Radu - 2 months ago
Ajax Question

Secure Ajax call

I have a dataTable with server-side processing, but I don't know how to secure the ajax call, because anyone who goes to the ajax PHP file can read all the content.

This is my jquery:

$(document).ready(function() {
    var table = $('#netflow').DataTable({
        aaSorting: [[5, "desc"]],
        responsive: {
            details: {
                renderer: function (api, rowIdx) {
                    var data = api.cells(rowIdx, ':hidden').eq(0).map(function (cell) {
                        var header = $(api.column(cell.column).header());
                        return '<p style="color:#00A">' + header.text() + ' : ' + api.cell(cell).data() + '</p>'; // changing details mark up.
                    }).toArray().join('');

                    return data ? $('<table/>').append(data) : false;
                }
            }
        },
        processing: true,
        serverSide: true,
        ajax: "/adm/includes/netflow_processing.php"
    });
    var oTable = $('#netflow').dataTable();
    // Only send the global search to the server when Enter is pressed
    $('#netflow_filter input').unbind();
    $('#netflow_filter input').bind('keyup', function(e) {
        if (e.keyCode == 13) {
            oTable.fnFilter(this.value);
        }
    });
    // Add a filter input to each footer cell
    $('#netflow tfoot th').each(function (i) {
        $(this).html('<input type="text" style="width: 100%;" placeholder="Filter...">');
    });
    // Apply the column filter when text is entered in each cell
    table.columns().eq(0).each(function (colIdx) {
        $('input', table.column(colIdx).footer()).on('keyup change', function () {
            table
                .column(colIdx)
                .search(this.value)
                .draw();
        });
    });
});


And this is the ajax script:

<?php

$table = 'netflow';
$primaryKey = 'id';

$columns = array(
array( 'db' => 'flow_src', 'dt' => 0 ),
array( 'db' => 'flow_dst', 'dt' => 1 ),
array( 'db' => 'flow_proto', 'dt' => 2 ),
array( 'db' => 'out_packets', 'dt' => 3 ),
array( 'db' => 'in_packets', 'dt' => 4 ),
array( 'db' => 'flow_start', 'dt' => 5 )
);

$sql_details = array(
'user' => '6g43tfr3',
'pass' => 'XXXXXXXXX',
'db' => 'DBNAME',
'host' => 'bbdd.localdomain'
);

require( 'ssp.class.php' );

echo json_encode(
SSP::simple( $_GET, $sql_details, $table, $primaryKey, $columns )
);


How can I make a hash/token request?

Answer

You could simply check HTTP_REFERER. HTTP_REFERER is overwritten by the browser and cannot be altered, meaning you cannot fake a request as if it was called from within your script. So if the name of the page (referer) that may legally access your script is

http://example.com/page42

(check what your script is called by echoing out $_SERVER['HTTP_REFERER']) then add

<?php
// Reject any request whose Referer is not the page that is allowed to load this script
if ($_SERVER['HTTP_REFERER'] != 'http://example.com/page42') {
    header('HTTP/1.0 403 Forbidden');
    die('You are not allowed to access this script.');
}
...

as the very first lines to your /adm/includes/netflow_processing.php script.
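For the "hash/token request" the question asks about, here is an added example of gating netflow_processing.php on the login session plus a per-session token. It is not code from the question or the answer above. One caveat a practitioner should keep in mind: the Referer header is supplied by the client, so a curl request can set it to any value and some browsers and proxies omit it entirely; the check that actually keeps the data from anyone who types the script URL into a browser is the login session, and the token on top ties each ajax request to the page that was served. The example assumes (neither is in the original post) that the /adm login code sets $_SESSION['user_id'] on success, and that the page rendering the #netflow table is PHP and can print the token into a <meta> tag. The file name netflow_auth.php and the header name X-CSRF-Token are also assumptions.

```php
<?php
// netflow_auth.php (hypothetical file name) - added example, not from the original post.
// Include it from the page that renders the table and from netflow_processing.php.
//
// Assumptions (not in the original question or answer):
//   - the /adm login code sets $_SESSION['user_id'] after a successful login
//   - the page that renders #netflow is PHP and can call netflow_issue_token()
//   - PHP >= 7.3 (for the cookie_samesite session option)

declare(strict_types=1);

function netflow_session_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Keep the session cookie out of reach of page scripts and off plain HTTP.
        session_start([
            'cookie_httponly' => true,
            'cookie_secure'   => true,
            'cookie_samesite' => 'Strict',
        ]);
    }
}

// Call from the page that renders the table, then embed the result, e.g.
//   <meta name="csrf-token" content="<?= htmlspecialchars(netflow_issue_token()) ?>">
// The token lives only in the server-side session; the browser never sees another user's.
function netflow_issue_token(): string
{
    netflow_session_start();
    if (empty($_SESSION['netflow_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded -> 64 characters
        $_SESSION['netflow_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['netflow_token'];
}

// Call as the very first statement of netflow_processing.php, before ssp.class.php is
// required, so nothing touches the database for an unauthorised request.
function netflow_authorize(): void
{
    netflow_session_start();

    // 1. Authentication: no login session, no data. This alone stops anyone who simply
    //    opens /adm/includes/netflow_processing.php in a browser or with curl.
    if (empty($_SESSION['user_id'])) {
        netflow_deny('Not authenticated');
    }

    // 2. Request token: the table page embedded it, the DataTables ajax call sends it back
    //    in the X-CSRF-Token header, and it is compared in constant time with the session copy.
    $sent     = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $_SESSION['netflow_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {
        netflow_deny('Bad or missing request token');
    }
}

// Answer with a 403 and a small JSON body so DataTables' error handling gets valid JSON.
function netflow_deny(string $reason): void
{
    http_response_code(403);
    header('Content-Type: application/json');
    exit(json_encode(['error' => $reason]));
}
```

On the jQuery side the only change is to turn the string `ajax` option into an object, which DataTables hands straight to jQuery.ajax, so the header can be added: `ajax: { url: "/adm/includes/netflow_processing.php", headers: { "X-CSRF-Token": $('meta[name="csrf-token"]').attr('content') } }`. The token check does not replace the session check; a valid token without a login session, or a session without the token the page was served with, both get a 403 before SSP::simple() runs.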

Comments