3

I'm new to Ajax and PHP in general. So far, I managed to make an Ajax call to my PHP script which fetches data from my database. However, upon testing, I realized that, even if I'm not logged in, I can still access and run the PHP script directly and when that happens, it populates all the data from my table, which I don't want to happen.

Now based on that I see a major security issue where anyone can access and run the script and see user information.

Now I'm not familiar with security and stuff in PHP, kinda new to it. My question is how would I go about to make the script unaccessible directly, or only when the admin is logged in it could be accessible?

I read around that I could check the session, I tried but it didn't work for some reason. So I'll put what I coded below.

Here's the PHP which fetches data, getData.php:

<?php
    session_start(); 
    if(isset($_SESSION['id']) && isset($_SESSION['name']) && isset($_SESSION['admin']) && ($_SESSION['admin']==1)){
        include_once('config.php');
        //Create PDO Object
        $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
        //Set Error Handling for PDO
        $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
        //Query
        $sql = "SELECT users.name, users.email, users.admin, stores.admin, stores.name FROM users INNER JOIN stores ON users.id=stores.admin";
        //Prepare Statement
        $stmt = $con->prepare($sql);
        $stmt->execute();

        while ($row = $stmt->fetch()){
            echo '<tr>';
            echo    '<td>'.$row[4].'</td>';
            echo    '<td>'.$row[0].'</td>';
            echo    '<td>'.$row[1].'</td>';
            echo    '<td>**********</td>';
            if($row[2] == 1){
                echo    '<td>Yes</td>';
            }elseif ($row[2] == 0) {
                echo    '<td>No</td>';
            }
            echo '</tr>';
        }
        $con = null;
    }
?>

Here's the ajax that does the call to get the data. It's just a snippet, but it's part of a bigger thing(button on click to be precise), myAjax.js:

$.ajax({    //create an ajax request to getData.php
    type: "GET",
    url: "includes/getData.php",             
    dataType: "html",   //expect html to be returned                
    success: function(response){     
        $("#userInfo > tbody").html("<pre>"+response+"</pre>");
    },
    error:function (xhr, ajaxOptions, thrownError){
        alert(thrownError);
    }
});

Finally, this I set the following sessions, when user logs in:

$_SESSION['id']
$_SESSION['name']
$_SESSION['admin']

$_SESSION['admin'] == 1 means the user is an admin. Otherwise it's not.

Any help is greatly appreciated.

Edit:

Forgot to include what I tried to check the session. I update the PHP.

Thanks

Improve this question
7
  • 1
    "Now I'm not familiar with security and stuff in PHP, kinda new to it. My question is how would I go about to make the script unaccessible directly, or only when the admin is logged in it could be accessible?" — The same way as any other URL - authenticate the user and then check if they are authorised. Commented Oct 29, 2015 at 23:01
  • 1
    "I read around that I could check the session" — If you're using session based logins, then that will work. "I tried but it didn't work for some reason" — There's no sign of that attempt in the code you've shared. Commented Oct 29, 2015 at 23:02
  • All the php code that processes the ajax request could be encapsulated in an if( $_SESSION['admin']==1 ){ /* code */ } perhaps as one basic option Commented Oct 29, 2015 at 23:02
  • @Quentin I tried to put the PHP inside this if(isset($_SESSION['id']) && isset($_SESSION['name']) && isset($_SESSION['admin']) && ($_SESSION['admin']==1)){ and when I did that, no data would show. So I'm not sure what's wrong. Commented Oct 29, 2015 at 23:03
  • @nTuply — So do some debugging. You're testing four different things but all in one go so you haven't established which of them is failing. Commented Oct 29, 2015 at 23:06

1 Answer 1

Reset to default
1

I usually do like this for checking whether the user is loged in or not to display the result or output

use if(!empty($_SESSION['admin'] && $_SESSION['admin']==1 && !empty($_SESSION['name']) && !empty($_SESSION['id']))

using !empty will also check that if the variable is set and has any value or not! using isset shows true even if the value of variable is "null". so It will pass the if conditions argument and show the result.

One More thing:

when you logout you need to unset the session variables using...

<?php
session_destroy();
session_unset();

this technique has worked always with me...thanks

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Is empty is actually better than an if statement to check for nulls. I updated my code to this. Works perfect now. Thanks
See one more thing need to check, all the versions in shared hosting may not support empty function, for example godaddy, hostgator or bluehost etc...before making this project online just check for PHP version if it is 5.3 or more....thanks

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.