Avatar of zerg_rush
zerg_rushFlag for United States of America asked on

What is the best practice for securing XMLfile but still allowing access to Javascript

I would like to use the Timeline widget from the SIMILE project at MIT.  


No problems here it took me only 15 minutes to download and setup.  My question regards securing the data that is passed to the DHTML/AJAX widget.  

I use PHP 5 to authenticate users and check authorization against a MySQL database.  If the user has the appropriate authorization a XHTML 1.0 strict webpage is dynamically created with the Timeline and other information.

It looks like the easiest way to pass the information to the widget is by simply telling the widget's Javascript  where it can find one or more XML files.  I would prefer to use this method and as far as I can tell it's the only way at the moment.  This is not a problem as I can either generate the XML file before the page is created or update an existing file to include the most current information.  Regardless of when or how the XML file is generated Javascript needs to be able to access it but i don't want just anyone to be able to access it, only those users that have been authenticated and authorized by the database.  The users' authorizations are stored in a PHP session.

I have thought about creating the XML file as needed.  Then letting Javascript get the data and generate the Timeline.  After the Timeline has generated I would immediately delete the file as the Timeline works independently once generated.  I'm left with a couple of questions on how to do that last part?

 What program, process or script will delete the file?
 What will prompt this program, process or script to run?
 Where should the file be stored between the time it is created and deleted?

I think I may be taking the wrong approach.  I feel that there is a simpler solution and that I just have a gap in my knowledge of Redhat, Apache, Javascript, XML or something.

Please let me know how you would approach the problem of securing the XML file against unauthorized users yet still allowing Javascipt access.  If you think my approach is the best or only solution please answer my three questions.

I was able to easily setup of the religious Timeline example they have here.  So I don't have any code for you other than what is on the SIMILE website.


Dedicated Server Specifications
Apache 2
I am the administrator and I have root access.
Web ApplicationsAJAXScripting Languages

Avatar of undefined
Last Comment
Jason C. Levine

8/22/2022 - Mon
Jason C. Levine

Hi zerg_rush,

If you have the data in a database, then you could use PHP to both authenticate access by session and then output the results of the query as XML for use by your AJAX code.  That allows for continuous, secure access for the AJAX code without having to deal with cleaning up temp files.


     I like the idea I'm just not sure how to implement it.  I've included the part of the AJAX where the XML is referenced.  In this case the timeline is displaying two bands; one band for each file referenced  "jewish.xml" and "christianity.xml".

How do I prevent someone who is not authenticated from making a http request directly?
Like 'http://www.mydomain.com/jewish.xml'

            tl.loadXML("jewish.xml", function(xml, url) {
                eventSourceJewish.loadXML(xml, url);
            tl.loadXML("christianity.xml", function(xml, url) {
                eventSourceChristianity.loadXML(xml, url);

Open in new window

Jason C. Levine

Here's a sample PHP file that describes better what I'm talking about.  If the user has the auth session set, it goes to a database and pulls out the relevant data and formats it as XML

If not, the XML output still occurs, but with no data.  Obviously, this file requires some cleanup :)

So to use you examples above, you would point the load XML command to the PHP files and let the PHP do the work.

if (isset($_SESSION['auth'])) {
$hostname_conn = "localhost";
$database_conn = "image_gallery";
$username_conn = "root";
$password_conn = "password";
$conn = mysql_pconnect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysql_error(),E_USER_ERROR); 
// Query the database and get all the records from the Images table 
mysql_select_db($database_conn, $conn);
$query_rsAll = "SELECT * FROM images";
$rsAll = mysql_query($query_rsAll, $conn) or die(mysql_error());
$row_rsAll = mysql_fetch_assoc($rsAll);
$totalRows_rsAll = mysql_num_rows($rsAll);
// Send the headers
header('Content-type: text/xml');
header('Pragma: public');        
header('Cache-control: private');
header('Expires: -1');
<?php echo('<?xml version="1.0" encoding="utf-8"?>'); ?>
  <?php if ($totalRows_rsAll > 0) { // Show if recordset not empty ?>
  <?php do { ?>
		<?php foreach ($row_rsAll as $column=>$value) { ?>
		<<?php echo $column; ?>><![CDATA[<?php echo $row_rsAll[$column]; ?>]]></<?php echo $column; ?>>
		<?php } ?>
    <?php } while ($row_rsAll = mysql_fetch_assoc($rsAll)); ?>
	<?php } // Show if recordset not empty ?>

Open in new window

Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy

So I can create part of a XHTML 1.0 document, then point my Javascript to a PHP page, have it run and then return the information and then complete the last part of the XHTML 1.0 document?  I didn't think this type of interaction between JavaScript and PHP was possible.  I'll give it a try the worst that can happen is I'll just be left with the page I need to generate the XML file.
tl.loadXML("create_xml.php", function(xml, url) {
                eventSourceChristianity.loadXML(xml, url);

Open in new window

Jason C. Levine

Since AJAX is making http requests, it's possible.  

I don't think this particular widget works that way but I'll give it a try this week.  At the very least I'll give you some points for the php code that generates the XML document.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Jason C. Levine

Pfft.  That code is freely available by Googling, plus a ton more.  You may be right in that this particular app doesn't make the call via AJAX, and if not, then there is a problem.

In that case, since the file is called via an include, the only thing I can think of would be to move the XML outside of the public web space to prevent easy access to it.  You would embed a full path in the code above to call the XML, but since the path is not accessible through normal means, no one would be able to see the file.  The page with the Timeline is controlled by normal PHP access restrictions, so that isn't the issue.

Yes I think that is in fact the crux of my issue.

So you think something in the area of this would work?  I'll give it a try and get back to you.

<? include (home/user/xml_files/create_xml.php); ?>
", function(xml, url) {eventSourceChristianity.loadXML(xml, url);});

Open in new window

Jason C. Levine

No, not like that:

tl.loadXML("/home/user/xml_files/create_xml.php", function(xml, url) {eventSourceChristianity.loadXML(xml, url);});

Pass the path to the function, don't pass a PHP call.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Jason C. Levine

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

     I got it working using the:

    tl.loadXML("/home/user/thexml.xml", function(xml, url) {eventSourceChristianity.loadXML(xml, url);});

   Thank you for your help with this.
Jason C. Levine

Great, glad it works for you.