AJAX security

Posted: Sun Oct 01, 2006 2:24 am
by Jeroen Oosterlaar
Occasionally I use AJAX to develop certain functionality, such as updating a select component that depends on what is selected in another select component. The JavaScript requests a PHP script with one or more parameters and the PHP script returns the result to the JavaScript. However, the AJAX PHP scripts are accessible directly as well. One only needs to type the URL to the script and that is it. Of course, using strict parameter value validation all kinds of injection attempts can be neutralized. But I was wondering whether there are better ways, since the AJAX scripts are not meant to be invoked directly in the first place and therefore they shouldn't be.

Thanks in advance.

Re: AJAX security

Posted: Sun Oct 01, 2006 3:06 am
by jmut
Jeroen Oosterlaar wrote: Occasionally I use AJAX to develop certain functionality, such as updating a select component that depends on what is selected in another select component. The JavaScript requests a PHP script with one or more parameters and the PHP script returns the result to the JavaScript. However, the AJAX PHP scripts are accessible directly as well. One only needs to type the URL to the script and that is it. Of course, using strict parameter value validation all kinds of injection attempts can be neutralized. But I was wondering whether there are better ways, since the AJAX scripts are not meant to be invoked directly in the first place and therefore they shouldn't be.

Thanks in advance.
What problem do you see with scripts invoked directly? As long as you validate all parameters and the script does what it is supposed to do... you should not really care if the interface (HTML page) is used or some other way - the goal is achieved either way.

Re: AJAX security

Posted: Sun Oct 01, 2006 3:19 am
by Christopher
Jeroen Oosterlaar wrote: But I was wondering whether there are better ways, since the AJAX scripts are not meant to be invoked directly in the first place and therefore they shouldn't be.
Well, they have to be accessible or they cannot be accessed ... that's the nature of the web, Ajax or no. I suppose you could add some sort of validation parameter to attempt to limit access to only your own Ajax calls.
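Putting jmut's point (validate every parameter, then it does not matter who calls the script) and Christopher's point (a validation parameter that ties the call to your own page) together, here is an added example of what the dependent-select endpoint could look like. It is not code from anyone in this thread; the country/region data, the field names `country` and `token`, and the session key `ajax_token` are assumed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. A dependent-select endpoint
// (regions for a chosen country) written so that it does not matter whether
// it is called from the page's JavaScript or typed into the address bar:
//   1. every parameter is checked against an allow-list before use, and
//   2. a per-session token must accompany the request, so a stranger or a
//      cross-site page cannot drive the script with a victim's cookies.
// The token does not hide the URL (nothing can); it only ties each call to a
// session that has already rendered the page. The data below is made up.

const REGIONS = [
    'nl' => ['Groningen', 'Utrecht', 'Zeeland'],
    'be' => ['Antwerpen', 'Luik', 'Namen'],
];

// Called by the page that renders the first <select>; the value is embedded
// in that page and sent back with every AJAX call (here as the "token" field).
function issue_token(array &$session): string
{
    if (empty($session['ajax_token'])) {
        $session['ajax_token'] = bin2hex(random_bytes(16));
    }
    return $session['ajax_token'];
}

// Constant-time comparison; a missing or malformed token is simply a failure.
function token_ok($sent, $expected): bool
{
    if (!is_string($sent) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $sent);
}

// Allow-list validation: the parameter is only ever used as a lookup key,
// never interpolated into SQL, HTML or a shell command.
function validate_country($value): ?string
{
    if (!is_string($value) || !preg_match('/^[a-z]{2}$/', $value)) {
        return null;
    }
    return array_key_exists($value, REGIONS) ? $value : null;
}

function regions_for(string $country): array
{
    return REGIONS[$country];
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($body, JSON_THROW_ON_ERROR);
}

// Entry point when this file itself is the requested AJAX endpoint
// (skipped when it is merely included by the page that renders the selects).
if (PHP_SAPI !== 'cli' && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    session_start();

    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        respond(405, ['error' => 'POST only']);   // a typed-in URL ends here
        exit;
    }
    if (!token_ok($_POST['token'] ?? null, $_SESSION['ajax_token'] ?? null)) {
        respond(403, ['error' => 'missing or invalid token']);
        exit;
    }
    $country = validate_country($_POST['country'] ?? null);
    if ($country === null) {
        respond(400, ['error' => 'unknown country']);
        exit;
    }
    respond(200, ['regions' => regions_for($country)]);
}
```

With this, a URL pasted into the address bar gets a 405, a form on another site that posts with the victim's cookies gets a 403 because it cannot read the token, and a request with a bogus `country` gets a 400 without the value ever reaching a query. A logged-in user can still call the script with curl using their own cookie and token, and that is the situation jmut describes: because the input is validated and the script only does what it is supposed to do, that is harmless.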