Solved

security issues with Ajax

Posted on 2014-03-07
14
269 Views
Last Modified: 2014-03-07
Hi,

Im curious if there is major issues with security when using Ajax to grab and process php scripts.
currently i use a function to grab data and replace content like so
//GRAB PHP INFO
function ajax_update_status(value){
	   // Get all the form data 
	   $.ajax({
         type: "POST",
         url: "ajax/online_status.php?s=" + value
		 
    	});
	 
}
	 

Open in new window


i then use the following command to execute the function

onclick="ajax_update_status('invisible'); return false" data-status="status-invisible"

Open in new window


the online users php script requested is as follows

//GET THE USERS CURRENT ONLINE SESSION STATUS AND CHANGE IT IF NESSECARY

if(isset($_GET['s']) && !empty($_GET['s'])){
	
	//THE VARIABLE IS SET
	if($_GET['s'] == 'online'){
		//SET THE SESSION VARIABLE TO ONLINE
		$_SESSION["online_status"] ='online';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'online', $datetime);
		
	}elseif($_GET['s'] == 'away'){
		//SET THE SESSION VARIABLE TO AWAY
		$_SESSION["online_status"] = 'away';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'away', $datetime);
		
	}elseif($_GET['s'] == 'invisible'){ 
		//SET THE SESSION VARIABLE TO INVISIBLE
		$_SESSION["online_status"] = 'invisible';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'invisible', $datetime);
		
	}
}

the function of  online status is 

[code]//CHANGE THE USERS DATABASE ONLINE STATUS WHEN THE USER LOGS ON
function online_status($uid, $status, $date){
	global $link;
	$date_clean =mysqli_real_escape_string($link,str_replace(",","-",$date));
	if($status==="online" || $status==="away" || $status==="invisible" || $status==="offline"){
		$sql=" UPDATE bb_users SET online_status='".$status."', online_status_time='".$date_clean."' WHERE uid='".$uid."' LIMIT 1";	
		mysqli_query($link, $sql) or die;
	}
}

Open in new window


i was worried about SQL injection in the function from the date variable and the status variable. im not sure if i need to worry about the uid var as it is a session variable which i have set upon logon. am i going about this the right way? what could i do to make this more secure. i really do not want to have SQL injection or any massive holes.

thanks in advance
0
Comment
Question by:M. Jayme Nagy
  • 6
  • 5
  • 3
14 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 39912950
You should be binding the columns or using placeholders. You are executing your sql the old way
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
Everything else is fine.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913004
Thanks

i took a quick read of that link from what i understood prepared statements are faster as they are only parsed once and can be executed multiple times which is why im kind of lost

do i prepare a statement for each sql query i would like to run (the ones i reuse i typically just make a function so instead would i just prepare a statement instead?) an is the statment reusable on each page or do i have to rewrite it? any help would be GREATLY appreciated
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913024
Not only faster but they negate the need for sanitizing the sql input.
You can create a prepared statement that can be used multiple times on the page but you need it on every page - it only exists for the life of that php page.
You need a prepared statement for each sql that is different, it's not something you can 'share'

It just requires a small change to how you write your sql and how you execute it.
0
Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913034
This article maps the MySQL, MySQLi and PDO extensions.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

This resource on my web site might be useful, too:
http://www.iconoun.com/mysql_mysqli_pdo_function_map.php

There is nothing wrong, per se, with using MySQLi as long as you understand that the query strings you create in the PHP scripts are computer programs that the SQL engine will run.  Therefore when you use external data in the query strings, you're allowing someone else to decide what gets sent to the SQL engine.  If you understand this and your scripts filter and escape the external data appropriately, it's fine to use MySQLi.  The main advantage of using PDO is that if you enforce appropriate coding standards with PDO, even an idiot cannot write a query that will get your data base destroyed.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913047
Thanks guys ill read over the material.

It seems like PDO is a no brainer

so just to recap (im trying to draw a comparison)

prepared statement is just like a variable containing a "string"

until it is executed and then it becomes a full SQL query?
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 39913060
Ermm no.
When you create a prepared statement it is sent to MySQL and then MySQL waits for the data to fill in the 'blanks'.  MySQL remembers the statement (for the duration of the page request) and that is why you only need to declare it once.  Then you just push the data to MySQL, doesn't matter if you are only executing the query once or a hundred times all you are giving to MySQL is the values to insert/select etc.
This is why it is safe from sql injection as the data is separate from the sql statement itself.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913119
OIC

that paints a lot clearer picture.

So im preparing the statement which is effectively the commands i want without the values/inputs and then SQL holds this command

then when i get the values/inputs i send it up to SQL and it interprets it and relays me the results

does this sound somewhat correct?


my next questions would be- do i need to do anything to the values such as  real escape string or anything?
0
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913129
If you're converting a script from the familiar but obsolete MySQL you will find there is more work to do with PDO, because the queries must change.  The queries do not need to be changed with MySQLi.

A prepared statement is does not contain any variables.  It contains placeholders.  The SQL engine will put the "variables" in place for query execution, but these variables will not make any changes to the prepared statement.  That said, if you have a DELETE FROM...WHERE id= query and you prepare it improperly, it will still be possible for an attacker to get 3 OR 1=1 into the query engine.  All external data must be considered tainted until it has been filtered.

If you're doing a lot of queries, you might want to benchmark MySQLi against PDO. There are instances in which PDO can be slower. If you have a dozen queries needed to build a web page, it won't matter, but if there are lots of queries involved it's worth optimizing first the tables, then the queries, and then the extension.
0
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913130
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913136
You've got it.
You don't need to do anything, there is no possibility of sql injection as the data never touches the sql statement
But that doesn't preclude you from any other normal data sanitizing like HTML injection etc.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913151
Ray,
The delete you mention couldn't happen with PDO prepared statements.

@Jay
I'm biased to PDO, multi database engine whereas MySQLi is purely for MySQL only.
MySQLi can be faster (they both use the same underlying API), but weighing up the advantages of PDO those few extra millisecs don't really matter.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913156
at what amount of queries would using PDO be slower than mysqli
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 39913166
PDO would win the higher the number of queries.

In the thousands
http://jnrbsn.com/2010/06/mysqli-vs-pdo-benchmarks

In the hundreds of thousands
http://wooptoo.com/blog/pdo-vs-mysqli-performance-comparison/

Everything will depend on the setup of course.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913171
AWESOME!!

BIG BIG HELP!

THANKS A BUNCH
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What is Node.js? Node.js is a server side scripting language much like PHP or ASP but is used to implement the complete package of HTTP webserver and application framework. The difference is that Node.js’s execution engine is asynchronous and event…
A publishing tool, a Version Control System, or a Collaboration Platform! These can be some of the defining words for the two very famous web-hosting Git repositories: Bitbucket and Github. Git is widely used amongst the programmers and developers f…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question