Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

security issues with Ajax

Posted on 2014-03-07
14
270 Views
Last Modified: 2014-03-07
Hi,

Im curious if there is major issues with security when using Ajax to grab and process php scripts.
currently i use a function to grab data and replace content like so
//GRAB PHP INFO
function ajax_update_status(value){
	   // Get all the form data 
	   $.ajax({
         type: "POST",
         url: "ajax/online_status.php?s=" + value
		 
    	});
	 
}
	 

Open in new window


i then use the following command to execute the function

onclick="ajax_update_status('invisible'); return false" data-status="status-invisible"

Open in new window


the online users php script requested is as follows

//GET THE USERS CURRENT ONLINE SESSION STATUS AND CHANGE IT IF NESSECARY

if(isset($_GET['s']) && !empty($_GET['s'])){
	
	//THE VARIABLE IS SET
	if($_GET['s'] == 'online'){
		//SET THE SESSION VARIABLE TO ONLINE
		$_SESSION["online_status"] ='online';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'online', $datetime);
		
	}elseif($_GET['s'] == 'away'){
		//SET THE SESSION VARIABLE TO AWAY
		$_SESSION["online_status"] = 'away';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'away', $datetime);
		
	}elseif($_GET['s'] == 'invisible'){ 
		//SET THE SESSION VARIABLE TO INVISIBLE
		$_SESSION["online_status"] = 'invisible';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'invisible', $datetime);
		
	}
}

the function of  online status is 

[code]//CHANGE THE USERS DATABASE ONLINE STATUS WHEN THE USER LOGS ON
function online_status($uid, $status, $date){
	global $link;
	$date_clean =mysqli_real_escape_string($link,str_replace(",","-",$date));
	if($status==="online" || $status==="away" || $status==="invisible" || $status==="offline"){
		$sql=" UPDATE bb_users SET online_status='".$status."', online_status_time='".$date_clean."' WHERE uid='".$uid."' LIMIT 1";	
		mysqli_query($link, $sql) or die;
	}
}

Open in new window


i was worried about SQL injection in the function from the date variable and the status variable. im not sure if i need to worry about the uid var as it is a session variable which i have set upon logon. am i going about this the right way? what could i do to make this more secure. i really do not want to have SQL injection or any massive holes.

thanks in advance
0
Comment
Question by:M. Jayme Nagy
  • 6
  • 5
  • 3
14 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 39912950
You should be binding the columns or using placeholders. You are executing your sql the old way
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
Everything else is fine.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913004
Thanks

i took a quick read of that link from what i understood prepared statements are faster as they are only parsed once and can be executed multiple times which is why im kind of lost

do i prepare a statement for each sql query i would like to run (the ones i reuse i typically just make a function so instead would i just prepare a statement instead?) an is the statment reusable on each page or do i have to rewrite it? any help would be GREATLY appreciated
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913024
Not only faster but they negate the need for sanitizing the sql input.
You can create a prepared statement that can be used multiple times on the page but you need it on every page - it only exists for the life of that php page.
You need a prepared statement for each sql that is different, it's not something you can 'share'

It just requires a small change to how you write your sql and how you execute it.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913034
This article maps the MySQL, MySQLi and PDO extensions.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

This resource on my web site might be useful, too:
http://www.iconoun.com/mysql_mysqli_pdo_function_map.php

There is nothing wrong, per se, with using MySQLi as long as you understand that the query strings you create in the PHP scripts are computer programs that the SQL engine will run.  Therefore when you use external data in the query strings, you're allowing someone else to decide what gets sent to the SQL engine.  If you understand this and your scripts filter and escape the external data appropriately, it's fine to use MySQLi.  The main advantage of using PDO is that if you enforce appropriate coding standards with PDO, even an idiot cannot write a query that will get your data base destroyed.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913047
Thanks guys ill read over the material.

It seems like PDO is a no brainer

so just to recap (im trying to draw a comparison)

prepared statement is just like a variable containing a "string"

until it is executed and then it becomes a full SQL query?
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 39913060
Ermm no.
When you create a prepared statement it is sent to MySQL and then MySQL waits for the data to fill in the 'blanks'.  MySQL remembers the statement (for the duration of the page request) and that is why you only need to declare it once.  Then you just push the data to MySQL, doesn't matter if you are only executing the query once or a hundred times all you are giving to MySQL is the values to insert/select etc.
This is why it is safe from sql injection as the data is separate from the sql statement itself.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913119
OIC

that paints a lot clearer picture.

So im preparing the statement which is effectively the commands i want without the values/inputs and then SQL holds this command

then when i get the values/inputs i send it up to SQL and it interprets it and relays me the results

does this sound somewhat correct?


my next questions would be- do i need to do anything to the values such as  real escape string or anything?
0
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913129
If you're converting a script from the familiar but obsolete MySQL you will find there is more work to do with PDO, because the queries must change.  The queries do not need to be changed with MySQLi.

A prepared statement is does not contain any variables.  It contains placeholders.  The SQL engine will put the "variables" in place for query execution, but these variables will not make any changes to the prepared statement.  That said, if you have a DELETE FROM...WHERE id= query and you prepare it improperly, it will still be possible for an attacker to get 3 OR 1=1 into the query engine.  All external data must be considered tainted until it has been filtered.

If you're doing a lot of queries, you might want to benchmark MySQLi against PDO. There are instances in which PDO can be slower. If you have a dozen queries needed to build a web page, it won't matter, but if there are lots of queries involved it's worth optimizing first the tables, then the queries, and then the extension.
0
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913130
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913136
You've got it.
You don't need to do anything, there is no possibility of sql injection as the data never touches the sql statement
But that doesn't preclude you from any other normal data sanitizing like HTML injection etc.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913151
Ray,
The delete you mention couldn't happen with PDO prepared statements.

@Jay
I'm biased to PDO, multi database engine whereas MySQLi is purely for MySQL only.
MySQLi can be faster (they both use the same underlying API), but weighing up the advantages of PDO those few extra millisecs don't really matter.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913156
at what amount of queries would using PDO be slower than mysqli
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 39913166
PDO would win the higher the number of queries.

In the thousands
http://jnrbsn.com/2010/06/mysqli-vs-pdo-benchmarks

In the hundreds of thousands
http://wooptoo.com/blog/pdo-vs-mysqli-performance-comparison/

Everything will depend on the setup of course.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913171
AWESOME!!

BIG BIG HELP!

THANKS A BUNCH
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to dynamically set the form action using jQuery.

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question