Nehemiah1

asked on

Protecting mySQL/PHP data which creates Google Map content

I have created a Google Map which uses data from a mySQL database. The records are retrieved and dumped in php using .json_encode. This is then parsed into Javascript with AJAX for Google Maps to create markers and other information.

I would like to secure the php file which is pretty easily accessible if you so happen to know the name of the file. One suggestion is to limit access to the script by authenticating the client using session cookies. With my novice understanding, is there any way to limit access to the php file directly by authentication and otherwise indirectly verifying the presence of a session cookie in the AJAX request?
Rob
But if you know what you're doing it's easy enough to set up a request in the console of the browser, did it recently in fact. Will find the question as it may be relevant.
So people who want to get in, will get in.
Forcing the user to login gives you that little bit more control over your data but nothing is ever watertight. You just have to make it VERY hard to crack to the point people will give up.
Nehemiah1

ASKER

But how do you force the user to login when attempting to access the file directly and accept access within the AJAX call when detecting the presence of a session cookie (which is generated on the page where the map is placed)?
The session cookie is determined by the server not the client so you should also be able to detect that in your "data" php.

I'm not sure how you're doing the authentication but when I wanted to secure a page I would include a simple php file "authentication.php" at the top of the script that checked for the session.  If it wasn't there it dies and the requested page is never served.  That's regardless of ajax or otherwise.
Ok so the first thing I will attempt is to restrict browser access via .htaccess.

The next thing (please correct if necessary), I will have the map page create a session cookie in which the 'data.php' file will check for this session (via an authentication.php include). If it cannot be found, the rest of the script will not be executed.

Does this sound right?

So in this case there is no requirement for human authentication since this is handled by the existence of the session cookie?
What Ray said, and that's right about the rest of the authentication script not running if the session variables aren't present.
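
The session check described in this thread, as an added example that is not part of any post: a `data.php` whose guard (the role the thread gives to `authentication.php`) is shown inline so the file runs on its own. The function name `require_map_session`, the session key `map_page_loaded` and the sample rows are assumptions; the map page is assumed to call `session_start()` with the same cookie settings and set that key to `time()`.

```php
<?php
// data.php -- added example, not code from the thread. Requires PHP 7.3+.
// Hypothetical names: require_map_session(), $_SESSION['map_page_loaded'].

// The guard the thread places in authentication.php, shown inline here.
function require_map_session(int $maxAgeSeconds = 1800): void
{
    session_set_cookie_params([
        'httponly' => true,                    // not readable from page JavaScript
        'samesite' => 'Lax',                   // not attached to cross-site subrequests
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();

    // The map page is assumed to have stored the time it was served.
    $issued = $_SESSION['map_page_loaded'] ?? null;

    if (!is_int($issued) || (time() - $issued) > $maxAgeSeconds) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'forbidden']);
        exit; // nothing below runs, for AJAX and direct requests alike
    }
}

require_map_session();

// Constructed sample rows standing in for the MySQL result set.
$markers = [
    ['name' => 'Sample A', 'lat' => -33.8688, 'lng' => 151.2093],
    ['name' => 'Sample B', 'lat' => -37.8136, 'lng' => 144.9631],
];

header('Content-Type: application/json');
header('Cache-Control: no-store'); // keep marker data out of shared caches
echo json_encode($markers);
```

A session issued without a login only shows that the client loaded the map page first; it does not identify a user, so per-user access control still needs a real login behind the same check.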