Nehemiah1 asked on

Protecting mySQL/PHP data which creates Google Map content

I have created a Google Map which uses data from a MySQL database. The records are retrieved and dumped in PHP using .json_encode. This is then parsed into JavaScript with AJAX for Google Maps to create markers and other information.

I would like to secure the PHP file, which is pretty easily accessible if you so happen to know the name of the file. One suggestion is to limit access to the script by authenticating the client using session cookies. With my novice understanding, is there any way to limit access to the PHP file directly by authentication and otherwise indirectly verifying the presence of a session cookie in the AJAX request?
JavaScript, PHP, MySQL Server

Last Comment
Rob

8/22/2022 - Mon
SOLUTION
Rob

Rob

But if you know what you're doing, it's easy enough to set up a request in the console of the browser; did it recently in fact. Will find the question as it may be relevant.
So people who want to get in, will get in.
Forcing the user to log in gives you that little bit more control over your data but nothing is ever watertight. You just have to make it VERY hard to crack to the point people will give up.
ASKER
Nehemiah1

But how do you force the user to log in when attempting to access the file directly and accept access within the AJAX call when detecting the presence of a session cookie (which is generated on the page where the map is placed)?
Rob

The session cookie is determined by the server, not the client, so you should also be able to detect that in your "data" PHP.

I'm not sure how you're doing the authentication but when I wanted to secure a page I would include a simple PHP file "authentication.php" at the top of the script that checked for the session. If it wasn't there it dies and the requested page is never served. That's regardless of AJAX or otherwise.
SOLUTION
Ray Paseur

ASKER
Nehemiah1

OK, so the first thing I will attempt is to restrict browser access via .htaccess.

The next thing (please correct if necessary), I will have the map page create a session cookie in which the 'data.php' file will check for this session (via an authentication.php include). If it cannot be found, the rest of the script will not be executed.

Does this sound right?

So in this case there is no requirement for human authentication since this is handled by the existence of the session cookie?
Rob

What Ray said, and that's right about the rest of the authentication script not running if the session variables aren't present.
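
The pattern discussed in this thread (the map page starts a session, and an include at the top of the data script refuses to run without it), written out as an added example that is not code from any participant. The `map_access` flag, the function names, `map.php` and the sample rows are assumptions; `authentication.php` and `data.php` are the file names used in the thread.

```php
<?php
declare(strict_types=1);

// Map page (hypothetical map.php): call before any output is sent.
function start_map_session(): void
{
    session_start();
    $_SESSION['map_access'] = true;      // hypothetical flag name
}

// Send a 403 with a JSON body and stop; nothing after this runs.
function deny(): void
{
    http_response_code(403);
    header('Content-Type: application/json');
    exit(json_encode(['error' => 'forbidden']));
}

// authentication.php: included at the top of data.php.
function require_map_session(): void
{
    // No session cookie in the request: refuse without creating a session.
    if (!isset($_COOKIE[session_name()])) {
        deny();
    }
    session_start();
    if (empty($_SESSION['map_access'])) {
        deny();                          // session exists but carries no map flag
    }
    session_write_close();               // release the session lock early
}

// data.php: the guard runs first, so a direct request never reaches the query.
require_map_session();

// Constructed sample rows standing in for the MySQL result set.
$markers = [
    ['name' => 'Sample A', 'lat' => 51.5007, 'lng' => -0.1246],
    ['name' => 'Sample B', 'lat' => 48.8584, 'lng' => 2.2945],
];

header('Content-Type: application/json');
header('Cache-Control: no-store');       // keep the JSON out of shared caches
echo json_encode($markers);
```

A flag set on page load only shows that the client fetched the map page first; it does not identify a person, so any visitor who loads the page can still request the JSON.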