
Ok guys, so I know this has been covered before, but what my question strictly relates to is the security of doing such a thing. I have a page that is mostly generated by PHP functions which are in a class in a separate file. My page calls...

    <div class="transferfunds">
    <?php dashboardFunction::buildPickers($uid); ?>
    </div>

like so, and my PHP function is (obviously abbreviated)...

    class dashboardFunction {
        // Called statically above, so it must be declared static; abbreviated body
        public static function buildPickers($uid) {
            $user =& JFactory::getUser(); // current Joomla user
        }
    }

Now, what I'd like to happen is: it loads specific content on load, but when a user interacts with something specific (say a drop-down) I'd like to use AJAX to call this function again and reload that specific div.

I get that I could pass a variable through AJAX and call that function like...

    $.ajax({
        type : 'POST',
        url : 'post.php',
        dataType : 'html',
        data: {
            dataTest : 'test'
        },
        success : function(data){
            // replace the div's contents with the HTML returned by post.php
            $('#div').html(data);
        },
        error : function(XMLHttpRequest, textStatus, errorThrown) {
            // request failed; leave the existing div contents in place
        }
    });

and test for it in PHP like so...

    // $uid is the logged-in user's id, taken from the server side, not from the request
    if(isset($_POST['dataTest']) && !empty($_POST['dataTest'])) {
        dashboardFunction::buildPickers($uid);
    }

But A. would this work for sure, and B. would this actually be safe? Is it vulnerable to any type of injection etc.? Thanks!

3 Answers


I assume that you'll be passing user credentials this way, am I right? If so, this method is not very secure. It would be better to rely on a user session to share user data between scripts.


5 Comments

@Greg Thompson: if the above is the case, don't look at my answer since I have misunderstood your question.
I'm assuming user credentials because of the 'transferfunds' class assigned to the div in Greg's first code block. Might be a stretch :p
It doesn't hurt to double check :D
Could I use user sessions with AJAX?
@Greg Thompson: well, you can't access the PHP session from AJAX, though you could set the PHP session data in the view page, and access the same session data from the action page.

A. would this work for sure

Sure it would work. However, calling a different URL might be cleaner if different stuff is retrieved. But it will work.

B. would this actually be safe

It is safe. However if you want to access multiple functions this way:

    // The request body chooses which static method is called
    $func = $_POST['dataTest'];
    dashboardFunction::$func();

You should add a whitelist of allowed functions, of course.

But if you just want to access one function which is hardcoded, and you check if the variable is set, there is no problem.



From your function names it looks like you're using this function to build pick lists or load content, so as long as you're not deleting/inserting/updating data, but only selecting, then you're probably fine as long as you sanitize your inputs properly before the query is run in the PHP page (the buildPickers function).

You can also do something like pass in a token with the Ajax request, and check the token on the action page, so it would be more difficult to simply fire the events using a direct call to the URL of the action page.

Finally, if you're actually doing a SELECT operation, you should probably use a GET rather than a POST, though in real terms it won't matter.

1 Comment

Just noticed you're using Joomla, so yes, pass in a token using JUtility::getToken() and then test for it using JRequest::checkToken('get') or jexit('Invalid Token'); (remove that 'get' if you end up POSTing the data).
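As an added example that is not from the question or any of the answers, here is a plain-PHP version of the action page (post.php) that combines the two points made above: the token check from this answer and the function whitelist from the previous one. It assumes a plain PHP session holding the user id and a CSRF token (standing in for Joomla's JUtility::getToken/JRequest::checkToken), an assumed path for the class file, and the asker's own dashboardFunction::buildPickers.

```php
<?php
// post.php: added example, not code from the question or the answers.
// Assumes a plain PHP session (not Joomla's token helpers) that holds the
// logged-in user's id in $_SESSION['uid'] and a CSRF token that the view page
// generated with bin2hex(random_bytes(32)) and stored in $_SESSION['csrf_token'].
session_start();
require_once __DIR__ . '/dashboardFunction.php'; // assumed path to the asker's class

// Allow-list: the request may only name keys of this array. The browser never
// supplies a raw method name, so no request can reach any other method.
const ALLOWED_ACTIONS = [
    'pickers' => 'buildPickers',
];

function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

// 1. Identity comes from the server-side session, never from the POST body.
if (empty($_SESSION['uid'])) {
    fail(401, 'Not logged in');
}
$uid = (int) $_SESSION['uid'];

// 2. Token check in constant time, so a direct call to post.php without the
//    token issued to this session is refused (the role JRequest::checkToken plays).
$token = (isset($_POST['token']) && is_string($_POST['token'])) ? $_POST['token'] : '';
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    fail(403, 'Invalid token');
}

// 3. Map the requested action through the allow-list; anything else is refused.
$action = (isset($_POST['action']) && is_string($_POST['action'])) ? $_POST['action'] : '';
if (!array_key_exists($action, ALLOWED_ACTIONS)) {
    fail(400, 'Unknown action');
}
$method = ALLOWED_ACTIONS[$action];

// 4. Only now call the selected static method; it echoes the div's HTML, which
//    the $.ajax success handler drops into the page.
header('Content-Type: text/html; charset=utf-8');
dashboardFunction::$method($uid);
```

On the client, add `action: 'pickers'` and the session's token to the `data` object of the existing $.ajax call; nothing else in that call needs to change.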
