Solved

protecting json call

Posted on 2015-02-23
Last Modified: 2015-03-29
I am using DataTables to present data.  I am using the following code:
          var editorUsers = new $.fn.dataTable.Editor( {
            ajax: "lib/getUsers.php",
            table: "#usertable"
            // remaining Editor options omitted in the snippet as posted
          } );

and then getUsers.php has this code:
<?php
 /*
 * Editor server script for DB table usertable
 * Created by http://editor.datatables.net/generator
 */
$myPath = dirname(__FILE__);
// DataTables PHP library and database connection
include( "../../DataTables/Editor/php/DataTables.php" );

// Alias Editor classes so they are easy to use
use
	DataTables\Editor,
	DataTables\Editor\Field,
	DataTables\Editor\Format,
	DataTables\Editor\Join,
	DataTables\Editor\Validate;


// Build our Editor instance and process the data coming from _POST
Editor::inst( $db, 'usertable', 'uid' )
	->fields(
		Field::inst( 'uid' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'FirstName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'LastName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isAdmin' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isSupervisor' )->validator( 'Validate::notEmpty' )
	)
	->process( $_POST )
	->json();
?>

now, I find if I navigate to getUsers.php manually it will return a list of users. I have tried to google the solution on how to protect the json data but I don't understand how to implement what is suggested.

Can someone please help me edit my code to make it secure?

Thanks in advance.
Question by:UniqueData
5 Comments
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40627295
You could implement some kind of login system and then in your php you could check if the user is logged in before returning any results. I'm not too familiar with php systems that manage credentials so I can't offer any specific methods but I would be willing to help interpret any methods you have already found.
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40627904
You can try a couple of things, either of which can be workable - it's up to your unique application requirements which you would use.

1. Use the PHP session or a cookie to provide a level of authentication.  If the session or cookie is not present, return an error object instead of the live data.  To use the PHP session, your calling script would need to start the session and load it with the credentials that are checked in the server-side datatables script.  To use the cookie, either PHP or JavaScript could set the cookie, but if you set the cookie in JavaScript, its settings will be apparent to inquiring eyes.  That may or may not be what you want.

2. Make the request via POST instead of GET.  Looking at line 28 in the second snippet, I'm not sure what I am seeing, but the different HTTP protocols offer you a way to provide different responses to GET and POST requests.  A browser that addresses the URL of the server-side script will make a GET request, so if your script only responds to POST, the GET requests will not return data.
 
LVL 33

Expert Comment

by:Slick812
ID: 40628526
hello UniqueData, I do not see any code in that PHP segment that seems related to making it specifically for an AJAX return response, except for the JSON at  ->json(); .

First you MUST check to see if there is any $_POST content, and if the $_POST has no content, then return an error web page, with the <!doctype html> and the <html> as a web page, not an Ajax response, because you say - "if I navigate to getUsers.php manually", you need to show a page as a server error, maybe like -
    "Server Error as no Response, error code:  vsp173"
do not say exactly what the error was, as this helps hackers to know how your page is set up.
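The two suggestions above (Ray Paseur's session/POST checks and Slick812's "refuse an empty $_POST" check) can be combined into one guard placed at the top of getUsers.php, before the Editor::inst(...)->process($_POST) call. This is an added example, not code from the thread or from the DataTables project. It assumes the application's own login page stores the authenticated user's id in $_SESSION['uid'] and an admin flag in $_SESSION['isAdmin'] (both hypothetical keys; rename to match your login code). It replies with a JSON object carrying an "error" member rather than an HTML page, because that is the shape the Editor client parses and displays; a person who types the URL into a browser sees only that short error. The "action" parameter (create/edit/remove) is what the Editor client sends with every write request.

```php
<?php
// Added example: access guard for getUsers.php (not the thread's or DataTables' code).
// Assumed session keys: $_SESSION['uid'] and $_SESSION['isAdmin'], set by your login page.

session_start();

// Reply in the form the Editor client understands: a JSON object with an
// "error" string and no "data" rows, then stop before any rows are read.
function deny_editor_request($message, $status)
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(array('error' => $message));
    exit;
}

// 1. Only respond to POST. A browser that addresses the URL sends GET, and
//    Editor's process() treats a request with no action as a plain read,
//    which is why the bare URL returned the whole user list.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny_editor_request('Method not allowed', 405);
}

// 2. Refuse a POST that carries no body at all (Slick812's check). A GET is
//    already rejected above, so this only catches malformed POSTs.
if (empty($_POST)) {
    deny_editor_request('Bad request', 400);
}

// 3. Require a session established by the login page (Ray Paseur's check).
//    Without this, any client that can POST can still read every row.
if (empty($_SESSION['uid'])) {
    deny_editor_request('Not logged in', 401);
}

// 4. Least privilege: anyone logged in may read, but only admins may create,
//    edit or remove rows. Editor sends the action name in $_POST['action'].
$write_actions = array('create', 'edit', 'remove');
if (isset($_POST['action'])
    && in_array($_POST['action'], $write_actions, true)
    && empty($_SESSION['isAdmin'])) {
    deny_editor_request('Not authorised', 403);
}

// The existing Editor::inst( $db, 'usertable', 'uid' ) ... ->json() follows here.
```

The error message is deliberately generic, as Slick812 recommends; the HTTP status code is enough for your own debugging. Note that the guard only works if the login page actually populates the session, and that checking ->process( $_POST ) alone does nothing, since Editor reads $_POST but never refuses a request for lacking it.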
 
LVL 7

Author Comment

by:UniqueData
ID: 40657930
Line 28 in my code above says it is POST.  That doesn't do the trick?
 
LVL 33

Accepted Solution

by:
Slick812 earned 500 total points
ID: 40659721
Since the   ->process( $_POST )   is already in your code, that is not a solution for your problem.
I am not very sure what $_POST is sent up from the datatables. You use someone else's code, and I am not sure what that code does; perhaps you can get in touch with whoever wrote that code to learn of a solution?