That's a humongous, humongous security risk there.

What if someone goes http://example.com/gimmedata.php?query=DROP DATABASE hi?
Unless I misunderstood.

A better way would be in the script:

    // Map a short, known name to a fixed query; the request never carries SQL.
    switch ($_GET['query']) {
        case "fetch":     $dbquery = 'SELECT stuff FROM stuff';    break;
        case "eatsnacks": $dbquery = 'SELECT snacks FROM edibles'; break;
        // ...
        default:
            // Unknown name: refuse rather than run anything.
            header('HTTP/1.1 400 Bad Request');
            exit;
    }

and fetch instead "http://example.com/gimmedata.php?query=eatsnacks";

On 5/10/07, Daevid Vincent <[EMAIL PROTECTED]> wrote:
Like most sites, someone needs to join up to use mine.

I'm using a wee-bit-o-AJAX to pull some results from a database and display them dynamically.

For the AJAX to work, it has to hit a script that's accessible from the htdocs tree, right?
Effectively it's just a (JavaScript-initiated) GET URL request, correct?

For example, index.html calls http://example.com/gimmedata.php?query=foo
That in turn returns a JS formatted array which is eval()'d in JS and rendered on the page.

(over simplified I know)

My question is, how do you protect gimmedata.php since it's sitting out there sans normal web headers and stuff?
Can it include session_start() and do all that wonderful checking to make sure the user is logged in before just happily doling out my precious data?

What is the proper, secure, sanctioned and AJAX/PHP blessed way to do this?

I could set up a test environment and hack up something I'm sure -- and probably will if I get too impatient, but nobody seems to address this issue in any examples, they just do it as if information is *gasp* free. I'm a PHP guru, but I am also an AJAX novice.
From what I gather, the return is really in XML transport format and all the magic of converting to/from XML is transparent to me. I worry that putting other headers or whatever may "corrupt" that?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
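Putting the two halves of the thread together (the session check Daevid asks about, and the name-to-query allowlist from the reply), here is what gimmedata.php could look like. This is an added example, not code from either poster; it assumes a PDO connection, a login that stores $_SESSION['user_id'], and an owner_id column on the tables (all assumptions), and it returns JSON for json_decode() instead of a JS array for eval().

```php
<?php
// gimmedata.php -- added example. Assumes login sets $_SESSION['user_id']
// and that the PDO DSN/credentials and owner_id column exist (assumptions).
session_start();
header('Content-Type: application/json; charset=utf-8');

// 1. Authentication: the same session check the rest of the site uses.
//    No session, no data.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 401 Unauthorized');
    echo json_encode(array('error' => 'not logged in'));
    exit;
}

// 2. Allowlist: the client only names a query. The SQL text lives here,
//    so ?query=DROP%20DATABASE can never reach the database.
$queries = array(
    'fetch'     => 'SELECT stuff FROM stuff WHERE owner_id = :uid',
    'eatsnacks' => 'SELECT snacks FROM edibles WHERE owner_id = :uid',
);
$name = isset($_GET['query']) ? $_GET['query'] : '';
if (!array_key_exists($name, $queries)) {
    header('HTTP/1.1 400 Bad Request');
    echo json_encode(array('error' => 'unknown query'));
    exit;
}

// 3. The only per-request value (who is asking) goes in as a bound
//    parameter, so even the allowlisted SQL is never string-built.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));
$stmt = $pdo->prepare($queries[$name]);
$stmt->execute(array(':uid' => (int) $_SESSION['user_id']));

// 4. Hand back JSON; the page parses it with json_decode()/JSON.parse()
//    rather than eval(), so a stray script in the data is not executed.
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The extra Content-Type header does not interfere with the XMLHttpRequest transport; the browser just sees a normal HTTP response body.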
