Solved

protecting json call

Posted on 2015-02-23
Last Modified: 2015-03-29
I am using DataTables to present data. I am using the following code:

```javascript
var editorUsers = new $.fn.dataTable.Editor( {
    ajax: "lib/getUsers.php",
    table: "#usertable",
    // (remaining options omitted in the post)
} );
```

and then getUsers.php has this code:

```php
<?php
/*
 * Editor server script for DB table usertable
 * Created by http://editor.datatables.net/generator
 */
$myPath = dirname(__FILE__);
// DataTables PHP library and database connection
include( "../../DataTables/Editor/php/DataTables.php" );

// Alias Editor classes so they are easy to use
use
	DataTables\Editor,
	DataTables\Editor\Field,
	DataTables\Editor\Format,
	DataTables\Editor\Join,
	DataTables\Editor\Validate;


// Build our Editor instance and process the data coming from _POST
Editor::inst( $db, 'usertable', 'uid' )
	->fields(
		Field::inst( 'uid' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'FirstName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'LastName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isAdmin' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isSupervisor' )->validator( 'Validate::notEmpty' )
	)
	->process( $_POST )
	->json();
?>
```


Now, I find that if I navigate to getUsers.php manually it will return a list of users. I have tried to Google a solution for how to protect the JSON data, but I don't understand how to implement what is suggested.

Can someone please help me edit my code to make it secure?

Thanks in advance.
Question by:UniqueData
5 Comments
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40627295
You could implement some kind of login system and then in your php you could check if the user is logged in before returning any results. I'm not too familiar with php systems that manage credentials so I can't offer any specific methods but I would be willing to help interpret any methods you have already found.
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40627904
You can try a couple of things, either of which can be workable - it's up to your unique application requirements which you would use.

1. Use the PHP session or a cookie to provide a level of authentication.  If the session or cookie is not present, return an error object instead of the live data.  To use the PHP session, your calling script would need to start the session and load it with the credentials that are checked in the server-side datatables script.  To use the cookie, either PHP or JavaScript could set the cookie, but if you set the cookie in JavaScript, its settings will be apparent to inquiring eyes.  That may or may not be what you want.

2. Make the request via POST instead of GET.  Looking at line 28 in the second snippet, I'm not sure what I am seeing, but the different HTTP protocols offer you a way to provide different responses to GET and POST requests.  A browser that addresses the URL of the server-side script will make a GET request, so if your script only responds to POST, the GET requests will not return data.
 
LVL 34

Expert Comment

by:Slick812
ID: 40628526
Hello UniqueData, I do not see any code in that PHP segment that seems related to making it specifically for an AJAX return response, except for the JSON at `->json();`.

First you MUST check to see if there is any $_POST content, and if $_POST has no content, then return an error web page, with the <!doctype html> and the <html> as a web page, not an Ajax response, because you say "if I navigate to getUsers.php manually"; you need to show a page as a server error, maybe like:
    "Server Error as no Response, error code:  vsp173"
Do not say exactly what the error was, as this helps hackers to know how your page is set up.
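The two suggestions in this thread (a session check, per Ray Paseur, and refusing requests that are not POST, per Ray Paseur and Slick812) can be combined into a small gate at the top of getUsers.php. The following is an added example, not the asker's code and not part of the DataTables Editor library; it assumes the login script calls `session_start()` and stores the logged-in user's id in `$_SESSION['user_id']`, and the function names `checkRequest` and `requireAuthenticatedPost` are the example's own. It returns a JSON error object rather than an HTML page, because the Editor client parses the reply as JSON and will display the `error` member to the user.

```php
<?php
// Added example, not the asker's code nor part of the DataTables Editor library.
// Place these lines in getUsers.php above the include() of DataTables.php so
// the gate runs before Editor::inst() touches the database. It combines the
// thread's two suggestions: reject non-POST requests (a browser typing the URL
// into the address bar sends GET) and reject requests with no authenticated
// PHP session.
// Assumptions: the login script calls session_start() and stores the
// logged-in user's id in $_SESSION['user_id'].

session_start();

/**
 * Decide whether a request may proceed.
 * Returns null to allow it, or array(status, body) describing the refusal.
 * Pure function (no globals) so it can be exercised from a test script.
 */
function checkRequest($method, array $session)
{
    // 1. Method gate: Editor's client sends POST, an address-bar visit sends GET.
    //    This alone is NOT access control, since any HTTP client can send POST;
    //    it only stops casual browsing of the endpoint.
    if ($method !== 'POST') {
        return array(405, array('error' => 'Method not allowed'));
    }

    // 2. Authentication gate: only a user whose login populated the session
    //    may read or modify the user table.
    if (empty($session['user_id'])) {
        return array(401, array('error' => 'Not authenticated'));
    }

    return null;
}

function requireAuthenticatedPost()
{
    $method  = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    $refusal = checkRequest($method, $_SESSION);
    if ($refusal === null) {
        return; // allowed: fall through to the Editor code below
    }

    list($status, $body) = $refusal;
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    // A generic message: Editor displays the "error" member to the user, and
    // it reveals nothing about how the endpoint or the database is set up.
    echo json_encode($body);
    exit;
}

requireAuthenticatedPost();

// The original Editor::inst( $db, 'usertable', 'uid' ) ... ->process( $_POST )->json()
// code from the question follows unchanged from this point.
```

The JavaScript side needs no change for the session check, since the browser sends the PHP session cookie with Editor's XHR automatically. The method gate does require that the DataTable's own data load also use POST (for example `ajax: { url: "lib/getUsers.php", type: "POST" }`), because DataTables fetches rows with GET by default and would otherwise be refused along with the address-bar visitor.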
 
LVL 7

Author Comment

by:UniqueData
ID: 40657930
Line 28 in my code above says it is POST. That doesn't do the trick?
 
LVL 34

Accepted Solution

by:Slick812 (earned 500 total points)
ID: 40659721
Since the `->process( $_POST )` is already in your code, that is not a solution for your problem.
I am not very sure what $_POST is sent up from the DataTables. You use someone else's code, and I am not sure what that code does; perhaps you can get in touch with whoever wrote that code to learn of a solution?