UniqueData asked:

protecting json call

I am using DataTables to present data.  I am using the following code:
          // Editor instance; edits are POSTed to lib/getUsers.php
          var editorUsers = new $.fn.dataTable.Editor( {
            ajax: "lib/getUsers.php",
            table: "#usertable"
          } );


and then getUsers.php has this code:
<?php
 /*
 * Editor server script for DB table usertable
 * Created by http://editor.datatables.net/generator
 */
$myPath = dirname(__FILE__);
// DataTables PHP library and database connection
include( "../../DataTables/Editor/php/DataTables.php" );

// Alias Editor classes so they are easy to use
use
	DataTables\Editor,
	DataTables\Editor\Field,
	DataTables\Editor\Format,
	DataTables\Editor\Join,
	DataTables\Editor\Validate;


// Build our Editor instance and process the data coming from _POST
Editor::inst( $db, 'usertable', 'uid' )
	->fields(
		Field::inst( 'uid' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'FirstName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'LastName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isAdmin' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isSupervisor' )->validator( 'Validate::notEmpty' )
	)
	->process( $_POST )
	->json();
?>


Now I find that if I navigate to getUsers.php manually, it returns a list of users. I have tried to Google a solution for protecting the JSON data, but I don't understand how to implement what is suggested.

Can someone please help me edit my code to make it secure?

Thanks in advance.
OriNetworks:

You could implement some kind of login system and then in your php you could check if the user is logged in before returning any results. I'm not too familiar with php systems that manage credentials so I can't offer any specific methods but I would be willing to help interpret any methods you have already found.
You can try a couple of things, either of which can be workable; it's up to your unique application requirements which one you use.

1. Use the PHP session or a cookie to provide a level of authentication.  If the session or cookie is not present, return an error object instead of the live data.  To use the PHP session, your calling script would need to start the session and load it with the credentials that are checked in the server-side DataTables script.  To use the cookie, either PHP or JavaScript could set the cookie, but if you set the cookie in JavaScript, its settings will be apparent to inquiring eyes.  That may or may not be what you want.

2. Make the request via POST instead of GET.  Looking at line 28 in the second snippet, I'm not sure what I am seeing, but the different HTTP methods offer you a way to provide different responses to GET and POST requests.  A browser that addresses the URL of the server-side script will make a GET request, so if your script only responds to POST, the GET requests will not return data.
Hello UniqueData, I do not see any code in that PHP segment that seems related to making it specifically an AJAX response, except for the JSON at ->json();.

First you MUST check to see if there is any $_POST content, and if $_POST has no content, then return an error web page, with the <!doctype html> and the <html> as a web page, not an AJAX response, because you say "if I navigate to getUsers.php manually". You need to show a page as a server error, maybe like:
    "Server Error as no Response, error code:  vsp173"
Do not say exactly what the error was, as this helps hackers learn how your page is set up.
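The two checks described in the answers above (a POST-only gate and a session check in front of the Editor call), as an added example that is not the asker's code or the DataTables project's own. It assumes the login page already called session_start() and stored $_SESSION['uid'] (hypothetical key name) after verifying credentials, and that the table's own ajax option sends POST.

```php
<?php
// Added example (not the asker's code or the DataTables project's own): the
// getUsers.php above with the two gates the answers describe. Assumes the
// login page already called session_start() and stored $_SESSION['uid']
// after a successful credential check (hypothetical session key name).

session_start();

// Gate 1: a browser typing the URL sends GET, while Editor and the table can
// be told to POST. Anything that is not a POST carrying form data gets a plain
// HTML error page with no detail about how the script works (the error code
// string is the one suggested in the answer above).
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_POST)) {
    http_response_code(405);
    header('Content-Type: text/html; charset=utf-8');
    echo "<!doctype html><html><body>Server Error, error code: vsp173</body></html>";
    exit;
}

// Gate 2: only a logged-in session may read or edit the user table. Because
// reads and edits both go through process(), this one check covers both.
// Return an Editor-style error object instead of the live rows.
if (empty($_SESSION['uid'])) {
    http_response_code(401);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(array('data' => array(), 'error' => 'Not authorised'));
    exit;
}

// Only after both gates pass do we load the library and open the database.
include( "../../DataTables/Editor/php/DataTables.php" );

use
	DataTables\Editor,
	DataTables\Editor\Field,
	DataTables\Editor\Validate;

Editor::inst( $db, 'usertable', 'uid' )
	->fields(
		Field::inst( 'uid' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'FirstName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'LastName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isAdmin' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isSupervisor' )->validator( 'Validate::notEmpty' )
	)
	->process( $_POST )
	->json();
```

With the first gate in place, the DataTable's own data load must also send POST (ajax: { url: "lib/getUsers.php", type: "POST" }), otherwise the initial table load is refused along with the manual GET.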
UniqueData (ASKER):

Line 28 in my code above says it is POST. Doesn't that do the trick?
ASKER CERTIFIED SOLUTION (Member_2_248744)