PHP - Securing Ajax With A Bespoke Key
Hi,
I want to secure my AJAX routines which use the POST method. I want to prevent people from posting to my method with their own program/script. I have read about making a random seed that the server knows to expect from authorized AJAX sources. What is the basic code for doing this?

Similar Tutorials

I posted this in the CSS forum with no success. Hello all! I have been trying for days to get HTML Purifier to filter my CSS, with no prevail at all. Do you guys recommend any certain way to filter user-inputted CSS style sheets? Any filter to use?

Hello everyone, this is my first post. This isn't just a simple post and leave; I'm looking to expand into this community and learn as much as I can. Well, on to the problem at hand! I decided to start with something simple as a login page and now want to expand it to make it fully functional.

index.html:

```html
<html>
<head>
<title>Deadnode.com</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
<div style="width:150px;height:80px;position:absolute;left:40%;top:35%;margin-left:-135px;margin-top:-50px;">
<div class="sidebox">
<div class="boxhead"><h2>Login Required</h2></div>
<div class="boxbody">
<form method="post" action="check.php">
<center><table>
<tr><td><font face="verdana,arial" size=-1>User:</td><td><input type="text" name="user"></td></tr>
<tr><td><font face="verdana,arial" size=-1>Pass:</td><td><input type="text" name="pwd"></td></tr>
<tr><td><font face="verdana,arial" size=-1> </td><td><font face="verdana,arial" size=-1><input type="submit" value="Login"></td></tr>
</table></center>
</form>
</div>
</div>
</div>
</body>
</html>
```

function.php:

```php
<?php
function check()
{
    // Hard-coded test credentials from the original post.
    $admin = "test";
    $pass  = "test";
    // Logical && (not bitwise &): both the user and the password must match.
    if ($_POST["user"] == $admin && $_POST["pwd"] == $pass) {
        header('Location: output.php');
    } else {
        header('Location: index.html');
    }
    exit; // stop processing once the redirect header has been sent
}
?>
```

check.php:

```php
<?php
require('function.php');
check();
?>
```

This is just the code in its original form; completely functional.
I tried to use start_session() in my check() function. I know I should be using cookies, but I haven't gotten that far yet. Is it possible to use my check function as a way to block pages? I tried inserting the same code that is in check.php onto an HTML page, but I've had no luck with it redirecting back to my index.html page.

Hello,
I am quite new to the PHP and website scene, and I am trying to find the best way to validate and sterilize my $_POST. The way I have come up with is:
```php
$id = filter_var(mysql_real_escape_string($_POST['id']), FILTER_SANITIZE_NUMBER_INT);
```

or

```php
$id  = mysql_real_escape_string($_POST['id']);
$id1 = filter_var($id, FILTER_SANITIZE_NUMBER_INT);
```

Which will be the best way to do it, or is there a better way? Thanks

Edited by AdamHull12, 04 October 2014 - 11:15 AM.

Hey, I'm wondering how to secure my unsubscribe link. Currently the link looks something like this: delete.php?id=6, where the number is the field id of the email address. However, if someone then changed the link to delete.php?id=5, then the email address with the id 5 would be deleted. I have tried doing an MD5, but it doesn't seem to work. Any ideas? I've been trying all day.

Hey everyone, I am new to PHP and I want to learn how to secure a PHP session properly. I wrote a few lines, but I don't know if it's secure enough.

```php
<?php
session_start();
if (isset($_SESSION['exists'])) {
    // Compare against the agent stored in the session; a plain $agent
    // variable would be undefined on every later request.
    if ($_SESSION['agent'] != $_SERVER['HTTP_USER_AGENT']) {
        session_unset();
        session_regenerate_id(true); // must run while the session is still active
        session_destroy();
    }
} else {
    $_SESSION['exists'] = 1;
    $_SESSION['agent']  = $_SERVER['HTTP_USER_AGENT'];
    session_regenerate_id();
}
?>
```

Can anybody help me correct or improve my code? Thanks in advance.

Hey everyone, I am trying to secure PHP includes and I wrote the following lines:

```php
<?php
// Only include the file if it actually exists in the current directory.
$dir = scandir('.');
if (in_array('copyright.php', $dir)) {
    include('copyright.php');
} else {
    echo 'That page could not be found';
}
?>
```

Is this code secure enough? Can anyone help me improve it? Thanks in advance.

Hello, I'm writing an application that will have to interact with my web server, and it will be using PHP to input data into the database and retrieve from it as well. However, I'm not sure what is the best approach to securing my database from people sniffing while using my application. The only thing I can do that is coming to mind is to use a unique key as a password and have one of my GET vars be that password, but that is easily sniffable.
What can I do to secure my database and prevent people from filling up my databases if they sniff out my password key? Is there any kind of encryption I can use that will defeat this?

I was told that my login page could easily be manipulated to set themselves as my username (Mod Justin), giving them powers. How can I further secure my website's use of cookies?

Quote: I just visited your site as you - Mod Justin, simply by setting a 'user' cookie for your domain with your username in it. Your login code is NOT effective at stopping anyone or any bot script from impersonating any of the users, even impersonating you.

My login code: http://pastebin.com/cBLybGKq

Any possible solution to this?

I've just gotten back into re-learning web development. I have created a contact form; however, my server is forcing me to use SMTP, which will require me to have a config include with my details inside. How do I ensure nobody can open the files in the browser? I have heard of putting the files outside of the webroot or using htaccess files; however, the passive-aggressive answers I got from Stack Overflow didn't tell me HOW to implement them. The files are: Form.HTML, Bin/config.php, Bin/mail.php. Any help is appreciated.

I tried searching but came up empty-handed, hoping you guys can give me some assistance. I have a login script that I would like to lock down a little from flooding. What is the easiest way to do this? Something that will restrict the IP if the script encounters x amount of failed attempts in x amount of minutes. Thanks!

Hello, I wish to secure the PayPal form button. As my button is used on a subscription website, I don't want people changing the parameters, and the code needs to be hidden from peering eyes with Firebug, for instance. I have heard that you can pass the data to PayPal, be given a CMD URL in return, and simply forward the user to such a URL. Anyone know of this? Or another method?
The button manager is not acceptable as the values will change in the hidden fields. George.

Hi, my website offers the users to buy the videos. But the hackers are stealing my video links through view source. So is there any option to hide my video links in view source and Firebug etc.? My videos are coming from Amazon, and we are using JW Player to play the videos. The methods I have tried:

1) Encode and decode the URLs; still the embed tag displays the complete path in Firebug.
2) Amazon provides signed URLs (temporary URLs); still have some problem in this.
3) Call the video through an AJAX call; still the complete HTML code will be displayed in Firebug.

Please check here; I have attached the Firebug sample of how it displays the code. Here we can find the complete video path in the file: attribute in the embed tag. Is there any way to hide the URLs?

I am building an e-commerce site and have a security question. My payment gateway has given me a "Log-In ID" and "Transaction Key" that I use to log in to their server to submit payments. What is a *reasonable* way to protect this information? I have a VPS with root access, although I'm relying on using sFTP and the Plesk Control Panel since I don't know SSH yet. Can I just store my "Log-In ID" and "Transaction Key" in a PHP file outside of my web root and include it? Would that be secure enough for now? Thanks, Debbie

If I store a value in a hidden form control, and then use that as a means to pass the value to another PHP script, could that cause any security issues?
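Three of the questions above come down to the same problem: a bespoke key the server expects only from its own AJAX calls, an unsubscribe link whose id the visitor can edit, and a value carried in a hidden form control. One server-side answer to all three is a keyed hash, shown here as an added example that is not code from any of the posts; SECRET_KEY, sign_value(), ajax_key() and the other names are my own assumptions, not a library API.

```php
<?php
// Added example, not from the posts above. An HMAC lets the server hand a
// value to the browser (hidden field, link parameter, AJAX key) and detect
// any change to it when it comes back. All names here are assumptions.

// Constructed placeholder; in real use load a long random secret from a file
// outside the web root rather than writing it into the script.
const SECRET_KEY = 'PLACEHOLDER-replace-with-bin2hex(random_bytes(32))';

// Signature over a value, bound to a purpose so a signature minted for one
// form or link cannot be replayed on another.
function sign_value(string $value, string $purpose): string
{
    return hash_hmac('sha256', $purpose . "\0" . $value, SECRET_KEY);
}

function verify_value(string $value, string $purpose, string $sig): bool
{
    // hash_equals() compares in constant time, so timing reveals nothing.
    return hash_equals(sign_value($value, $purpose), $sig);
}

// Unsubscribe link: delete.php?id=6&sig=...; editing id to 5 breaks sig.
function unsubscribe_link(int $id): string
{
    return 'delete.php?id=' . $id . '&sig=' . sign_value((string) $id, 'unsubscribe');
}

// Per-session AJAX key: minted once, written into the page by the server and
// sent back by the page's own JavaScript. A script running elsewhere cannot
// read the page, so it has nothing valid to send.
function ajax_key(): string
{
    if (empty($_SESSION['ajax_key'])) {
        $_SESSION['ajax_key'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_key'];
}

function ajax_post_is_authorised(array $post): bool
{
    return isset($_SESSION['ajax_key'], $post['key'])
        && hash_equals($_SESSION['ajax_key'], (string) $post['key']);
}

// Walk-through with constructed values (run from the command line).
session_start();
parse_str(parse_url(unsubscribe_link(6), PHP_URL_QUERY), $q);
var_dump(verify_value($q['id'], 'unsubscribe', $q['sig']));  // link as issued
var_dump(verify_value('5', 'unsubscribe', $q['sig']));       // id edited by the client
var_dump(ajax_post_is_authorised(['key' => ajax_key()]));    // the page's own key
var_dump(ajax_post_is_authorised(['key' => 'made-up']));     // a key from elsewhere
```

The signature only proves the value left the server unchanged; delete.php still has to check that the signed id belongs to the person unsubscribing before acting on it.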
This topic has been moved to Application Design. http://www.phpfreaks.com/forums/index.php?topic=346762.0

This topic has been moved to Ajax Help. http://www.phpfreaks.com/forums/index.php?topic=358932.0

Right now I redirect to the index page after I delete a record. However, I am looking to make it so that I can delete a record without redirecting the page. I know this can be accomplished using AJAX. I have spent countless hours before trying to make it work, but it did not work.
So here is a basic setup I created. Can you please update it with ajax code so that I can see how it's done properly?
```html
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Home Page</title>
</head>
<body>
<div class="record">
<a href="record.php?id=<?php echo $record_id ?>"><?php echo $record_name; ?></a>
<div class="delete-record">
<a href="delete.php">Delete Record</a>
</div>
</div>
</body>
</html>
```

Edited by man5, 18 August 2014 - 08:55 PM.

Now I'm having this strange issue with my website. I'm currently working on a tester system and I've encountered a problem that I'm unable to find the cause of, though I'm thinking the AJAX/PHP part of the script is the thing causing it, even though it seems strange that it would. The first part, which is connected to where the problem occurs, is the echo "<form>"; and from there it should take you to index.php?page=tester&select=answer. Now, in the browser it does go there, though it still shows the page stuff from the last page, which is index.php?page=tester&select=applications, so it's like showing both &select=answer and &select=applications on the same page.

```php
<?php
// Only an integer id is expected; casting it keeps it from altering the query.
$q = (int) $_GET["q"];
include '../config/connection.php';
$result = mysql_query("SELECT * FROM applications WHERE id = '$q'");
echo "<center><table border='1'>
<tr>
<th>Account Name</th>
<th>Character Name</th>
<th>Gender</th>
<th>Skin Color</th>
</tr>";
$row = mysql_fetch_array($result);
echo "<tr>";
echo "<td>" . $row['name'] . "</td>";
echo "<td>" . $row['charactername'] . "</td>";
echo "<td>" . $row['gender'] . "</td>";
echo "<td>" . $row['race'] . "</td>";
echo "</tr></table></center>";
echo "<br/>";
echo "<table><tr> <th>Description</th> <th>Metagaming</th> <th>Powergaming</th></tr>";
echo "<tr>";
echo "<td><textarea readonly='readonly' style='width:22em; height:20em;'>" . $row['description'] . "</textarea></td>";
echo "<td><textarea readonly='readonly' style='width:22em; height:20em;'>" . $row['mg'] . "</textarea></td>";
echo "<td><textarea readonly='readonly' style='width:22em; height:20em;'>" . $row['pg'] . "</textarea></td>";
echo "</tr></table><table><br/><center><h1>Answer</h1><br/><form action='index.php?page=tester&select=answer' method='post'>";
echo "<textarea name='why' style='height:10em; width:60em;'></textarea><br/>";
echo "<input type='submit' name='answer' value='Accept' />";
echo "<input type='submit' name='answer' value='Decline' /></center>";
echo "<input type='hidden' name='id' value='$q'/>";
echo "</form></table>";
?>
```

Now on &select=answer it includes a page whose script consists of the stuff below; it outputs that the query was successful, and all that.

```php
<?php
if (!empty($_POST['why'])) {
    $why    = mysql_real_escape_string($_POST['why']);
    $answer = trim($_POST['answer']);
    $id     = (int) $_POST['id']; // integer only, so it cannot alter the query
    if ($answer == "Accept") {
        $query1 = mysql_query("UPDATE characters SET accepted = '1' WHERE id = '" . $id . "'");
        echo "Successfully accepted";
        $answer = 1;
    } elseif ($answer == "Decline") {
        echo "Successfully declined";
        $answer = 0;
    }
    $tester = mysql_real_escape_string($_COOKIE['Username']);
    // Assignments in SET are separated by commas; joining them with AND turns
    // the list into a single boolean expression assigned to 'answer'.
    $query = mysql_query("UPDATE applications SET answer = '$why', tester = '" . $tester . "', accepted = '$answer', answered = '1' WHERE cid = '" . $id . "'") or die('Could not connect: ' . mysql_error());
    if ($query) {
        echo "<br/>Query went through without problems";
        header("Refresh: 5;url=index.php?page=tester");
    }
}
?>
```

This is the AJAX (JavaScript) part of it, which gets the information for index.php?page=tester&select=applications:

```html
<script type="text/javascript">
function showApplication(str) {
    if (str == "" || str == 0) {
        document.getElementById("txtHint").innerHTML = "";
        return;
    }
    var xmlhttp;
    if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    } else { // IE6 and older
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            document.getElementById("txtHint").innerHTML = xmlhttp.responseText;
        }
    };
    xmlhttp.open("GET", "tester/applications.php?q=" + encodeURIComponent(str), true);
    xmlhttp.send();
}
</script>
```

If you need any more information, feel free to ask for it. Thanks in advance.

Hello, I've been trying this for hours now, looking at different examples and trying to change them to work for me, but with no luck... This is what I am trying to do: I have a simple form with:

- 1 input field, where I can enter a number
- 1 Submit button

When I enter a number into the field and click submit, I want that number to be sent to the PHP file that is in the AJAX call; then the script will take that number, run a bunch of queries and return a new number. I want that new number to be used to call the PHP script via AJAX again, until no number is returned, or something else is returned like the word "done" or something like that, at which point it simply makes an alert or populates a div with a message... The point is that, depending on the number entered, it could take up to an hour to complete ALL the queries, so I want the script that is called to only run a fixed amount of queries at a time and then return the number it is currently at (+1), so that it can continue with the next number when it is called again. I would like to use jQuery, but it could also be any other way, as long as I get this to work.
I already have the PHP script completed that needs to be called by the AJAX; it returns a single number when being called. Thank you, vb

As the title says, I can not for the life of me get the "$bank" content to display, no matter HOW much I try... Does anyone see any errors? I am sooooooo wiped out at this!

main page:

```php
<?php
$body = '
<script type="text/javascript" src="change-content.js"></script>
<div id="addSold">
<form action="' . $_SERVER['REQUEST_URI'] . '" method="post" name="form" autocomplete="off">
<fieldset id="Vehicle">
<legend>Vehicle</legend>
<ul>
<li><label for="Year">Year</label>' . $Year . '</li>
<li><label for="Make">Make</label>' . $Make . '</li>
<li><label for="Model">Model</label>' . $Model . '</li>
<li><label for="Trim">Trim</label><input type="text" name="Trim" id="Trim" size="10" value="' . $trim . '" disabled="disabled"></li>
</ul>
<ul>
<li><label for="Mileage">Mileage</label><input type="text" name="Mileage" id="Mileage" size="5" maxlength="6" value="' . $row['mileage'] . '"></li>
<li><label for="VIN">VIN</label><input type="text" name="VIN" id="VIN" size="23" maxlength="17" value="' . $row['vin'] . '" disabled="disabled"></li>
<li><label for="Color">Color</label>' . $Exterior . '</li>
</ul>
</fieldset>
<fieldset id="Deal">
<legend>Deal</legend>
<ul>
<li>
<label for="soldDte1">Date</label>
<input type="text" name="soldDte1" id="soldDte1" size="1" maxlength="2" onkeyup="return autoTab(this, 2, event)" value="08"> /
<input type="text" name="soldDte2" id="soldDte2" size="1" maxlength="2" onkeyup="return autoTab(this, 2, event)" value="30"> /
<input type="text" name="soldDte3" id="soldDte3" size="1" maxlength="2" value="' . $year . '">
<a href="#"><img id="date_' . $row['stock'] . '" src="images/Icons/dateOff.png" onfocus="this.select();lcs(this)" onmouseover="MM_swapImage(\'date_' . $row['stock'] . '\',\'\',\'images/Icons/dateOn.png\',1)" onmouseout="MM_swapImgRestore()" alt="Choose Date"></a>
</li>
<li>
<label for="salesman">Salesman</label>
<select name="salesman" id="salesman">
<option></option>
' . $salesmen . '
</select>
</li>
</ul>
<ul>
<li>
<label for="dealType">Deal Type</label>
<select name="dealType" class="select-content" onchange="getFile(this.value)">
<option></option>
<option value="AL">Auto Loan</option>
<option value="Cash">Cash</option>
<option value="CAC">Credit Acceptance</option>
<option value="IH">In House</option>
<option value="SAL">Sensible Auto</option>
</select>
</li>
<li>
<label for="tradeDrop">Trade</label>
<select name="tradein" id="tradeDrop" onchange="show_hide_trade(this.value);">
<option value="No">No</option>
<option value="Yes">Yes</option>
</select>
</li>
</ul>
</fieldset>
<div id="Bank" class="view">' . $bank . '</div>
</form>
</div>
';
?>
```

get_Bank.php:

```php
<?php
if ($_GET['dealType'] == "AL") {
    $bank = '
<fieldset id="AL">
<legend>Auto Loan Figures</legend>
<ul>
<li><label for="price">Price</label><input type="text" name="price" id="price" class="price" size="7" onchange="currency(this)"></li>
<li><label for="down">Down</label><input type="text" name="down" id="down" class="price" size="6" onchange="currency(this)"></li>
<li><label for="tax">Tax</label><input type="text" name="tax" id="tax" class="price" size="6" onchange="currency(this)"></li>
<li><label for="reg">Plates</label><input type="text" name="reg" id="reg" class="price" size="4" onchange="currency(this)"></li>
<li><label for="gap">Gap</label><input type="text" name="gap" id="gap" class="price" size="4" onchange="currency(this)"></li>
</ul>
<ul>
<li>
<label for="pymtNum">--------------- Payment ---------------</label>
<input type="text" name="pymtNum" id="pymtNum" size="3" maxlength="3" onkeyup="return autoTab(this, 3, event)"> @
<input type="text" name="pymtAmnt" id="pymtAmnt" class="price" size="5" onchange="currency(this)"> per
<select name="pymtType">
<option value="Weekly" selected="selected">Week</option>
<option value="Monthly">Month</option>
</select>
</li>
<li><label for="APR">APR</label><input type="text" name="APR" id="APR" class="rate" size="6" value="19.00"></li>
</ul>
</fieldset>
';
} elseif ($_GET['dealType'] == "CAC") {
    $bank = ' Credit Acceptance stuff goes here ';
} else {
    $bank = 'You must choose a bank before continuing';
}
// The AJAX caller reads the response body, so the fragment has to be
// output here; assigning $bank alone sends back an empty response.
echo $bank;
?>
```

change-content.js:

```javascript
window.onload = init;

// finds all <select> tags with class="select-content" and activates the function
function init() {
    var sel = document.getElementsByTagName("select");
    for (var i = 0; i < sel.length; i++) {
        if (sel[i].className == "select-content") {
            sel[i].onchange = function () { getFile(this.value); };
        }
        sel[i].selectedIndex = 0;
    }
}

function getFile(dealType) {
    var url = "AJAX/get_Bank.php?dealType=" + encodeURIComponent(dealType);
    var xmlhttp;
    if (window.XMLHttpRequest) { xmlhttp = new XMLHttpRequest(); }
    else { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
    xmlhttp.open("GET", url, false);
    xmlhttp.send();
    // The target is the div with id="Bank" (ids are case-sensitive, so "bank"
    // never matched); leave its id alone so the next change can find it again.
    var target = document.getElementById("Bank");
    if (target) {
        target.innerHTML = xmlhttp.responseText;
    }
}
```