protecting json call

I am using DataTables to present data.  I am using the following code:
          // Editor sends its create/edit/remove requests (and DataTables its reads) to this URL
          var editorUsers = new $.fn.dataTable.Editor( {
            ajax: "lib/getUsers.php",
            table: "#usertable"
            // remaining Editor options were not included in the post
          } );


and then getUsers.php has this code:
<?php
/*
 * Editor server script for DB table usertable
 * Created by
 */
$myPath = dirname(__FILE__);

// DataTables PHP library and database connection
include( "../../DataTables/Editor/php/DataTables.php" );

// Alias Editor classes so they are easy to use
use
	DataTables\Editor,
	DataTables\Editor\Field,
	DataTables\Editor\Validate;

// Build our Editor instance and process the data coming from _POST
Editor::inst( $db, 'usertable', 'uid' )
	->fields(
		Field::inst( 'uid' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'FirstName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'LastName' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isAdmin' )->validator( 'Validate::notEmpty' ),
		Field::inst( 'isSupervisor' )->validator( 'Validate::notEmpty' )
	)
	->process( $_POST )
	->json();


Now, I find that if I navigate to getUsers.php manually it will return a list of users. I have tried to Google a solution for how to protect the JSON data, but I don't understand how to implement what is suggested.

Can someone please help me edit my code to make it secure?

Thanks in advance.
Slick812 Commented:
Since ->process( $_POST ) is already in your code, that is not a solution for your problem.
I am not very sure what $_POST is sent up from DataTables. You use someone else's code, and I am not sure what that code does; perhaps you can get in touch with whoever wrote that code to learn of a solution?
You could implement some kind of login system and then in your PHP you could check if the user is logged in before returning any results. I'm not too familiar with PHP systems that manage credentials, so I can't offer any specific methods, but I would be willing to help interpret any methods you have already found.
Ray Paseur Commented:
You can try a couple of things, either of which can be workable - it's up to your unique application requirements which you would use.

1. Use the PHP session or a cookie to provide a level of authentication.  If the session or cookie is not present, return an error object instead of the live data.  To use the PHP session, your calling script would need to start the session and load it with the credentials that are checked in the server-side datatables script.  To use the cookie, either PHP or JavaScript could set the cookie, but if you set the cookie in JavaScript, its settings will be apparent to inquiring eyes.  That may or may not be what you want.

2. Make the request via POST instead of GET.  Looking at line 28 in the second snippet, I'm not sure what I am seeing, but the different HTTP protocols offer you a way to provide different responses to GET and POST requests.  A browser that addresses the URL of the server-side script will make a GET request, so if your script only responds to POST, the GET requests will not return data.
Slick812 Commented:
Hello UniqueData, I do not see any code in that PHP segment that seems related to making it specifically for an AJAX return response, except for the JSON at ->json(); .

First you MUST check to see if there is any $_POST content, and if $_POST has no content, then return an error web page, with the <!doctype html> and the <html> as a web page, not an AJAX response, because you say "if I navigate to getUsers.php manually": you need to show a page as a server error, maybe like
    "Server Error as no Response, error code:  vsp173"
Do not say exactly what the error was, as this helps hackers to know how your page is set up.
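The two answers above (Ray Paseur's session check plus POST-only handling, and Slick812's "check $_POST first and return a generic error") combine into one gate placed at the top of getUsers.php, before the Editor::inst() chain. The following is an added example written for this thread; it is neither the asker's file nor part of the DataTables Editor library. It assumes a separate login script has already verified the user's credentials and stored $_SESSION['user_id'] (and $_SESSION['is_admin']); the helper denyRequest() and the session key names are hypothetical, and the reading of Editor's action parameter is an assumption about the Editor client-server convention that should be checked against the library version in use.

```php
<?php
// Added example: an access gate for the top of getUsers.php, before Editor::inst().
// It is not the asker's code and not part of the DataTables Editor library.
// Assumed: a login script has already set $_SESSION['user_id'] (and
// $_SESSION['is_admin']) after checking the user's credentials.

session_start();

/**
 * Log the refused request for the server admin, send a generic JSON error
 * that the Editor client displays in its form, and stop the script.
 * The message never says which check failed.
 * (Hypothetical helper written for this example, not an Editor API.)
 */
function denyRequest( $httpStatus, $reason )
{
    error_log( sprintf( 'getUsers.php refused (%s) from %s via %s',
        $reason, $_SERVER['REMOTE_ADDR'], $_SERVER['REQUEST_METHOD'] ) );
    http_response_code( $httpStatus );
    header( 'Content-Type: application/json; charset=utf-8' );
    echo json_encode( array( 'error' => 'Request not permitted', 'data' => array() ) );
    exit;
}

// Check 1: the Editor client POSTs; a browser typing the URL sends GET.
// This only stops casual browsing. Any HTTP client can send a POST,
// so on its own it is not authentication.
if ( $_SERVER['REQUEST_METHOD'] !== 'POST' ) {
    denyRequest( 405, 'method' );
}

// Check 2 (the real control): a session populated by the login script.
if ( empty( $_SESSION['user_id'] ) ) {
    denyRequest( 403, 'no session' );
}

// Check 3: Editor sends action=create|edit|remove for writes and no action
// for a plain table load (assumption about Editor's client-server convention).
// Let every logged-in user read, but only admins change rows.
$action = isset( $_POST['action'] ) ? $_POST['action'] : 'read';
if ( $action !== 'read' && empty( $_SESSION['is_admin'] ) ) {
    denyRequest( 403, 'not admin for ' . $action );
}

// The existing Editor::inst( $db, 'usertable', 'uid' ) ... ->process( $_POST )->json()
// chain follows here unchanged; it now runs only for authenticated POST requests.
```

The browser sends the PHP session cookie automatically with the DataTables AJAX request, so the JavaScript side needs no change; session_start() must run before any output, which is why the gate sits above the Editor chain. The error object uses Editor's error property so a logged-out user sees a message in the form rather than a broken table, while the error_log() line gives the administrator a record of who was refused and why without exposing that detail to the client.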
UniqueData (Author) Commented:
Line 28 in my code above says it is POST. That doesn't do the trick?
Question has a verified solution.