#1 A Change of Season
Devshed Frequenter (2500 - 2999 posts)
Join Date: Mar 2004
Location: Nobbies beach, Gold Coast. It's beautiful.
    Is this JavaScript - PHP combination secure?


    I decided to show members' phone numbers on screen only to logged in members. I generate the html based on the user's status:
    PHP Code:
    $this->logged = $this->session->userdata['logged_data']['logged_in'];
    if ($this->logged) {
        $data['click_to_see_number'] = '<a onclick = "view_phone_number('.$id.')">show number</a>';
    } else {
        $data['click_to_see_number'] = '<a href= "'.base_url('register').'">Login</a> to see contact details';
    }
    If they are logged in they see the "Show Number" link.

    They can click on show number and the jquery reloads the div and shows the rest of the number.

    If they are not logged in they see the "Login to see contact details" in html. That's what you probably will see.

    I want to make sure the page called with Jquery is secure. By is secure, I mean it shows the number ONLY if the member is logged in.


    javascript Code:
    function view_phone_number(id) {
        $.post('http://test.goldcoast-flatmates.com/phone_number/index/'+id, { id: id, csrf_GCFEL: '53abf72974f13eaf988e5e772c907601'}, function(output){
            $('#phone_number').html(output).show();
        });
    }
    (I am sure I am gonna get some comments on this Jquery's security)

    Thank you.
#2 Contributing User
Devshed Newbie (0 - 499 posts)
Join Date: Aug 2012
Location: Burb of Detroit, Michigan
    Maybe an alternative would be to do something like the following?

    PHP Code:
    $('.myButton').on('click', function(e) {
        e.preventDefault(); // Prevent the myButton from firing:
        var url = 'phoneNumbers.php'; // Grab the html from php file:
        $('#phoneNum').load(url + ' #displayPhone'); // Display Phone No back:
    });
    Then you could do something like this:
    PHP Code:
    <div id="phoneNum"></div>
    Of course the jQuery and PHP would have to be reworked to do what you are doing, for I just grabbed this code from something I was doing, so I could show it as a possible example/solution. That way not only would you be keeping PHP and JavaScript separate for the most part, it would also have graceful degradation. Though I am no security expert and I'm sure others will have better input on this matter.
    Last edited by Strider64; December 25th, 2013 at 07:32 AM.
#3 --
Devshed Expert (3500 - 3999 posts)
Join Date: Jul 2012
    Hi English Breakfast Tea,

    you're still not escaping your HTML input, and you're still using the bad variable definition pattern we talked about 5 days ago.

    Any dynamic value you put into the HTML document must be escaped first.

    Please write this down and stick it onto your screen or something like that. This is absolutely crucial.

    PHP Code:
    $data['click_to_see_number'] = '<a onclick = "view_phone_number('.$id.')">show number</a>';
    PHP Code:
    $data['click_to_see_number'] = '<a href= "'.base_url('register').'">Login</a> to see contact details';
    The first one is even worse, because you insert $id directly into a JavaScript context. This makes it very easy for an attacker to inject their own JavaScript code. They don't even have to create a script element.

    I hope you've at least type-casted the variable into an integer. But this doesn't change the fact that the whole technique is very, very wrong.

    I repeat: You must escape your stuff. Unfortunately, this is not as easy as calling a function when you want to pass PHP values to JavaScript. This requires a special technique, as I pointed out a week ago (I guess you've missed that post).

    In this particular case, however, you should be able to simply fetch the ID from the URL with JavaScript itself. That's where it comes from, right?

    PHP Code:
    $data['click_to_see_number'] = '<a onclick = "view_phone_number()">show number</a>';    // fetch the ID from within JavaScript 
    PHP Code:
    $data['click_to_see_number'] = '<a href= "'.html_escape(base_url('register')).'">Login</a> to see contact details';
    Some people may argue that escaping the second value isn't necessary, because it's trusted. Maybe. But distinguishing between trusted and untrusted data is extremely error-prone. And putting raw URLs into an HTML document often leads to the infamous ampersand issue.

    Please write this down. Don't forget it.

    As to the original question:

    It doesn't matter if a PHP script is executed after an Ajax request or a "classical" request. The logic is always the same: The server must authenticate the user by checking the session. If the user is authorized to see the resource, the server will send it, otherwise it won't.

    In practice, this means your phone number script also needs a "logged in" check on top.

    However, I wonder why you're even using Ajax. Why not simply show the full phone numbers to authorized users rather than asking them for a click?

    And why is there a hard-coded anti-CSRF token?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers? There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
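The three points made in the reply above (escape per output context, put the same session check on the Ajax endpoint as on a normal page, and do not hard-code the anti-CSRF token) as one added, stand-alone PHP example. This is not code from the thread or from CodeIgniter: plain PHP stands in for base_url(), html_escape() and $this->session, the function names render_contact_link(), issue_csrf_token() and phone_number_endpoint() are hypothetical, and the member number, ids and URLs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. Plain PHP stands in for the
// CodeIgniter calls in the posts above (base_url(), html_escape(),
// $this->session); every function name here is hypothetical.

// --- 1. One escaping helper per output context --------------------------

// HTML body or attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript context. json_encode() yields a valid JS literal for any
// scalar or array; the HEX flags keep the result from closing a <script>
// block or breaking out of an attribute quote.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// The link from the first post, built so that $id is typed, JS-encoded and
// then HTML-encoded, because the JS sits inside an HTML attribute.
function render_contact_link(bool $loggedIn, int $id, string $registerUrl): string
{
    if ($loggedIn) {
        return '<a href="#" onclick="view_phone_number(' . h(js($id)) . '); return false;">show number</a>';
    }
    return '<a href="' . h($registerUrl) . '">Login</a> to see contact details';
}

// --- 2. A random per-session anti-CSRF token instead of a hard-coded one --
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// --- 3. The Ajax endpoint authorizes exactly like a normal page -----------
// $session and $post stand in for $_SESSION and $_POST; $numbers stands in
// for the database lookup. Returns [HTTP status, response body].
function phone_number_endpoint(array $session, array $post, array $numbers): array
{
    if (empty($session['logged_in'])) {
        return [403, 'Login to see contact details'];
    }
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !isset($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $token)) {
        return [403, 'Invalid request token'];
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($numbers[$id])) {
        return [404, 'Unknown member'];
    }
    // The body goes into the page via .html(), so it is HTML context.
    return [200, h($numbers[$id])];
}

// --- Stand-alone run with constructed sample data ------------------------
$numbers   = [42 => '0412 000 000'];   // constructed, not a real number
$anonymous = [];
$member    = ['logged_in' => true];
$token     = issue_csrf_token($member);

// The '&' in the constructed URL shows the ampersand issue being handled.
echo render_contact_link(false, 42, 'https://example.invalid/register?a=1&b=2'), PHP_EOL;
echo render_contact_link(true, 42, 'https://example.invalid/register'), PHP_EOL;

foreach ([
    'anonymous'   => [$anonymous, ['id' => 42, 'csrf_token' => $token]],
    'member'      => [$member,    ['id' => 42, 'csrf_token' => $token]],
    'wrong token' => [$member,    ['id' => 42, 'csrf_token' => 'not-the-session-token']],
    'bad id'      => [$member,    ['id' => 'abc', 'csrf_token' => $token]],
] as $label => [$sess, $post]) {
    [$status, $body] = phone_number_endpoint($sess, $post, $numbers);
    echo str_pad($label, 12), $status, ' ', $body, PHP_EOL;
}
```

Run it with the php command-line binary. The endpoint is deliberately a pure function of the session, the request and the data, so the four constructed requests show each refusal path (no session, wrong token, non-integer id) and the one success; the token is compared with hash_equals() rather than ==, and only a logged-in session with the matching token reaches the lookup at all.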
