Prevent calls from external domains? Is it possibile without sacrificing AJAX use?
The question is simple.. I've created a register FORM that calls register.php file passing parmas througth AJAX. I've applyied some restrictions to the form compilation, such the necessity of a regular email address, regular name, and regular acceptation of terms and conditions.. After that i memorize data into my daabase
But what i thinking is that someone calls the register.php file (for exemple, creating his own form), he could send invalid data tainting my database with invalid data... Is it possible to avoid it? A solution could be to add other controls about the data regularity inside the php file before memorize it into the database.. But it would be only an escamotage..
To be sure, you need to perform server-side checks before adding things into the database. Never trust the information the client is giving.
Ok thanks for the suggestion!
I have a doubt... Php file can be accessed from external domains? In other words, the php file that inserts data into the DB can be called from a different domain? There is a way to prevent it?
I don't know exactly what you mean right now. So I'm going off of what sounds about right.
Originally Posted by American horizo
You CAN restrict through what's called a HTTP Referrer, which is the page that is sending you from somewhere towards your server. Some people disable their referrers, though, and I'm not sure if all browsers do it perfectly, so I wouldn't advise you to block referrers. I guess you could also use certain kinds of session variables to guarantee the person is going through certain pages (can't access create account if hasn't accessed main page yet), but I also don't think that's a good solution. And these are all easy to ignore if you're trying to hack a website (pretty much every single thing the client sends your server can be changed, the server can only trust the server itself - and bad practices can make even that a problem).
People cannot download your PHP and execute it at their server, if that's what you're asking. They can only do that with access to the files themselves (like having already hacked your website or through FTP access or something along those lines).
At the very least, your script should check that the person filling your form has all the permissions to send data to the database. If you really don't want to check this server-side, you should just make sure that invalid data can't break anything.
I do an exemple.. On my domaine (exemple americanhorizon . com) I've created an admin panel what allow to add some "messages" and relative "username" to the database with a php file called insertMessage.php.. Obiuvsly for do that user have to been logged in, and so, have to been passed throught login procedure..
But if someone holds an internet domain, for exemple, coolthings.com, and uploads a form on it setting the action property to "http://www.americanhorizon.com/insertMessage.php", he could insert junk data into my database, even putting some check in the php file itself. A good hacker could insert data associng it to another user...
For these reason i asked if php files can be called from other domains than the one where it's placed
Last edited by American horizo; 04-27-2013 at 02:59 PM.
Originally Posted by American horizo
You can do many things to keep yourself safer from these. Like sanitizing your DB scripts to not allow SQL Injection, not doing random includes and the like without checking (you can't include $_GET['page'], like a few websites do, because then the guy can just set $_GET['page'] to "http://myevilcodes.com/hackeverything.php").
well thats really a wide topic to discuss.
you can also CAPTCHA or similar tricks
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)