secure jquery post to php script

Dennie
Hi,

I'm using jquery to create a POST which is sent in the background to a php script, which returns a value that is used by jquery again.

How can I ensure that no one else can generate/alter a POST, send it to my PHP script and receive a response?
A $_SERVER['HTTP_REFERER'] check in the PHP script isn't enough. I need to generate some kind of hash at both ends... but how to do this, as JavaScript/jQuery can be altered?
No matter what automated measures you put in place (either the PHP script makes some kind of hidden input with a secret hash on the page, or adds some extra bit of post code onto the JavaScript itself, which then gets checked by the next PHP script which receives the data to see if it was from the page), they will always be circumvented by a skilled coder.

The best way to ensure such things don't happen is to have a Captcha (http://en.wikipedia.org/wiki/CAPTCHA) image on the form which the user is trying to input. This is what most websites use to make sure the data being received by the script is both 1) not made by a mindless internet bot hellbent on spamming your website, 2) not made by some external program some person created to try to abuse your website.

There is a nice site for beginners who can't make their own captcha images, http://www.phpcaptcha.org/captcha-gallery/ ; they have a wide variety of free codes to use. It also explains how they work and how to check the input against the value that is shown to the person in the form of an image.

Try the website > http://www.phpcaptcha.org/ I hope this helped you a bit.
Using $_SERVER['HTTP_REFERER'] and other variations to check where the data came from in the PHP receiving script is pointless, as all this data is from the header, which can easily be manipulated.

Good luck with the rest of your coding!! And I hope you implement a captcha image onto your user input form!
Also just to add, using a Captcha image with jQuery Ajax Post is essentially the same thing as using it on a traditional HTML <form> Post. So it will be fully compatible with the jQuery form Post.

Author commented:
I can't use CAPTCHA because the POST is automatically submitted; besides, CAPTCHA is really annoying where I'll be using it. I'm really looking for some hash check solution.

Well, using an encryption plugin can help you here in many ways...

http://www.jcryption.org/
http://plugins.jquery.com/taxonomy/term/1575

Have Fun!.. ;)
VanHackman, that is one awesome plugin (http://www.jcryption.org/)!!! I'm going to start using that myself more often.
@SleepinDevil:

Yes, I agree with you.

Author commented:
But this is to encrypt the connection, right? I need to verify in the PHP script (server side) that the request is coming from a form generated by my code...
Well Dennie, you can add a hash onto the form as a hidden <input> and read it to check if it's the same value on the other side.

E.g. let's say your website is form.php and formprocess.php. I'll attach the 2 files in a ZIP file to this comment.

This method is still not truly secure. You can just extend the illegitimate script out to make it fetch the first page first and get the hash and then send the hash to the second page. And as long as you do both from the same script, then the browser name hash creation bit is also circumvented.

There really is no better way to make a secure form without using captchas these days. Even captchas are beatable now (the best program to mention is jDownloader, which uses anti-captcha modules to work out the security code to enter for download websites like megaupload etc.)
phpSecureForm.zip
"But this is to encrypt the connection right?"

No, it encrypts the data before making the POST/GET.


"I need to verify in the php script (server side) that the request in coming from a form generated by my code..."

So, all that you will need is this:

http://net.tutsplus.com/tutorials/php/secure-your-forms-with-form-keys/

No Seriously,  Believe me.. xD

In that tutorial you will get an in-depth step-by-step guide to keep your web forms secure
using keys, which will guarantee to you that every request comes from your forms.

Have Fun!!...
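The hidden-input hash from SleepinDevil's comment and the form-key approach VanHackman links to boil down to the same server-side check. The following is an added example, not code from the thread, from the attached ZIP or from the linked tutorial; it assumes the two-file layout form.php / formprocess.php from the discussion and a PHP 7+ session. It ties the key to the visitor's session and compares it in constant time, which stops a request forged from another origin (same-origin policy keeps other sites from reading the key), while, as noted above, it does not stop someone who scripts a full visit to form.php first.

```php
<?php
// Added example (not from the thread). Assumed layout: form.php emits the
// page, formprocess.php is the script jQuery posts to; both start here.
session_start();

// Issue (or reuse) a per-session form key: 256 bits from the CSPRNG.
function formKey(): string {
    if (empty($_SESSION['form_key'])) {
        $_SESSION['form_key'] = bin2hex(random_bytes(32));
        $_SESSION['form_key_issued'] = time();
    }
    return $_SESSION['form_key'];
}

// Verify a submitted key: constant-time compare plus an age limit, so a
// leaked key does not stay valid forever. Any mismatch returns false.
function verifyFormKey($submitted, int $maxAgeSeconds = 3600): bool {
    if (!is_string($submitted) || empty($_SESSION['form_key'])) {
        return false;
    }
    if (time() - ($_SESSION['form_key_issued'] ?? 0) > $maxAgeSeconds) {
        unset($_SESSION['form_key'], $_SESSION['form_key_issued']);
        return false;
    }
    return hash_equals($_SESSION['form_key'], $submitted);
}

// form.php: embed the key so the jQuery POST can send it along.
if (basename($_SERVER['SCRIPT_NAME']) === 'form.php') {
    $key = htmlspecialchars(formKey(), ENT_QUOTES, 'UTF-8');
    echo "<input type=\"hidden\" id=\"form_key\" value=\"$key\">\n";
    echo <<<JS
<script>
$.post('formprocess.php',
       { form_key: $('#form_key').val(), data: 'payload' },
       function (reply) { console.log(reply); });
</script>
JS;
}

// formprocess.php: refuse the request unless the key matches the session.
if (basename($_SERVER['SCRIPT_NAME']) === 'formprocess.php') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !verifyFormKey($_POST['form_key'] ?? null)) {
        http_response_code(403);
        exit('invalid form key');
    }
    echo 'ok';
}
```

Because the key lives in the session rather than in a predictable hash of the page, a third party cannot compute it offline; the remaining gap is exactly the one SleepinDevil describes, a script that loads form.php itself before posting.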
