Quote:
| I can password-protect the directory that contains that file, but I don't really want hackers to know where the file exists.
In other words you want security through obscurity. Good luck.
Quote:
| Is it really a security issue?
Sure.
Anything can be a security issue. Just be aware that any holes here were punched by you; that "visible URLs" thing isn't a flaw in the design of the XmlHttpRequest object itself. Every URL a user's browser makes a request to can be made known to the user himself. If this weren't the case, then that would be a security flaw.
Quote:
| If they run the PHP file, they won't be able to see any PHP code anyway.
True, but they could leverage their knowledge of its location later in, say, a directory traversal attack. One thing you can do if the file contains sensitive information (aside from the obvious, the removal of the sensitive information) is alias the file's request URL using mod_rewrite. That way, at least, the attacker can't count on a correspondence between the URL of your file and the file system's directory structure. Of course, if the attacker has found a directory traversal bug you're probably screwed anyhow.
Quote:
| I was doing some browsing and I came across some advice. Basically, I should treat page.php just like a normal PHP script. Any user could run the script directly, and hence I need to set permissions for what they can do.
Okay, so sensitive information isn't the problem. It's just that this PHP file wreaks havoc on your database then has sex with your girlfriend, which is why you were thinking it should only be possible for you (and other administrators?) to call it. Fair enough.
That's where authentication comes into play. There are indeed a plethora of articles on the subject, at least one of which calls Devshed home. I haven't read that last article, but it does cover hashing (not drug-related, but something every programmer should learn about nonetheless) and it will, if nothing else, equip you with a few more keywords to plug into Google.
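As an added illustration of the two points made in this reply (aliasing the request URL with mod_rewrite, and making page.php check who is calling it before it touches the database), here is a self-contained page.php. This is example code written for this thread, not the original poster's script and not code from the Devshed article; it assumes PHP sessions, a hypothetical `$users` store that stands in for the real user table (holding `password_hash()` output, never plain-text passwords), and a `/private/page.php` path reached through an alias such as `/api/refresh`.

```php
<?php
// Added example (not the thread's code): guarding an XHR endpoint with a
// session-based admin check and a hashed-password login. The user store
// below is constructed for the example and stands in for a database table.
declare(strict_types=1);

session_start();

/** Constructed user store: username => ['hash' => password_hash() output, 'role' => ...]. */
function user_store(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT), 'role' => 'admin'],
            'bob'   => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT), 'role' => 'user'],
        ];
    }
    return $users;
}

/** Verify credentials against the stored hash; returns the user's role, or null on failure. */
function authenticate(string $username, string $password): ?string
{
    $users = user_store();
    // Verify against a throwaway hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    $hash = $users[$username]['hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return null;
    }
    return $users[$username]['role'];
}

/** Stop the request unless the current session belongs to an admin. */
function require_admin(): void
{
    if (($_SESSION['role'] ?? null) !== 'admin') {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
}

// Login handler: POST page.php?action=login with "username" and "password" fields.
if (($_GET['action'] ?? '') === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $role = authenticate((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    if ($role === null) {
        http_response_code(401);
        exit('bad credentials');
    }
    session_regenerate_id(true); // new session id on privilege change, against fixation
    $_SESSION['role'] = $role;
    exit('ok');
}

// Everything below is the work page.php actually does. It now runs only for an
// authenticated admin, no matter whether the URL came from the XHR, was typed
// into the address bar, or was reached through the mod_rewrite alias, e.g. in
// the document root's .htaccess:
//   RewriteEngine On
//   RewriteRule ^api/refresh$ /private/page.php [L]
require_admin();
header('Content-Type: application/json');
// ... database work goes here ...
echo json_encode(['status' => 'done']);
```

The point of the check is that it lives inside page.php itself, so knowing the URL (or the real path behind the alias) buys an attacker nothing without an admin session. One caveat the thread does not cover: because the browser sends the session cookie automatically, a logged-in admin's browser can be made to call this endpoint from another site, so a CSRF token on the request is the next thing to add.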