are creating the XMLHTTPRequest object yourself.
Related
I made an ajax call to the php script, which would indicate whether the information input by the user were valid and he would be authorized to sign in.
The thing is I'm not really sure about the session variable. Can that php script save session id variable and pass it onto the next php page, where jquery would redirect me upon successful ajax call?
Or would php itself redirect me using header location?
I hope I made myself clear. It is a theoretical question.
You would set the userid in the session and return a "success" condition back to ajax. the ajax success callback would inspect the returned data to determine if the login was successful and act accordingly (for example, redirect to a logged-in homepage)
You cant not redirect with PHP in this case because the headers are not returned in the http response.
you can set a variable in the response that returns the state of your php proccess.
something like
data = array(
"connect"=>true
);
or
data = array(
"connect"=>false,
"errors"=>"There is an error in your request"
);
then in the success: function you can check if the variable is true or false and redirect if you need to.
success: function(response){
if(response.connect){
//succeded
}else{
//not succeded
}
hope that helps. cheers!
I disagree from #Mijail when he says
You cant not redirect with PHP in this case because the headers are not returned in the http response.
With jQuery (or plain XHR), you can verify if you got a redirection with the response status (one of 3xx) and then use getResponseHeader method from xhr object to get the 'location' header to see where you should be redirected :
success: function(data, textStatus, xhr) {
if(xhr.status > 300 && xhr.status < 400) {
document.location.href = xhr.getResponseHeader('location') || '/';
}
}
This is the right way of doing it when you don't want to replicate your redirection rules on the client side too.
In theory you could do it either way, but without seeing your actual code, it's hard to give a definitive answer.
If you are using jQuery to call your auth PHP script and setting your session in that PHP script, you would likely then just use your JS (Ajax) to redirect to the "protected" area on success (returned from your PHP script with session started).
My site is like this that user opens it and runs index.php, and in index.php there are many ajax calls to other php scripts in same server directory as index.php. Now im using post, but if user comes to know addresses of these other scripts (like from right-click ---> view page source) then he can run those scripts in their browser, which can lead to inconvenience (e.g sometimes causing blank entries to be inserted in to database, just an example). So how do I disable php execution of those scripts from a browser yet ajax can call them?
You can't, at least not reliably (you can use JavaScript to add extra request headers, for example, but the user can observe those requests and add the headers themselves).
Check that submitted data is sane instead. If a submission to add a blank entry comes, throw an error message back.
you should check in php script if it is Ajax Reponse
/* AJAX check */
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
echo 'call from ajax'; //here you have call request by ajax
}
else
{
die("You shouldn't be here");
}
/* not ajax, do more.... *
Source of code
Most of well known JS libraries use this header. If you don't use library you can set this header by your own.
var req = new XMLHttpRequest();
req.setRequestHeader("HTTP_X_REQUESTED_WITH", "xmlhttprequest");
These headers can be set when attacker tampers data but for common guy who wants to access page via browser it will show "you shouldn't be here" message.
Here's what I use to detect AJAX requests:
function isAjax()
{
/* AJAX check */
return (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
}
Please note that this does NOT guarantee detection and can only help stall misguided users, not determined attackers.
For security purposes, I want to stop the users from being able to view or send anything to the php pages I am going to use for ajax purposes.
So is there any way by which I can check whether a page has been called because of an ajax request or the page has been opened?
Does self=top consider ajax request or not?
/* AJAX check */
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
/* special for ajax here */
}
else
{
//its a page request
}
this will only work when using JS frameworks that send this header :-by Bergi
No, you will need an other security model.
Of course you could set custom http headers (like X-Requested-With) or such when you are doing Ajax requests (many libraries do that automatically), and tell them apart from normal "view" requests. But everything can be faked, so there can be no security through determining that.
Even if you do stop people not using a ajax request, what's stopping people from changing the ajax request in the first place?
This would add little to none added security in my opinion especially with the ease this can be done with firebug for example.
I have an action that's meant to be accessed only through ajax. How can I make it give blank output when someone visits the url directly as http://site.com/controller/action? Is there a way that Zend can tell if it's an ajax call or direct url visit?
Edit: I found out about Zend's $this->getRequest()->isXmlHttpRequest(), but I wonder if this can be trusted enough?
There's no way of reliably telling an AJAX request and any other kind of request apart, so no you can't block non-AJAX access.
If you're using jQuery, you can check it like:
if(empty($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest') {
return die('No direct access allowed.');
}
I read that checking the X-Requested-With header of the ajax request is a good way to make sure the request isn't coming from outside. On the server side, how do I check this header? and what's the right way to react of this header is missing or wrong (redirect, throw exception, else)?
You can check it like this...
$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) AND
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
If you are only expecting access via XHR, then just exit if this header is not present.
Note: This header is trivial to spoof. Don't rely on this for anything but it looks like it came from na XHR.
The only sure fire way to ensure that the request came from your site and not someone else's is to issue a unique token to the user and store it in their session. In your code where you make the AJAX request you then need to pass this token back and if it matches the one in their session then you can be sure the request came from your site.
More info:
http://en.wikipedia.org/wiki/Cross-site_request_forgery