Solved

protecting json call

Posted on 2015-02-23
Last Modified: 2015-03-29
I am using DataTables to present data. I am using the following code:

          var editorUsers = new $.fn.dataTable.Editor( {
            ajax: "lib/getUsers.php",
            table: "#usertable",
            // ... remaining Editor options as in the generated script ...
          } );


and then getUsers.php has this code:
<?php
 /*
 * Editor server script for DB table usertable
 * Created by http://editor.datatables.net/generator
 */
$myPath = dirname(__FILE__);
// DataTables PHP library and database connection
include( "../../DataTables/Editor/php/DataTables.php" );

// Alias Editor classes so they are easy to use
use
	DataTables\Editor,
	DataTables\Editor\Field,
	DataTables\Editor\Format,
	DataTables\Editor\Join,
	DataTables\Editor\Validate;


// Build our Editor instance and process the data coming from _POST
Editor::inst( $db, 'usertable', 'uid' )
	->fields(
		Field::inst( 'uid' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'FirstName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'LastName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isAdmin' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isSupervisor' )->validator( 'Validate::notEmpty' )
	)
	->process( $_POST )
	->json();
?>

Now, I find that if I navigate to getUsers.php manually, it returns a list of users. I have tried to Google a solution for how to protect the JSON data, but I don't understand how to implement what is suggested.

Can someone please help me edit my code to make it secure?

Thanks in advance.
Question by: UniqueData

5 Comments

Expert Comment by: OriNetworks (ID: 40627295)
You could implement some kind of login system, and then in your PHP you could check whether the user is logged in before returning any results. I'm not too familiar with PHP systems that manage credentials, so I can't offer any specific methods, but I would be willing to help interpret any methods you have already found.

Expert Comment by: Ray Paseur (ID: 40627904)
You can try a couple of things, either of which can be workable; it's up to your unique application requirements which you would use.

1. Use the PHP session or a cookie to provide a level of authentication. If the session or cookie is not present, return an error object instead of the live data. To use the PHP session, your calling script would need to start the session and load it with the credentials that are checked in the server-side DataTables script. To use the cookie, either PHP or JavaScript could set the cookie, but if you set the cookie in JavaScript, its settings will be apparent to inquiring eyes. That may or may not be what you want.

2. Make the request via POST instead of GET. Looking at line 28 in the second snippet, I'm not sure what I am seeing, but the different HTTP methods offer you a way to provide different responses to GET and POST requests. A browser that addresses the URL of the server-side script will make a GET request, so if your script only responds to POST, the GET requests will not return data.

Expert Comment by: Slick812 (ID: 40628526)
Hello UniqueData, I do not see any code in that PHP segment that seems related to making it specifically for an AJAX return response, except for the JSON at ->json();.

First you MUST check to see if there is any $_POST content, and if $_POST has no content, then return an error web page, with the <!doctype html> and the <html> as a web page, not an AJAX response, because you say "if I navigate to getUsers.php manually". You need to show a page as a server error, maybe like
    "Server Error as no Response, error code:  vsp173"
Do not say exactly what the error was, as this helps hackers to know how your page is set up.

Author Comment by: UniqueData (ID: 40657930)
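The two suggestions above (Ray Paseur's session check plus POST-only handling, and Slick812's "refuse requests that are not the AJAX call" guard) combine into a short block placed at the top of getUsers.php, before Editor::inst(). The code below is an added example and is not from the original post or from the DataTables project. It assumes the login script has already verified the user's password and stored $_SESSION['uid'] and $_SESSION['isAdmin'] (both assumed key names); the error is returned as a JSON object, which the Editor client displays, rather than as an HTML page, but either works for the browser-typed-URL case. The POST check on its own is only a nuisance to a curious user (curl -X POST gets past it); the session check is the control that actually protects the data, and the action check matters because the isAdmin and isSupervisor columns are writable through this same endpoint.

```php
<?php
/*
 * Added example, not code from the original post or the DataTables project.
 * Guard block for getUsers.php; the Editor::inst(...) call from the question
 * goes after it unchanged. Assumed: the login page has set $_SESSION['uid']
 * and $_SESSION['isAdmin'] (assumed key names) after checking the password.
 */
session_start();

// Send a JSON error object and stop. Editor shows the `error` string to the
// user; `data` is kept as an empty array so DataTables does not choke on a
// missing field when the response is a table load.
function denyRequest($status, $message)
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(array('error' => $message, 'data' => array()));
    exit;
}

// 1. Refuse anything but POST. Typing the URL into the address bar is a GET,
//    so this stops casual browsing only; anyone with curl can send a POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    denyRequest(405, 'POST required');
}

// 2. Require a logged-in session. This is the real access control: without
//    it every visitor, POST or not, can read the whole user table.
if (empty($_SESSION['uid'])) {
    denyRequest(401, 'Login required');
}

// 3. Editor sends 'create', 'edit' or 'remove' in $_POST['action']; a plain
//    table load sends no action. Since isAdmin and isSupervisor are editable
//    through this endpoint, only administrators may change rows.
if (isset($_POST['action']) && empty($_SESSION['isAdmin'])) {
    denyRequest(403, 'Administrator rights required');
}

// Original code from the question continues here unchanged:
// include( "../../DataTables/Editor/php/DataTables.php" );
// Editor::inst( $db, 'usertable', 'uid' ) ... ->process( $_POST )->json();
```

One client-side change is needed for step 1: DataTables loads the table with a GET by default, so the table's own ajax option must be written as `ajax: { url: "lib/getUsers.php", type: "POST" }` (Editor's create/edit/remove submissions are already POST). Keep the error messages generic, as Slick812 says; the HTTP status code tells your own JavaScript what happened without telling a visitor how the check is built.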
Line 28 in my code above says it is POST. That doesn't do the trick?

Accepted Solution by: Slick812 (earned 500 total points; ID: 40659721)
Since the   ->process( $_POST )   is already in your code, that is not a solution for your problem.
I am not very sure what $_POST is sent up from DataTables. You use someone else's code, and I am not sure what that code does; perhaps you can get in touch with whoever wrote that code to learn of a solution?