AJAX security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Jeroen Oosterlaar
Forum Commoner
Posts: 37
Joined: Sun Nov 06, 2005 4:12 pm

AJAX security

Post by Jeroen Oosterlaar »

Occasionally I use AJAX to develop certain functionality, such as updating a select component that depends on what is selected in another select component. The JavaScript requests a PHP script with one or more parameters and the PHP script returns the result to the JavaScript. However, the AJAX PHP scripts are accessible directly as well. One only needs to type the URL to the script and that is it. Of course, using strict parameter value validation all kinds of injection attempts can be neutralized. But I was wondering whether there are better ways, since the AJAX scripts are not meant to be invoked directly in the first place and therefore they shouldn't be.

Thanks in advance.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: AJAX security

Post by jmut »

Jeroen Oosterlaar wrote: Occasionally I use AJAX to develop certain functionality, such as updating a select component that depends on what is selected in another select component. The JavaScript requests a PHP script with one or more parameters and the PHP script returns the result to the JavaScript. However, the AJAX PHP scripts are accessible directly as well. One only needs to type the URL to the script and that is it. Of course, using strict parameter value validation all kinds of injection attempts can be neutralized. But I was wondering whether there are better ways, since the AJAX scripts are not meant to be invoked directly in the first place and therefore they shouldn't be.

Thanks in advance.
What problem do you see with scripts invoked directly? As long as you validate all parameters and the script does what it is supposed to do... you should not really care if the interface (HTML page) is used or some other way - the goal is achieved either way.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: AJAX security

Post by Christopher »

Jeroen Oosterlaar wrote: But I was wondering whether there are better ways, since the AJAX scripts are not meant to be invoked directly in the first place and therefore they shouldn't be.
Well, they have to be accessible or they cannot be accessed ... that's the nature of the web, Ajax or no. I suppose you could add some sort of validation parameter to attempt to limit access to only your own Ajax calls.
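As an added example (not code from the thread), here is what the two answers amount to in practice for the dependent-select case from the question: the PHP endpoint validates its parameter against a fixed whitelist, and it also requires a per-session token that the page embedding the JavaScript hands to the request, so a URL typed straight into the browser gets a 403. The token name `token`, the `country` parameter, the city table and the POST requirement are all constructed for this illustration; the endpoint stays reachable, exactly as the reply above says, the token only ties calls to a session that actually loaded the page.

```php
<?php
// Added example, not from the thread: a dependent-select AJAX endpoint that
// (a) strictly validates its parameter against a whitelist and
// (b) requires a per-session token, so stray direct requests are rejected.
// Token name, parameter name and table contents are constructed.

session_start();

// The HTML page that embeds the JavaScript reads this value from the session
// and sends it with every AJAX request (assumed: as a POST field "token").
if (empty($_SESSION['ajax_token'])) {
    $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
}

header('Content-Type: application/json; charset=utf-8');

// Constructed lookup data: country code -> options for the second <select>.
$cities = [
    'nl' => ['Amsterdam', 'Rotterdam', 'Utrecht'],
    'bg' => ['Sofia', 'Plovdiv', 'Varna'],
];

function fail(int $status, string $msg): void
{
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. Accept only the request shape the page's JavaScript actually sends;
//    simply typing the URL in the address bar is a GET and stops here.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'method not allowed');
}

// 2. Token check, compared in constant time. A request that did not come from
//    a page rendered in this session has no valid token and is refused.
$token = $_POST['token'] ?? '';
if (!is_string($token) || !hash_equals($_SESSION['ajax_token'], $token)) {
    fail(403, 'missing or invalid token');
}

// 3. Strict parameter validation: the value must be one of the known keys,
//    so nothing outside the whitelist ever reaches a query or the output.
$country = $_POST['country'] ?? '';
if (!is_string($country) || !array_key_exists($country, $cities)) {
    fail(400, 'unknown country');
}

echo json_encode(['cities' => $cities[$country]]);
```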