On my website, I have a search.php page that makes $.get requests to pages like search_data.php and search_user_data.php etc.

The problem is all of these files are located within my public html folder.

Even though someone could browse to www.mysite.com/search_user_data.php, all of the data processed is properly escaped and handled, but on a professional level this is inadequate to even have this file within public reach.

I have tried moving the sensitive files to my web root, however since Jquery is making $.get requests and passing variables in the URL, this doesn't work.

Does anyone know any methods to firmly secure these vulnerable pages?

  • @zerkms So all files on every web page that exists should have no privacy whatsoever? Commented Mar 12, 2012 at 9:30
  • PHP is not exposed to the public, hence "server side language". It's executed, and the results are outputted. Commented Mar 12, 2012 at 9:33
  • @andrewjackson Right, but I would prefer to not give anyone the chance to be able to play around with the url by doing things like search_data.php?id=394&pass=493202. Is that not reasonable? Commented Mar 12, 2012 at 9:35
  • Uhm, could any moderator explain why my comment has been deleted? Commented Mar 12, 2012 at 10:03

2 Answers

What you describe is normal.

You have PHP files that are reachable in your www directory so apache (or your favored webserver) can read and process them. If you move them out you can't reach them anymore so there is no real option of that sort.

After all, your PHP files for AJAX are just regular PHP files; likely your other project also contains PHP files. Right? They are not more or less at risk than any script on your server.

Make sure you program "clean". Think about evil requests when writing your php functions, not after writing them. As you already did: correctly quote all incoming input that might hit a database or sensitive function.

You can add security checks on your incoming values and create an automated email if you detect someone trying evil stuff. So you'll likely receive a warning in such cases. But on the downside: You'll regularly receive warnings because some companies automatically scan websites for possible bugs. So you will receive a warning on such scans as well.

On top of writing your code as "secure" as you can, you may want to add a referer check in your code. That means your PHP file will only react if your website was given as referer when accessing it. That's enough to block 80% of the kids out there. But on the downside: a few internet users do not send a referer at all, some proxies filter that. (I personally would ignore them, half the (www) internet breaks on them anyway)

One more layer of protection can be added by htaccess, you can do most within PHP but it might still be of interest for you: http://httpd.apache.org/docs/2.0/howto/htaccess.html

1 Comment

I should maybe add: When I make AJAX requests and the users have an account on my server, then I usually pass a userid and an md5 hash of the password (and some salt). That way you can easily see if the AJAX request originates from a legal user.


You can store a uid each time your page is loaded and keep it in $_SESSION['uid']. You give this uid to JavaScript by doing:

var uid = <?php print $_SESSION['uid']; ?>;

Then you pass it with your GET request and compare it to your $_SESSION:

    if ($_GET['uid'] != $_SESSION['uid']) {
        // Stop with an error message or send a forbidden header.
        header('HTTP/1.1 403 Forbidden');
        exit;
    }

If it's ok, do what you need.

It's not perfect since someone can request search.php and get the current uid, and then request the other pages, but it may be the best possible solution.

2 Comments

If you used this method but with $_POST instead, would that be a lot safer?
Not really. It would be harder for newbies but quite as simple for others.
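A hardened form of this session check, as an added example that is not the answer's own code: a random per-session token replaces the uid, the comparison is strict and constant-time, and the first answer's referer check is layered on top; as the answer says, anyone who loads search.php in their own session still obtains a token, so this guards the endpoints rather than hiding them. File names come from the question; ajax_guard.php and the function names are assumptions.

```php
<?php
// Hypothetical shared file (e.g. ajax_guard.php) required by search.php and
// by every endpoint such as search_data.php. Added example, not the
// answerer's code.
declare(strict_types=1);

// Returns the session's AJAX token, creating it on first use. A token from
// the CSPRNG cannot be guessed, unlike a uid built from predictable values.
function ajaxToken(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

// hash_equals() is a strict, constant-time comparison, so neither the loose
// != quirks ("10" == "1e1" is true in PHP) nor timing differences apply.
function ajaxTokenValid($supplied, string $expected): bool {
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// Second layer from the first answer: if a Referer is sent, it must name
// our host. Clients and proxies that strip it are still allowed through.
function refererOk(?string $referer, string $ourHost): bool {
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ourHost) === 0;
}

// Call this first in search_data.php etc.; it ends the request with 403
// unless the token and Referer checks both pass.
function requireAjaxToken(): void {
    $expected = ajaxToken();
    if (!ajaxTokenValid($_GET['token'] ?? null, $expected)
        || !refererOk($_SERVER['HTTP_REFERER'] ?? null, $_SERVER['SERVER_NAME'] ?? '')) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// In search.php, hand the token to the page's JavaScript and send it with
// every $.get, e.g. $.get('search_data.php', {q: q, token: ajaxToken}, cb):
//   require 'ajax_guard.php';
//   echo '<script>var ajaxToken = ' . json_encode(ajaxToken()) . ';</script>';
```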
