calling PHP with HTTPrequest security

  • geek7

    calling PHP with HTTPrequest security

    Hello all! I have written a helpdesk ticket webapp which uses many
    javascript calls to different php scripts to update a mysql database.
    My question is, a) is there a way to prevent access from users trying
    to access the php scripts via a URL..ex..

    http://www.???.org/scripts/getTicket...3234&user=jdoe

    and if so, b) what is the best way to do this? I can't hide these in a
    different, non-web directory because then I can't access the scripts
    once the page loads. I'm sure this is a simple yes there is or no
    there isn't a way type question, but I can't figure out what to do.
    Any input is greatly appreciated, and if I missed this in a previous
    post I apologize, I tried searching and couldn't find any posts related
    to this. Thanks!!

  • Hendri Kurniawan

    #2
    Re: calling PHP with HTTPrequest security

    Unless there are other solutions that I'm not aware of:
    a) Short answer: no.
    b) - Checking whether the request is malformed (example: a request
         must always have tid and user).
       - Authenticate the user before retrieving their ticket? (Inferring
         from the URL, you are trying to retrieve an entry.)
       - Take precautions against SQL injection.

    Just my 2cents,

    Hendri Kurniawan



    • Rik

      #3
      Re: calling PHP with HTTPrequest security

      geek7 wrote:
      Hello all! I have written a helpdesk ticket webapp which uses many
      javascript calls to different php scripts to update a mysql database.
      My question is, a) is there a way to prevent access from users trying
      to access the php scripts via a URL..ex..
      >
      http://www.???.org/scripts/getTicket...3234&user=jdoe
      >
      and if so, b) what is the best way to do this?
      1. Use HTTPS, HTTP is not secure.
      2. Authenticate, either by authentication headers sent to the server or by
      some cookie/session.
      --
      Rik Wasmus



      • geek7

        #4
        Re: calling PHP with HTTPrequest security

        Thank you much for the replies. Question though, I would like to use
        authentication since I already am using that for the site. I use
        php/mysql with session_start (not sure what that's called) as
        authentication. However, I can't seem to figure out how to add this to
        the php scripts I am calling since they are being called from a
        javascript function (I suppose this would fall under the realm of
        AJAX). Should the session variable still be available from these
        addTicket.php, getTickets.php, etc.? Thanks again!



        • Rik

          #5
          Re: calling PHP with HTTPrequest security

          geek7 wrote:
          Thank you much for the replies. Question though, I would like to use
          authentication since I already am using that for the site. I use a
          php/mysql with session_start (not sure what that's called) as
          authentication. However, I can't seem to figure out how to add this
          to the php scripts I am calling since they are being called from a
          javascript function (I suppose this would fall under the realm of
          AJAX). Should the session variable still be available from these
          addTicket.php, getTickets.php, etc.? Thanks again!

          If you use a cookie based session, usually the cookie is sent with the
          javascript request, regardless of whether it is set by js, by the server on a
          page request or otherwise. You can just use the same code as you would use
          when serving the user a page.

          If you use a GET or POST based session you will have to make sure it is
          sent to the browser manually, in building the request (or the form fields or
          urls when you build the page).
          --
          Rik Wasmus
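
Added example, not part of any poster's message: a sketch of a `getTicket.php` endpoint that combines the checks suggested in replies #2, #3 and #5 (session authentication, rejecting malformed requests, prepared statements). The `$_SESSION['user']` key, the `tickets` table with its columns, and the database name and credentials are assumptions made for illustration.

```php
<?php
// getTicket.php: added illustration, not code from this thread.
// Assumptions: the site's login code stores the username in $_SESSION['user'];
// a table `tickets` (id, owner, subject, body) exists; DSN and credentials
// below are placeholders.
declare(strict_types=1);

function fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// Same call as on the regular pages. With a cookie based session the browser
// attaches the session cookie to the XMLHttpRequest as well.
session_start();

// 1. Authenticate: a request without a logged-in session gets nothing,
//    whether it came from the page's JavaScript or a URL typed by hand.
if (empty($_SESSION['user'])) {
    fail(401, 'not logged in');
}

// 2. Reject malformed requests: tid must be present and a positive integer.
$tid = filter_input(INPUT_GET, 'tid', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($tid === null || $tid === false) {
    fail(400, 'tid must be a positive integer');
}

// 3. Prepared statement (no SQL built from request data). The owner comes
//    from the session, not from a user= parameter the client controls, so
//    one logged-in user cannot read another user's ticket.
$pdo = new PDO('mysql:host=localhost;dbname=helpdesk;charset=utf8mb4',
    'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
$stmt = $pdo->prepare(
    'SELECT id, subject, body FROM tickets WHERE id = :tid AND owner = :owner');
$stmt->execute([':tid' => $tid, ':owner' => $_SESSION['user']]);
$ticket = $stmt->fetch(PDO::FETCH_ASSOC);

if ($ticket === false) {
    fail(404, 'no such ticket');   // same answer for "missing" and "not yours"
}
header('Content-Type: application/json');
echo json_encode($ticket);
```

The calling JavaScript should treat a 401 response as "session expired" and send the user back to the login page rather than retrying.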



          • geek7

            #6
            Re: calling PHP with HTTPrequest security

            Good deal, this will definitely be what I need, one last question.
            Currently I am using a POST session.. Is it much work to switch to
            cookie based? I have actually never used cookies before. I greatly
            appreciate your help. Thanks!


            • Rik

              #7
              Re: calling PHP with HTTPrequest security

              geek7 wrote:
              Good deal, this will definitely be what I need, one last question.
              Currently I am using a POST session.. Is it much work to switch to
              cookie based? I have actually never used cookies before. I greatly
              appreciate your help. Thanks!

              Well, just call the php pages with javascript using the session postfield
              and it should be easy.

              --
              Rik Wasmus

