Bytes | Software Development & Data Engineering Community

calling PHP with HTTPrequest security

Hello all! I have written a helpdesk ticket webapp which uses many
javascript calls to different php scripts to update a mysql database.
My question is: a) is there a way to prevent users from accessing the php
scripts via a URL, e.g.

http://www.???.org/scripts/getTicket...3234&user=jdoe

and if so, b) what is the best way to do this? I can't hide these in a
different, non-web directory because then I can't access the scripts
once the page loads. I'm sure this is a simple "yes there is" or "no
there isn't" type of question, but I can't figure out what to do.
Any input is greatly appreciated, and if I missed this in a previous
post I apologize, I tried searching and couldn't find any posts related
to this. Thanks!!

Jan 2 '07 #1
Unless there are other solutions that I'm not aware of:
a) Short answer: no.
b) - Check whether the request is malformed (example: a request
must always have tid and user).
- Authenticate the user before retrieving their ticket (inferring
from the URL, you are trying to retrieve an entry).
- Take precautions against SQL injection.

Just my 2 cents,

Hendri Kurniawan
Jan 2 '07 #2
Rik
1. Use HTTPS, HTTP is not secure.
2. Authenticate, either by authentication headers sent to the server or by
some cookie/session.
--
Rik Wasmus
Jan 3 '07 #3
Thank you much for the replies. Question though, I would like to use
authentication since I already am using that for the site. I use a
php/mysql with session_start (not sure what that's called) as
authentication. However, I can't seem to figure out how to add this to
the php scripts I am calling since they are being called from a
javascript function (I suppose this would fall under the realm of
AJAX). Should the session variable still be available from these
addTicket.php, getTickets.php, etc.? Thanks again!
Jan 3 '07 #4
Rik

If you use a cookie based session, usually the cookie is sent with the
javascript request, regardless whether it is set by js, by the server on a
page request or otherwise. You can just use the same code as you would use
when serving the user a page.

If you use a GET or POST based session you will have to make sure it is
sent to the browser manually, in building the request (or the form fields or
urls when you build the page).
--
Rik Wasmus
Jan 3 '07 #5
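A server-side check for one of the AJAX endpoints in the spirit of Hendri's and Rik's advice above (reject malformed requests, authenticate via the session that the browser sends with the javascript request, bind SQL parameters). This is an added example, not code from the thread or from either poster; the session key `$_SESSION['user']`, the `tickets` table with `id`, `subject`, `status` and `owner` columns, and the database credentials are assumptions.

```php
<?php
// getTickets.php: added example, not code from the original thread.
// Assumes the site's login code calls session_start() and stores the
// logged-in username in $_SESSION['user'] (assumed key). Because the
// session cookie is sent with the XMLHttpRequest call, the same check
// that protects normal pages protects this AJAX endpoint.
session_start();
header('Content-Type: application/json');

// 1. Authenticate: a direct visit to this URL without a logged-in
//    session has no $_SESSION['user'] and is rejected before any query.
if (empty($_SESSION['user'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// 2. Reject malformed requests: tid must be a positive integer.
$tid = filter_input(INPUT_GET, 'tid', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($tid === null || $tid === false) {
    http_response_code(400);
    echo json_encode(['error' => 'missing or invalid tid']);
    exit;
}

// 3. Authorize: take the user from the server-side session, not from a
//    user= query parameter, so editing the URL cannot select someone
//    else's tickets.
$user = $_SESSION['user'];

// 4. Prepared statement: values are bound, never concatenated into SQL.
//    DSN, credentials, table and column names are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=helpdesk', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare(
    'SELECT id, subject, status FROM tickets WHERE id = :tid AND owner = :user'
);
$stmt->execute([':tid' => $tid, ':user' => $user]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);

if ($ticket === false) {
    http_response_code(404);
    echo json_encode(['error' => 'no such ticket for this user']);
    exit;
}
echo json_encode($ticket);
```

The same pattern applies to addTicket.php and the other scripts: every endpoint repeats the session check itself, since a script that is reachable by URL cannot rely on the page that normally calls it having done so.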
Good deal, this will definitely be what I need, one last question.
Currently I am using a POST session. Is it much work to switch to
cookie based? I have actually never used cookies before. I greatly
appreciate your help. Thanks!

Jan 3 '07 #6
Rik

Well, just call the php pages with javascript using the session POST field
and it should be easy.

--
Rik Wasmus
Jan 3 '07 #7
