The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!
security issues with Ajax
Hi,
Im curious if there is major issues with security when using Ajax to grab and process php scripts.
currently i use a function to grab data and replace content like so
i then use the following command to execute the function
the online users php script requested is as follows
i was worried about SQL injection in the function from the date variable and the status variable. im not sure if i need to worry about the uid var as it is a session variable which i have set upon logon. am i going about this the right way? what could i do to make this more secure. i really do not want to have SQL injection or any massive holes.
thanks in advance
Im curious if there is major issues with security when using Ajax to grab and process php scripts.
currently i use a function to grab data and replace content like so
//GRAB PHP INFO
function ajax_update_status(value){
// Get all the form data
$.ajax({
type: "POST",
url: "ajax/online_status.php?s=" + value
});
}
i then use the following command to execute the function
onclick="ajax_update_status('invisible'); return false" data-status="status-invisible"
the online users php script requested is as follows
//GET THE USERS CURRENT ONLINE SESSION STATUS AND CHANGE IT IF NESSECARY
if(isset($_GET['s']) && !empty($_GET['s'])){
//THE VARIABLE IS SET
if($_GET['s'] == 'online'){
//SET THE SESSION VARIABLE TO ONLINE
$_SESSION["online_status"] ='online';
//CHANGE THE USERS DATABASE ENTRY
online_status($_SESSION["uid"], 'online', $datetime);
}elseif($_GET['s'] == 'away'){
//SET THE SESSION VARIABLE TO AWAY
$_SESSION["online_status"] = 'away';
//CHANGE THE USERS DATABASE ENTRY
online_status($_SESSION["uid"], 'away', $datetime);
}elseif($_GET['s'] == 'invisible'){
//SET THE SESSION VARIABLE TO INVISIBLE
$_SESSION["online_status"] = 'invisible';
//CHANGE THE USERS DATABASE ENTRY
online_status($_SESSION["uid"], 'invisible', $datetime);
}
}
the function of online status is
[code]//CHANGE THE USERS DATABASE ONLINE STATUS WHEN THE USER LOGS ON
function online_status($uid, $status, $date){
global $link;
$date_clean =mysqli_real_escape_string($link,str_replace(",","-",$date));
if($status==="online" || $status==="away" || $status==="invisible" || $status==="offline"){
$sql=" UPDATE bb_users SET online_status='".$status."', online_status_time='".$date_clean."' WHERE uid='".$uid."' LIMIT 1";
mysqli_query($link, $sql) or die;
}
}
i was worried about SQL injection in the function from the date variable and the status variable. im not sure if i need to worry about the uid var as it is a session variable which i have set upon logon. am i going about this the right way? what could i do to make this more secure. i really do not want to have SQL injection or any massive holes.
thanks in advance
Who is Participating?
Thanks
i took a quick read of that link from what i understood prepared statements are faster as they are only parsed once and can be executed multiple times which is why im kind of lost
do i prepare a statement for each sql query i would like to run (the ones i reuse i typically just make a function so instead would i just prepare a statement instead?) an is the statment reusable on each page or do i have to rewrite it? any help would be GREATLY appreciated
i took a quick read of that link from what i understood prepared statements are faster as they are only parsed once and can be executed multiple times which is why im kind of lost
do i prepare a statement for each sql query i would like to run (the ones i reuse i typically just make a function so instead would i just prepare a statement instead?) an is the statment reusable on each page or do i have to rewrite it? any help would be GREATLY appreciated
Not only faster but they negate the need for sanitizing the sql input.
You can create a prepared statement that can be used multiple times on the page but you need it on every page - it only exists for the life of that php page.
You need a prepared statement for each sql that is different, it's not something you can 'share'
It just requires a small change to how you write your sql and how you execute it.
You can create a prepared statement that can be used multiple times on the page but you need it on every page - it only exists for the life of that php page.
You need a prepared statement for each sql that is different, it's not something you can 'share'
It just requires a small change to how you write your sql and how you execute it.
This article maps the MySQL, MySQLi and PDO extensions.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
This resource on my web site might be useful, too:
http://www.iconoun.com/mysql_mysqli_pdo_function_map.php
There is nothing wrong, per se, with using MySQLi as long as you understand that the query strings you create in the PHP scripts are computer programs that the SQL engine will run. Therefore when you use external data in the query strings, you're allowing someone else to decide what gets sent to the SQL engine. If you understand this and your scripts filter and escape the external data appropriately, it's fine to use MySQLi. The main advantage of using PDO is that if you enforce appropriate coding standards with PDO, even an idiot cannot write a query that will get your data base destroyed.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
This resource on my web site might be useful, too:
http://www.iconoun.com/mysql_mysqli_pdo_function_map.php
There is nothing wrong, per se, with using MySQLi as long as you understand that the query strings you create in the PHP scripts are computer programs that the SQL engine will run. Therefore when you use external data in the query strings, you're allowing someone else to decide what gets sent to the SQL engine. If you understand this and your scripts filter and escape the external data appropriately, it's fine to use MySQLi. The main advantage of using PDO is that if you enforce appropriate coding standards with PDO, even an idiot cannot write a query that will get your data base destroyed.
Thanks guys ill read over the material.
It seems like PDO is a no brainer
so just to recap (im trying to draw a comparison)
prepared statement is just like a variable containing a "string"
until it is executed and then it becomes a full SQL query?
It seems like PDO is a no brainer
so just to recap (im trying to draw a comparison)
prepared statement is just like a variable containing a "string"
until it is executed and then it becomes a full SQL query?
Ermm no.
When you create a prepared statement it is sent to MySQL and then MySQL waits for the data to fill in the 'blanks'. MySQL remembers the statement (for the duration of the page request) and that is why you only need to declare it once. Then you just push the data to MySQL, doesn't matter if you are only executing the query once or a hundred times all you are giving to MySQL is the values to insert/select etc.
This is why it is safe from sql injection as the data is separate from the sql statement itself.
When you create a prepared statement it is sent to MySQL and then MySQL waits for the data to fill in the 'blanks'. MySQL remembers the statement (for the duration of the page request) and that is why you only need to declare it once. Then you just push the data to MySQL, doesn't matter if you are only executing the query once or a hundred times all you are giving to MySQL is the values to insert/select etc.
This is why it is safe from sql injection as the data is separate from the sql statement itself.
OIC
that paints a lot clearer picture.
So im preparing the statement which is effectively the commands i want without the values/inputs and then SQL holds this command
then when i get the values/inputs i send it up to SQL and it interprets it and relays me the results
does this sound somewhat correct?
my next questions would be- do i need to do anything to the values such as real escape string or anything?
that paints a lot clearer picture.
So im preparing the statement which is effectively the commands i want without the values/inputs and then SQL holds this command
then when i get the values/inputs i send it up to SQL and it interprets it and relays me the results
does this sound somewhat correct?
my next questions would be- do i need to do anything to the values such as real escape string or anything?
If you're converting a script from the familiar but obsolete MySQL you will find there is more work to do with PDO, because the queries must change. The queries do not need to be changed with MySQLi.
A prepared statement is does not contain any variables. It contains placeholders. The SQL engine will put the "variables" in place for query execution, but these variables will not make any changes to the prepared statement. That said, if you have a DELETE FROM...WHERE id= query and you prepare it improperly, it will still be possible for an attacker to get 3 OR 1=1 into the query engine. All external data must be considered tainted until it has been filtered.
If you're doing a lot of queries, you might want to benchmark MySQLi against PDO. There are instances in which PDO can be slower. If you have a dozen queries needed to build a web page, it won't matter, but if there are lots of queries involved it's worth optimizing first the tables, then the queries, and then the extension.
A prepared statement is does not contain any variables. It contains placeholders. The SQL engine will put the "variables" in place for query execution, but these variables will not make any changes to the prepared statement. That said, if you have a DELETE FROM...WHERE id= query and you prepare it improperly, it will still be possible for an attacker to get 3 OR 1=1 into the query engine. All external data must be considered tainted until it has been filtered.
If you're doing a lot of queries, you might want to benchmark MySQLi against PDO. There are instances in which PDO can be slower. If you have a dozen queries needed to build a web page, it won't matter, but if there are lots of queries involved it's worth optimizing first the tables, then the queries, and then the extension.
my next questions would be...It's all in here:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
You've got it.
You don't need to do anything, there is no possibility of sql injection as the data never touches the sql statement
But that doesn't preclude you from any other normal data sanitizing like HTML injection etc.
You don't need to do anything, there is no possibility of sql injection as the data never touches the sql statement
But that doesn't preclude you from any other normal data sanitizing like HTML injection etc.
Ray,
The delete you mention couldn't happen with PDO prepared statements.
@Jay
I'm biased to PDO, multi database engine whereas MySQLi is purely for MySQL only.
MySQLi can be faster (they both use the same underlying API), but weighing up the advantages of PDO those few extra millisecs don't really matter.
The delete you mention couldn't happen with PDO prepared statements.
@Jay
I'm biased to PDO, multi database engine whereas MySQLi is purely for MySQL only.
MySQLi can be faster (they both use the same underlying API), but weighing up the advantages of PDO those few extra millisecs don't really matter.
PDO would win the higher the number of queries.
In the thousands
http://jnrbsn.com/2010/06/mysqli-vs-pdo-benchmarks
In the hundreds of thousands
http://wooptoo.com/blog/pdo-vs-mysqli-performance-comparison/
Everything will depend on the setup of course.
In the thousands
http://jnrbsn.com/2010/06/mysqli-vs-pdo-benchmarks
In the hundreds of thousands
http://wooptoo.com/blog/pdo-vs-mysqli-performance-comparison/
Everything will depend on the setup of course.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month7 days, 18 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
Everything else is fine.