Hi there,
do you have any ideas how I could secure my php files against direct
calls of the functions an ajax script calls? For example if I let my
AJAX script send a request to foo.php and foo.php returns a line of code
the AJAX script usually writes onto my site, how can I avoid that these
Arne-Kolja Bachstein-2 wrote:
do you have any ideas how I could secure my php files against direct
calls of the functions an ajax script calls? For example if I let my
AJAX script send a request to foo.php and foo.php returns a line of code
the AJAX script usually writes onto my site, how
halfer wrote:
Checking the referrer in the HTTP header is about as much as you can do,
although of course this can be faked by individual users. This approach will
prevent other sites using your AJAX service however, as they would be
unlikely to be able to fake the referrer provided by their
Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arne-Kolja
Bachstein
Sent: Monday, February 05, 2007 1:17 PM
To: jQuery Discussion.
Subject: Re: [jQuery] Securing AJAX/PHP against direct calls?
halfer wrote:
Checking the referrer in the HTTP header is about as much as you
On 2/5/07, Arne-Kolja Bachstein [EMAIL PROTECTED] wrote:
But is the referrer still correct when sending it via JS? Is the
referrer the JavaScript file itself then or the web page it is accessing?
You should really, really install Firebug. I know this sounds like an
obnoxious remark that was
Nandi:
I didn't know that, thanks for the info. Yes, a quickly expiring hash would
be a very good protection against this.
arne:
The referrer is correct, and is the page that calls it, not the JS file
itself. Get Firefox + Firebug to see this in action on your favourite
AJAX-powered site -
Yeah, there's no real way to stop ajax requests from being sent, as it's very
easy to get all of the information sent, and spoof anything that is
verified.
On 2/5/07, halfer [EMAIL PROTECTED] wrote:
Nandi:
I didn't know that, thanks for the info. Yes, a quickly expiring hash
would
be a very
Arne-Kolja Bachstein wrote:
Hi there,
do you have any ideas how I could secure my php files against direct
calls of the functions an ajax script calls? For example if I let my
AJAX script send a request to foo.php and foo.php returns a line of code
the AJAX script usually writes onto my site,
You should check out Preventing Unwanted Access to Your API[1] at the Zend
Developer Zone[2]. For a more general overview, you should check out
Cross-Site
Request Forgeries[3] by Chris Shiflett.
Another thing you could do is check for an X-Requested-With header
$_SERVER['HTTP_X_REQUESTED_WITH'] ==
Arne-Kolja Bachstein wrote:
Hi there,
do you have any ideas how I could secure my php files against direct
calls of the functions an ajax script calls? For example if I let my
AJAX script send a request to foo.php and foo.php returns a line of code
the AJAX script usually writes onto my
Hi Arne-Kolja.
The short answer is that if you are running a site that requires users
to authenticate, your ajaxable php URLs need to require the same kind of
authentication that all your other pages do.
If you are running a public site that does not require authentication
there's nothing you