October 19, 2011

How to protect PHP page used by jQuery AJAX call

Question by domino

I just finished coding my first jQuery AJAX call page. It calls a PHP page every 1 or 2 seconds and returns JSON data.

The page basically displays posts of the message board the user is viewing. There are multiple message boards and some users should not be able to view certain boards, however the same PHP page is used for the call. It picks out the message using $id that is sent by the AJAX script.

My question is how would I protect the PHP page from being manipulated and opened directly? The user can easily change the board id by opening the file directly and changing the URL. Not to mention the other ways.

If there is no easy way, then I guess I’d have to duplicate the majority of the main page to check if the user has necessary permissions. That would mean more server load since the page is updated every second.

Answer by TheVillageIdiot

AJAX calls are treated by the server in the same way as normal page requests. All the authentication and authorization mechanisms are called before serving the page. To make sure, just log off and try to get stuff from your page using AJAX. It should not work if your page requires you to log into the site.

Answer by Starx

If an AJAX call can open the page, so can the user; you cannot rely on any definitive technique to protect a page. For the rest, you can follow what @TheVillageIdiot has said in his answer.
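Putting both answers into practice, here is an added example of what the polled PHP endpoint can look like. It is not code from the question or the answers, and it assumes a PDO connection in $pdo, a login flow that stores the user id in $_SESSION['user_id'], and two tables named board_members(user_id, board_id) and posts(id, board_id, author, body, created_at); all of those names are assumptions for illustration. The point is that the endpoint never trusts the $id parameter: it checks the session like any other page, validates the id, and does its own membership lookup on every call, which is one indexed query rather than re-rendering the main page.

```php
<?php
// Added example, not from the original answers. Assumes $pdo (PDO), a session
// that holds $_SESSION['user_id'] after login, and the tables board_members and
// posts described in the lead-in. Those names are assumptions.

session_start();

function respond($status, array $payload)
{
    // Third argument to header() sets the HTTP status (works on PHP 5.x).
    header('Content-Type: application/json', true, $status);
    echo json_encode($payload);
    exit;
}

// 1. Authentication: the poll is an ordinary HTTP request, so the same session
//    check that guards the main page guards this endpoint. No session, no data.
if (empty($_SESSION['user_id'])) {
    respond(401, array('error' => 'not logged in'));
}
$userId = (int) $_SESSION['user_id'];

// 2. Input: the board id is client-controlled (anyone can edit the URL), so it
//    is validated before it reaches a query.
$boardId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($boardId === false || $boardId === null) {
    respond(400, array('error' => 'invalid board id'));
}

// 3. Authorization: a server-side membership check on every call. A single
//    indexed lookup per poll is far cheaper than duplicating the main page.
function userCanViewBoard(PDO $pdo, $userId, $boardId)
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM board_members WHERE user_id = :uid AND board_id = :bid'
    );
    $stmt->execute(array(':uid' => $userId, ':bid' => $boardId));
    return $stmt->fetchColumn() !== false;
}

if (!userCanViewBoard($pdo, $userId, $boardId)) {
    // Same response whether the board is private or does not exist, so the
    // endpoint does not reveal which board ids are valid.
    respond(403, array('error' => 'forbidden'));
}

// 4. Only now fetch the posts, again with a bound parameter.
$stmt = $pdo->prepare(
    'SELECT id, author, body, created_at FROM posts
      WHERE board_id = :bid ORDER BY created_at DESC LIMIT 50'
);
$stmt->execute(array(':bid' => $boardId));
respond(200, array('posts' => $stmt->fetchAll(PDO::FETCH_ASSOC)));
```

Note that nothing here looks at the X-Requested-With header or at the Referer: as Starx says, whatever the AJAX call can send, a user can send by hand, so those headers are not a substitute for the session and membership checks.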

October 14, 2011

How to prevent SQL Injection attack in applications programmed in Zend Framework?

Question by Kamil Mroczek

I don’t have any concept about ZF safety. Do I have to use Filter when operating on the database? Maybe binding is enough? How about this:

$users->update($data, 'id=1');

Should the $data array be filtered somehow? Feel free to write anything you know about the issue.

Could you give some links to good articles about safety in ZF (mainly about SQL Injection and XSS)?

Answer by Gordon

Short answer
While ZF takes and provides some measures to secure your app, you should still apply the same precautions that you’d use without Zend Framework.


Regarding your code snippet, check out the Chapter on Zend_Db in the Reference Guide:

By default, the values in your data array are inserted using parameters. This reduces risk of some types of security issues. You don’t need to apply escaping or quoting to values in the data array.

This doesn’t mean you don’t have to bother about security. For instance, for the Update method above

The third argument is a string containing an SQL expression that is used as criteria for the rows to change. The values and identifiers in this argument are not quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely. See Quoting Values and Identifiers for methods to help you do this.

Note that since you are obviously using Zend_Db_Table, the third argument is the second argument. Internally, the table instance will delegate the call to the db adapter, with the first param being the table instance’s table name.


Regarding Zend_View and XSS attack vectors:

Zend_View comes with an initial set of helper classes, most of which relate to form element generation and perform the appropriate output escaping automatically.

Again, most of which does not mean all. Zend_View does provide Zend_View::escape() to help you sanitize output, but this is nothing special.
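As an added example of the two points in this answer (it is not code from the answer or from the Zend Framework manual), the snippet below shows the update call from the question with an unquoted where clause next to the quoted form, and the matching output escaping in Zend_View. It assumes a Zend_Db_Table subclass named Users for a table users with columns id, name and email; those names are assumptions for illustration.

```php
<?php
// Added example, not from the answer or from Zend Framework's documentation.
// Assumes a ZF1 application with a `users` table (id, name, email); the Users
// class and column names are assumptions for illustration.

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}

$users = new Users();
$db    = $users->getAdapter();

// Untrusted input: both the row id and the field values come from the client.
$id    = $_GET['id'];        // could be "1 OR 1=1"
$input = $_POST;             // could contain any column name as a key

// 1. The data array: values are bound, so they need no escaping, but the keys
//    become column names in the generated SQL. Whitelist them so a client
//    cannot update columns it was never meant to touch.
$allowed = array('name' => true, 'email' => true);
$data    = array_intersect_key($input, $allowed);

// 2. The where argument is raw SQL, so the value must be quoted (and here also
//    cast, since ids are integers). The unsafe form, with $id = "1 OR 1=1",
//    rewrites every row in the table:
//      $users->update($data, 'id=' . $id);
$where = $db->quoteInto('id = ?', (int) $id);   // produces: id = 1
$rowsChanged = $users->update($data, $where);

// Reads are the same story: use the placeholder form of where(), never string
// concatenation of request data.
$select = $users->select()->where('id = ?', (int) $id);
$row    = $users->fetchRow($select);

// 3. Output: whatever reached the database is still client-supplied, so escape
//    it when it is rendered. Inside a view script this is $this->escape().
$view = new Zend_View();
echo $view->escape($row->name);   // "<script>" is rendered as &lt;script&gt;
```

The whitelist in step 1 is the part people tend to skip: parameter binding protects the values in $data, but nothing in update() stops a client from choosing which columns are in $data unless the application does.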

Answer by Starx

I will suggest the use of Zend Filters, wherever you need something specific. You can use this at any point in your application.

Request Parameter

// Keep only letters from a URL parameter while processing the request
$alpha = new Zend_Filter_Alpha();
$name = $alpha->filter($this->_request->getParam('name'));

Database

// Cast to an integer before the value reaches the query placeholder
$int = new Zend_Filter_Int();
$select->where("id = ?", $int->filter($id));

Also in form elements. I will skip this, as examples of this can be found abundantly.
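One caveat worth seeing in code, added here and not part of the answer: a filter normalises a value, it does not reject it. Zend_Filter_Int turns "abc" into 0 and "5 OR 1=1" into 5, so a request that should have been refused quietly becomes a query for a different record. Pairing the filter with the matching validator closes that gap. The Posts table class and its board_id column below are assumed names for illustration.

```php
<?php
// Added example, not from the answer. Shows Zend_Filter_Int alongside
// Zend_Validate_Int so that malformed ids are rejected instead of being
// silently coerced. The Posts class and board_id column are assumptions.

class Posts extends Zend_Db_Table_Abstract
{
    protected $_name = 'posts';
}

// What the filter alone does to some constructed inputs (values noted in
// comments are what Zend_Filter_Int, i.e. an (int) cast, returns):
$int = new Zend_Filter_Int();
$int->filter('42');         // 42
$int->filter('abc');        // 0   -> would query board 0
$int->filter('5 OR 1=1');   // 5   -> would query board 5, not an error

function boardIdFromRequest($raw)
{
    // Validate first: anything that is not an integer is refused outright...
    $validator = new Zend_Validate_Int();
    if (!$validator->isValid($raw)) {
        return null;
    }
    // ...then filter to the exact PHP type the query placeholder expects.
    $filter = new Zend_Filter_Int();
    return $filter->filter($raw);
}

$raw     = isset($_GET['id']) ? $_GET['id'] : '';
$boardId = boardIdFromRequest($raw);
if ($boardId === null) {
    header('Content-Type: text/plain', true, 400);
    exit('bad board id');
}

// The validated, typed value goes into the placeholder; the adapter quotes it.
$posts  = new Posts();
$select = $posts->select()->where('board_id = ?', $boardId);
$rows   = $posts->fetchAll($select);
```

The same validate-then-filter order applies to Zend_Filter_Alpha on the name parameter above: the filter will happily strip a string down to nothing, so check the result (or use Zend_Validate_Alpha first) before treating it as a usable name.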

...
