
I have index.php, ajax.js and process.php (where I get my AJAX data).

I am using AJAX this way:

var user_id = $('#user_id').val();   // jQuery needs '#' for an id selector

$.ajax({
    url     : "somefile.php",
    method  : "GET",
    data    : {'user_id' : user_id},
    cache   : false,
    success : function(data) {
          // do something with "data"
    }
});

The user_id I receive from the PHP file:

    <input value="<?php echo $user_id; ?>" id="user_id" />

What do I need to do to increase security?

5 Comments

  • What aspect of security do you want to improve exactly: security against whom? The user? Third parties? Commented Apr 30, 2013 at 14:10
  • This site is replete with information about creating secure AJAX transactions. Do you have a specific problem not already covered? Commented Apr 30, 2013 at 14:12
  • I mean maybe something like encrypting the data being sent, because it can be changed by someone while sending. Commented Apr 30, 2013 at 14:13
  • Some useful info here: stackoverflow.com/questions/1012777/… Commented Apr 30, 2013 at 14:13
  • @M8R-1jmw5r thanks for your notice. By the way, it's my first question here and I agree with the fact that my question wasn't quite correct. Next time I'll be more specific. Commented Apr 30, 2013 at 14:56

5 Answers

1

The following can be added, just to increase the security measures.

In PHP code:

<input value="<?php echo base64_encode($user_id); ?>" id="user_id" />

In JS Code:

var user_id = $('#user_id').val();   // '#' selects the element by id

$.ajax({
    url     : "somefile.php",
    method  : "POST",
    data    : {'user_id' : user_id},
    cache   : false,
    success : function(data) {
          // do something with "data"
    }
});

In "somefile.php", read the value with $_POST; it will only accept a variable sent using the POST method. This can be used:

<?php
if (isset($_POST['user_id']))
{
    $user_id = $_POST['user_id'];
    $user_id = base64_decode($user_id);   // undo the encoding applied in the HTML
    // all functionality here
}
else
{
    // shoot error message
}

2 Comments

  • This adds nothing to the security! Changing the encoding does not make anything more secure.
  • If you are sending sensitive data, HTTPS is a de facto standard.
0

I'd recommend you don't provide the userid to the client. Can you store it in a session variable instead?

1 Comment

I was thinking about that, but the problem is that I also use anchor navigation, so I open a SECOND file in this INDEX.PHP, and in this second PHP file I can't session_start(); it gives errors :(
0

If this user_id is being used to retrieve some confidential information related to the logged-in user, then that sounds like a security flaw.

You should be getting the user_id from a session variable.

Comments

0

I think it is not a good idea to put 'user_id' in the client HTML and send it back to the server. You need to do more validation on the data sent from the client (do some checking and filtering).

I recommend using the session instead of sending it to the client, but you will have a problem if editing two or more records at the same time (multiple tabs), so you need to use the session plus a small trick.

With this example your real user_id will never be sent to the client.

index.php:

<?php
session_start();
$edit_session_id = md5(uniqid() . microtime(true));

$_SESSION['edit_' . $edit_session_id] = $user_id;
?>
<!-- the page exposes the token, not the user id, for ajax.js to read -->
<input type="hidden" id="edit_session_id" value="<?php echo $edit_session_id; ?>" />

ajax.js:

var edit_session_id = $('#edit_session_id').val();

$.ajax({
    url     : "process.php",
    method  : "POST",
    data    : {'edit_session_id' : edit_session_id},
    cache   : false,
    success : function(data) {
          // do code
    }
});

process.php:

<?php
session_start();

$edit_session_id = $_POST['edit_session_id'];
if (!isset($_SESSION['edit_' . $edit_session_id]))
{
    die('Invalid edit session, please go back & refresh');
}
$user_id = $_SESSION['edit_' . $edit_session_id];

// Do something with user_id

// Clear the editing session
unset($_SESSION['edit_' . $edit_session_id]);

Comments
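A hardened version of the session-backed edit token from the answer above, as an added example (not code from any of the answers). It assumes the user is already logged in with the real id in $_SESSION['user_id']; the 15-minute lifetime, the CSPRNG token and the single-use consumption are choices made here.

```php
<?php
// Hardened variant of the "edit session" pattern (added example; assumes the
// user is already logged in and $_SESSION['user_id'] holds the real id).

const EDIT_TOKEN_TTL = 900;   // seconds a token stays valid (chosen here)

// Issue an opaque, single-use token bound to the logged-in user.
// The real user_id never leaves the server.
function issue_edit_token(int $user_id): string
{
    $token = bin2hex(random_bytes(16));   // CSPRNG, unlike md5(uniqid())
    $_SESSION['edit'][$token] = [
        'user_id' => $user_id,
        'expires' => time() + EDIT_TOKEN_TTL,
    ];
    return $token;
}

// Resolve a submitted token. Returns null when it is missing, not a string
// (e.g. edit_session_id[]=x), malformed, unknown or expired.
function resolve_edit_token($token): ?int
{
    if (!is_string($token) || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;                       // validate shape before session lookup
    }
    $entry = $_SESSION['edit'][$token] ?? null;
    unset($_SESSION['edit'][$token]);      // single use: consumed on first sight
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry['user_id'];
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // process.php role: accept only POST and never trust a client-supplied user_id
    $user_id = resolve_edit_token($_POST['edit_session_id'] ?? null);
    if ($user_id === null) {
        http_response_code(400);
        exit('Invalid or expired edit session, please go back and refresh');
    }
    // ... do the work for $user_id here ...
} else {
    // index.php role: expose the token, HTML-escaped, instead of the user id
    $token = issue_edit_token((int) $_SESSION['user_id']);
    echo '<input type="hidden" id="edit_session_id" value="'
       . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}
```

Because each token is consumed on first use and expires on its own, a value copied out of one tab cannot be replayed from another, which is the multi-tab concern the answer raises.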

0

You should use POST instead of GET, and you should also use SSL so that your URLs start with https instead of http. Now you are secured enough, but you can increase security by adding an extra encryption layer.

Comments
