Solved

security issues with Ajax

Posted on 2014-03-07
14
267 Views
Last Modified: 2014-03-07
Hi,

Im curious if there is major issues with security when using Ajax to grab and process php scripts.
currently i use a function to grab data and replace content like so
//GRAB PHP INFO
function ajax_update_status(value){
	   // Get all the form data 
	   $.ajax({
         type: "POST",
         url: "ajax/online_status.php?s=" + value
		 
    	});
	 
}
	 

Open in new window


i then use the following command to execute the function

onclick="ajax_update_status('invisible'); return false" data-status="status-invisible"

Open in new window


the online users php script requested is as follows

//GET THE USERS CURRENT ONLINE SESSION STATUS AND CHANGE IT IF NESSECARY

if(isset($_GET['s']) && !empty($_GET['s'])){
	
	//THE VARIABLE IS SET
	if($_GET['s'] == 'online'){
		//SET THE SESSION VARIABLE TO ONLINE
		$_SESSION["online_status"] ='online';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'online', $datetime);
		
	}elseif($_GET['s'] == 'away'){
		//SET THE SESSION VARIABLE TO AWAY
		$_SESSION["online_status"] = 'away';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'away', $datetime);
		
	}elseif($_GET['s'] == 'invisible'){ 
		//SET THE SESSION VARIABLE TO INVISIBLE
		$_SESSION["online_status"] = 'invisible';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'invisible', $datetime);
		
	}
}

the function of  online status is 

[code]//CHANGE THE USERS DATABASE ONLINE STATUS WHEN THE USER LOGS ON
function online_status($uid, $status, $date){
	global $link;
	$date_clean =mysqli_real_escape_string($link,str_replace(",","-",$date));
	if($status==="online" || $status==="away" || $status==="invisible" || $status==="offline"){
		$sql=" UPDATE bb_users SET online_status='".$status."', online_status_time='".$date_clean."' WHERE uid='".$uid."' LIMIT 1";	
		mysqli_query($link, $sql) or die;
	}
}

Open in new window


i was worried about SQL injection in the function from the date variable and the status variable. im not sure if i need to worry about the uid var as it is a session variable which i have set upon logon. am i going about this the right way? what could i do to make this more secure. i really do not want to have SQL injection or any massive holes.

thanks in advance
0
Comment
Question by:M. Jayme Nagy
  • 6
  • 5
  • 3
14 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 39912950
You should be binding the columns or using placeholders. You are executing your sql the old way
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
Everything else is fine.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913004
Thanks

i took a quick read of that link from what i understood prepared statements are faster as they are only parsed once and can be executed multiple times which is why im kind of lost

do i prepare a statement for each sql query i would like to run (the ones i reuse i typically just make a function so instead would i just prepare a statement instead?) an is the statment reusable on each page or do i have to rewrite it? any help would be GREATLY appreciated
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913024
Not only faster but they negate the need for sanitizing the sql input.
You can create a prepared statement that can be used multiple times on the page but you need it on every page - it only exists for the life of that php page.
You need a prepared statement for each sql that is different, it's not something you can 'share'

It just requires a small change to how you write your sql and how you execute it.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913034
This article maps the MySQL, MySQLi and PDO extensions.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

This resource on my web site might be useful, too:
http://www.iconoun.com/mysql_mysqli_pdo_function_map.php

There is nothing wrong, per se, with using MySQLi as long as you understand that the query strings you create in the PHP scripts are computer programs that the SQL engine will run.  Therefore when you use external data in the query strings, you're allowing someone else to decide what gets sent to the SQL engine.  If you understand this and your scripts filter and escape the external data appropriately, it's fine to use MySQLi.  The main advantage of using PDO is that if you enforce appropriate coding standards with PDO, even an idiot cannot write a query that will get your data base destroyed.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913047
Thanks guys ill read over the material.

It seems like PDO is a no brainer

so just to recap (im trying to draw a comparison)

prepared statement is just like a variable containing a "string"

until it is executed and then it becomes a full SQL query?
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 39913060
Ermm no.
When you create a prepared statement it is sent to MySQL and then MySQL waits for the data to fill in the 'blanks'.  MySQL remembers the statement (for the duration of the page request) and that is why you only need to declare it once.  Then you just push the data to MySQL, doesn't matter if you are only executing the query once or a hundred times all you are giving to MySQL is the values to insert/select etc.
This is why it is safe from sql injection as the data is separate from the sql statement itself.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913119
OIC

that paints a lot clearer picture.

So im preparing the statement which is effectively the commands i want without the values/inputs and then SQL holds this command

then when i get the values/inputs i send it up to SQL and it interprets it and relays me the results

does this sound somewhat correct?


my next questions would be- do i need to do anything to the values such as  real escape string or anything?
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913129
If you're converting a script from the familiar but obsolete MySQL you will find there is more work to do with PDO, because the queries must change.  The queries do not need to be changed with MySQLi.

A prepared statement is does not contain any variables.  It contains placeholders.  The SQL engine will put the "variables" in place for query execution, but these variables will not make any changes to the prepared statement.  That said, if you have a DELETE FROM...WHERE id= query and you prepare it improperly, it will still be possible for an attacker to get 3 OR 1=1 into the query engine.  All external data must be considered tainted until it has been filtered.

If you're doing a lot of queries, you might want to benchmark MySQLi against PDO. There are instances in which PDO can be slower. If you have a dozen queries needed to build a web page, it won't matter, but if there are lots of queries involved it's worth optimizing first the tables, then the queries, and then the extension.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913130
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913136
You've got it.
You don't need to do anything, there is no possibility of sql injection as the data never touches the sql statement
But that doesn't preclude you from any other normal data sanitizing like HTML injection etc.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913151
Ray,
The delete you mention couldn't happen with PDO prepared statements.

@Jay
I'm biased to PDO, multi database engine whereas MySQLi is purely for MySQL only.
MySQLi can be faster (they both use the same underlying API), but weighing up the advantages of PDO those few extra millisecs don't really matter.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913156
at what amount of queries would using PDO be slower than mysqli
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 39913166
PDO would win the higher the number of queries.

In the thousands
http://jnrbsn.com/2010/06/mysqli-vs-pdo-benchmarks

In the hundreds of thousands
http://wooptoo.com/blog/pdo-vs-mysqli-performance-comparison/

Everything will depend on the setup of course.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913171
AWESOME!!

BIG BIG HELP!

THANKS A BUNCH
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Developer tools in browsers have been around for a while, yet they are still heavily underused by developers. Developers still fix html or CSS then refresh page to see effect, or they put alert or debugger in JavaScript and then try again and again …
Introduction A frequently used term in Object-Oriented design is "SOLID" which is a mnemonic acronym that covers five principles of OO design.  These principles do not stand alone; there is interplay among them.  And they are not laws, merely princ…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now