Dennie

asked on

secure jquery post to php script

Hi,

I'm using jquery to create a POST which is sent in the background to a php script, which returns a value that is used by jquery again.

How can I ensure that no one else can generate/alter a POST, send it to my PHP script and receive a response?
$_SERVER['HTTP_REFERER'] check in the php script isn't enough. I need to generate some kind of hash at both ends.. but how to do this as javascript/jquery can be altered?
SleepinDevil

No matter what automated measures you put in place (either the PHP script makes some kind of hidden input with a secret hash on the page, or adds some extra bit of post code onto the javascript itself, which then gets checked by the next PHP script that receives the data to see if it was from the page), they will always be circumvented by a skilled coder.

The best way to ensure such things don't happen is to have a Captcha (http://en.wikipedia.org/wiki/CAPTCHA) image on the form which the user is trying to input. This is what most websites use to make sure the data being received by the script is both 1) not made by a mindless internet bot hellbent on spamming your website, 2) not made by some external program some person created to try to abuse your website.

There is a nice site for beginners who can't make their own captcha images, http://www.phpcaptcha.org/captcha-gallery/ ; they have a wide variety of free codes to use. They also explain how they work and how to check the input against the value that is shown to the person in the form of an image.

Try the website > http://www.phpcaptcha.org/ I hope this helped you a bit.
Using $_SERVER['HTTP_REFERER'] and other variations to check where the data came from on the PHP receiving script is pointless, as all this data is from the header, which can easily be manipulated.

Good luck with the rest of your coding!! And I hope you implement a captcha image onto your user input form!
Also just to add, using a Captcha image with jQuery Ajax Post is essentially the same thing as using it on a traditional HTML <form> Post. So it will be fully compatible with the jQuery form Post.
Dennie

ASKER

I can't use CAPTCHA because the POST is automatically submitted, besides this CAPTCHA is really annoying where I'll be using it. I'm really looking for some hash check solution

Well, using an encryption plugin can help you here in many ways...

http://www.jcryption.org/
http://plugins.jquery.com/taxonomy/term/1575

Have Fun!.. ;)
VanHackman, that is one awesome plugin (http://www.jcryption.org/)!!! I'm going to start using that myself more often.
@SleepinDevil:

Yes, I agree with you.
Dennie

ASKER

But this is to encrypt the connection, right? I need to verify in the php script (server side) that the request is coming from a form generated by my code...
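
The hidden-hash idea from the first reply, written out as an added example (not code from the thread or from the members-only solution): the PHP page issues an HMAC-signed token tied to the session and a timestamp, jQuery sends it back with the POST, and the receiving script checks it. The function names, the form id and the 600-second lifetime are assumptions. As that reply notes, this only shows the token came from a page your server rendered for this session; a client that loads the page first still gets a valid token.

```php
<?php
// Added example: server-issued, HMAC-signed form token. All names are hypothetical.

const TOKEN_TTL = 600; // seconds a token stays valid (assumed value)

// Per-session secret, created once and kept server-side only.
function session_secret(): string {
    if (empty($_SESSION['form_secret'])) {
        $_SESSION['form_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_secret'];
}

// Called while rendering the page; the result is embedded for jQuery to send back.
function issue_token(string $formId, ?int $now = null): string {
    $ts  = $now ?? time();
    $mac = hash_hmac('sha256', $formId . '|' . $ts, session_secret());
    return $ts . ':' . $mac;
}

// Called at the top of the script that receives the POST.
function verify_token(string $formId, string $token, ?int $now = null): bool {
    $now   = $now ?? time();
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                       // malformed token
    }
    [$ts, $mac] = $parts;
    if ((int)$ts > $now || $now - (int)$ts > TOKEN_TTL) {
        return false;                       // timestamp in the future or expired
    }
    $expected = hash_hmac('sha256', $formId . '|' . $ts, session_secret());
    return hash_equals($expected, $mac);    // constant-time comparison
}

// Constructed demo; in a real page session_start() would provide $_SESSION.
$_SESSION = [];
$token = issue_token('lookup-form', 1000);
var_dump(verify_token('lookup-form', $token, 1100));        // fresh, intact token
var_dump(verify_token('lookup-form', $token, 2000));        // older than TOKEN_TTL
var_dump(verify_token('other-form',  $token, 1100));        // issued for another form
var_dump(verify_token('lookup-form', $token . '0', 1100));  // MAC altered
```

The secret never leaves the server, so altering the JavaScript does not let a client forge a token for a different form or extend an expired one.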
ASKER CERTIFIED SOLUTION
SleepinDevil
