Solved

security issues with Ajax

Posted on 2014-03-07
14
273 Views
Last Modified: 2014-03-07
Hi,

Im curious if there is major issues with security when using Ajax to grab and process php scripts.
currently i use a function to grab data and replace content like so
//GRAB PHP INFO
function ajax_update_status(value){
	   // Get all the form data 
	   $.ajax({
         type: "POST",
         url: "ajax/online_status.php?s=" + value
		 
    	});
	 
}
	 

Open in new window


i then use the following command to execute the function

onclick="ajax_update_status('invisible'); return false" data-status="status-invisible"

Open in new window


the online users php script requested is as follows

//GET THE USERS CURRENT ONLINE SESSION STATUS AND CHANGE IT IF NESSECARY

if(isset($_GET['s']) && !empty($_GET['s'])){
	
	//THE VARIABLE IS SET
	if($_GET['s'] == 'online'){
		//SET THE SESSION VARIABLE TO ONLINE
		$_SESSION["online_status"] ='online';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'online', $datetime);
		
	}elseif($_GET['s'] == 'away'){
		//SET THE SESSION VARIABLE TO AWAY
		$_SESSION["online_status"] = 'away';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'away', $datetime);
		
	}elseif($_GET['s'] == 'invisible'){ 
		//SET THE SESSION VARIABLE TO INVISIBLE
		$_SESSION["online_status"] = 'invisible';
		
		//CHANGE THE USERS DATABASE ENTRY
		online_status($_SESSION["uid"], 'invisible', $datetime);
		
	}
}

the function of  online status is 

[code]//CHANGE THE USERS DATABASE ONLINE STATUS WHEN THE USER LOGS ON
function online_status($uid, $status, $date){
	global $link;
	$date_clean =mysqli_real_escape_string($link,str_replace(",","-",$date));
	if($status==="online" || $status==="away" || $status==="invisible" || $status==="offline"){
		$sql=" UPDATE bb_users SET online_status='".$status."', online_status_time='".$date_clean."' WHERE uid='".$uid."' LIMIT 1";	
		mysqli_query($link, $sql) or die;
	}
}

Open in new window


i was worried about SQL injection in the function from the date variable and the status variable. im not sure if i need to worry about the uid var as it is a session variable which i have set upon logon. am i going about this the right way? what could i do to make this more secure. i really do not want to have SQL injection or any massive holes.

thanks in advance
0
Comment
Question by:M. Jayme Nagy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 3
14 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 39912950
You should be binding the columns or using placeholders. You are executing your sql the old way
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
Everything else is fine.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913004
Thanks

i took a quick read of that link from what i understood prepared statements are faster as they are only parsed once and can be executed multiple times which is why im kind of lost

do i prepare a statement for each sql query i would like to run (the ones i reuse i typically just make a function so instead would i just prepare a statement instead?) an is the statment reusable on each page or do i have to rewrite it? any help would be GREATLY appreciated
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913024
Not only faster but they negate the need for sanitizing the sql input.
You can create a prepared statement that can be used multiple times on the page but you need it on every page - it only exists for the life of that php page.
You need a prepared statement for each sql that is different, it's not something you can 'share'

It just requires a small change to how you write your sql and how you execute it.
0
Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913034
This article maps the MySQL, MySQLi and PDO extensions.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html

This resource on my web site might be useful, too:
http://www.iconoun.com/mysql_mysqli_pdo_function_map.php

There is nothing wrong, per se, with using MySQLi as long as you understand that the query strings you create in the PHP scripts are computer programs that the SQL engine will run.  Therefore when you use external data in the query strings, you're allowing someone else to decide what gets sent to the SQL engine.  If you understand this and your scripts filter and escape the external data appropriately, it's fine to use MySQLi.  The main advantage of using PDO is that if you enforce appropriate coding standards with PDO, even an idiot cannot write a query that will get your data base destroyed.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913047
Thanks guys ill read over the material.

It seems like PDO is a no brainer

so just to recap (im trying to draw a comparison)

prepared statement is just like a variable containing a "string"

until it is executed and then it becomes a full SQL query?
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 39913060
Ermm no.
When you create a prepared statement it is sent to MySQL and then MySQL waits for the data to fill in the 'blanks'.  MySQL remembers the statement (for the duration of the page request) and that is why you only need to declare it once.  Then you just push the data to MySQL, doesn't matter if you are only executing the query once or a hundred times all you are giving to MySQL is the values to insert/select etc.
This is why it is safe from sql injection as the data is separate from the sql statement itself.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913119
OIC

that paints a lot clearer picture.

So im preparing the statement which is effectively the commands i want without the values/inputs and then SQL holds this command

then when i get the values/inputs i send it up to SQL and it interprets it and relays me the results

does this sound somewhat correct?


my next questions would be- do i need to do anything to the values such as  real escape string or anything?
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913129
If you're converting a script from the familiar but obsolete MySQL you will find there is more work to do with PDO, because the queries must change.  The queries do not need to be changed with MySQLi.

A prepared statement is does not contain any variables.  It contains placeholders.  The SQL engine will put the "variables" in place for query execution, but these variables will not make any changes to the prepared statement.  That said, if you have a DELETE FROM...WHERE id= query and you prepare it improperly, it will still be possible for an attacker to get 3 OR 1=1 into the query engine.  All external data must be considered tainted until it has been filtered.

If you're doing a lot of queries, you might want to benchmark MySQLi against PDO. There are instances in which PDO can be slower. If you have a dozen queries needed to build a web page, it won't matter, but if there are lots of queries involved it's worth optimizing first the tables, then the queries, and then the extension.
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 39913130
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913136
You've got it.
You don't need to do anything, there is no possibility of sql injection as the data never touches the sql statement
But that doesn't preclude you from any other normal data sanitizing like HTML injection etc.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39913151
Ray,
The delete you mention couldn't happen with PDO prepared statements.

@Jay
I'm biased to PDO, multi database engine whereas MySQLi is purely for MySQL only.
MySQLi can be faster (they both use the same underlying API), but weighing up the advantages of PDO those few extra millisecs don't really matter.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913156
at what amount of queries would using PDO be slower than mysqli
0
 
LVL 58

Assisted Solution

by:Gary
Gary earned 250 total points
ID: 39913166
PDO would win the higher the number of queries.

In the thousands
http://jnrbsn.com/2010/06/mysqli-vs-pdo-benchmarks

In the hundreds of thousands
http://wooptoo.com/blog/pdo-vs-mysqli-performance-comparison/

Everything will depend on the setup of course.
0
 
LVL 6

Author Comment

by:M. Jayme Nagy
ID: 39913171
AWESOME!!

BIG BIG HELP!

THANKS A BUNCH
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A publishing tool, a Version Control System, or a Collaboration Platform! These can be some of the defining words for the two very famous web-hosting Git repositories: Bitbucket and Github. Git is widely used amongst the programmers and developers f…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question