www.webdeveloper.com
Results 1 to 7 of 7

Thread: Prevent calls from external domains? Is it possibile without sacrificing AJAX use?

  1. #1
    Join Date
    Jan 2013
    Posts
    82

    Exclamation Prevent calls from external domains? Is it possibile without sacrificing AJAX use?

    The question is simple.. I've created a register FORM that calls register.php file passing parmas througth AJAX. I've applyied some restrictions to the form compilation, such the necessity of a regular email address, regular name, and regular acceptation of terms and conditions.. After that i memorize data into my daabase

    But what i thinking is that someone calls the register.php file (for exemple, creating his own form), he could send invalid data tainting my database with invalid data... Is it possible to avoid it? A solution could be to add other controls about the data regularity inside the php file before memorize it into the database.. But it would be only an escamotage..

  2. #2
    Join Date
    Apr 2013
    Posts
    5
    That would not be enough to make it all protected. A guy can walk right into YOUR form, disable javascript and override all your protections and still send invalid data with the simple debugging tools readily available to common users and included with most modern browsers. Without it being from an external domain.

    To be sure, you need to perform server-side checks before adding things into the database. Never trust the information the client is giving.

  3. #3
    Join Date
    Jan 2013
    Posts
    82
    Ok thanks for the suggestion!

    I have a doubt... Php file can be accessed from external domains? In other words, the php file that inserts data into the DB can be called from a different domain? There is a way to prevent it?

  4. #4
    Join Date
    Apr 2013
    Posts
    5
    Quote Originally Posted by American horizo View Post
    Ok thanks for the suggestion!

    I have a doubt... Php file can be accessed from external domains? In other words, the php file that inserts data into the DB can be called from a different domain? There is a way to prevent it?
    I don't know exactly what you mean right now. So I'm going off of what sounds about right.

    You CAN restrict through what's called a HTTP Referrer, which is the page that is sending you from somewhere towards your server. Some people disable their referrers, though, and I'm not sure if all browsers do it perfectly, so I wouldn't advise you to block referrers. I guess you could also use certain kinds of session variables to guarantee the person is going through certain pages (can't access create account if hasn't accessed main page yet), but I also don't think that's a good solution. And these are all easy to ignore if you're trying to hack a website (pretty much every single thing the client sends your server can be changed, the server can only trust the server itself - and bad practices can make even that a problem).

    People cannot download your PHP and execute it at their server, if that's what you're asking. They can only do that with access to the files themselves (like having already hacked your website or through FTP access or something along those lines).

    But you should always assume that people are going to call your script in the manners you don't want them to. Always always always check your data. Again - they don't have to come from outside websites to bypass your javascript checking of the form, they can do that in the very website you are on. The only way to be 100% certain your data is valid is to check it server-side before you insert it into the DB.

    At the very least, your script should check that the person filling your form has all the permissions to send data to the database. If you really don't want to check this server-side, you should just make sure that invalid data can't break anything.

  5. #5
    Join Date
    Jan 2013
    Posts
    82
    I do an exemple.. On my domaine (exemple americanhorizon . com) I've created an admin panel what allow to add some "messages" and relative "username" to the database with a php file called insertMessage.php.. Obiuvsly for do that user have to been logged in, and so, have to been passed throught login procedure..

    But if someone holds an internet domain, for exemple, coolthings.com, and uploads a form on it setting the action property to "http://www.americanhorizon.com/insertMessage.php", he could insert junk data into my database, even putting some check in the php file itself. A good hacker could insert data associng it to another user...


    For these reason i asked if php files can be called from other domains than the one where it's placed
    Last edited by American horizo; 04-27-2013 at 02:59 PM.

  6. #6
    Join Date
    Apr 2013
    Posts
    5
    Quote Originally Posted by American horizo View Post
    I do an exemple.. On my domaine (exemple americanhorizon . com) I've created an admin panel what allow to add some "messages" and relative "username" to the database with a php file called insertMessage.php.. Obiuvsly for do that user have to been logged in, and so, have to been passed throught login procedure..

    But if someone holds an internet domain, for exemple, coolthings.com, and uploads a form on it setting the action property to "http://www.americanhorizon.com/insertMessage.php", he could insert junk data into my database, even putting some check in the php file itself. A good hacker could insert data associng it to another user...


    For these reason i asked if php files can be called from other domains than the one where it's placed
    Again.. He doesn't even need to go through all that trouble. He can open your form, bypass your javascript and send whatever he likes. From your domain.

    A good hacker can fake ANYTHING you ask from the client, and that is why you need to check things server-side, and not client-side with javascript. Anything you do client-side is avoidable. And, one more time, the guy wouldn't even need to have a form up in another domain, he can just modify yours on-the-fly.

    You can do many things to keep yourself safer from these. Like sanitizing your DB scripts to not allow SQL Injection, not doing random includes and the like without checking (you can't include $_GET['page'], like a few websites do, because then the guy can just set $_GET['page'] to "http://myevilcodes.com/hackeverything.php").

    Bottom line: if you want to be the safest you can get, never trust the client. Anything the client does can be changed with the right programs. In fact, anything you do with javascript is easily avoided with any debugging tool. I believe Firefox comes with one as default, though I could be wrong. Anyway, it's child's play. (not to mention DISABLING javascript, something every single browser can do).

  7. #7
    Join Date
    Mar 2009
    Posts
    452
    well thats really a wide topic to discuss.

    you can also CAPTCHA or similar tricks

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles