Protecting the Run of PHP pages to your own server only ...HOW TO?

bostonmacosx

I'm designing an application. I have two questions.

I'm using some AJAX which directs to the pages do to the processing.
It is easy to see the javascript so you know what your post variables are and it is also easy to see what PHP page they are being sent to. This makes it in secure.

Is there any way to guarantee that the only calls to the processing PHP pages are from the application and not someone calling the script remotely?

All options considered.

Thanks in advance.

Robert

suntra

Well the only "good" thing I can think of would be to use some kind of sessions... when the first page is called, a session is created, then on the second page it checks if the session exists and is valid...

Piranha

bostonmacosx wrote:
I'm using some AJAX which directs to the pages do to the processing.
It is easy to see the javascript so you know what your post variables are and it is also easy to see what PHP page they are being sent to. This makes it in secure.

It does not make it secure against database injection if you do not handle it in PHP for every variable in every query. Look at [man]mysql_real_escape_string[/man] if you run MySQL, there are simular functions for other databases.

MarkR

The trick is, to not care whether the AJAX processor is called from your own pages or elsewhere.

Every type of AJAX request should have adequate authentication and authorisation checks built into it, ensuring that even if someone can make one from somewhere else (Which they will be able to, easily), then they won't be able to achieve anything that they couldn't do with the standard interface anyway.

Ultimately if someone wants to write their own client app for your AJAX RPC layer, they can do so - look at Gmail etc, this has been done many times.

You should design the API / Protocol to ensure that things can't happen out of order or violate your application's business rules. But this is common sense anyway.

Mark

MarkR

On another note, you could use some stats / reporting to attempt to detect "unusual" or modified clients accessing the site, which you could do by seeing IP addresses connecting which never fetch inline images, script files or other client-side things.

This will enable you to retrospectively detect people using unusual clients for your application- if they are abusing the system, you can then ban them by IP address, or make API modifications which cause their app to break.

Ultimately the AJAX protocol you use only needs to work for your own application- you're not responsible for supporting third party applications. Small occasional changes to it (such as renaming a parameters) will make things very inconvenient for people trying to abuse it.

Mark