I have a dataTable with server-side processing but I don't know how to secure the ajax call because if anyone go to the ajax php file can read all the content.
This is my jquery:
$(document).ready(function() {
$('#netflow').DataTable( {
aaSorting: [[ 5, "desc" ]],
responsive: {
details: {
renderer: function ( api, rowIdx ) {
var data = api.cells( rowIdx, ':hidden' ).eq(0).map( function ( cell ) {
var header = $( api.column( cell.column ).header() );
return '<p style="color:#00A">'+header.text()+' : '+api.cell( cell ).data()+'</p>'; // changing details mark up.
} ).toArray().join('');
return data ? $('<table/>').append( data ) : false;
}
}
},
processing: true,
serverSide: true,
ajax: "/adm/includes/netflow_processing.php",
} );
var oTable = $('#netflow').dataTable();
var table = $('#netflow').DataTable();
$('#netflow_filter input').unbind();
$('#netflow_filter input').bind('keyup', function(e) {
if(e.keyCode == 13) {
oTable.fnFilter(this.value);
}
});
// Añadir filtro para cad acelda
$('#netflow tfoot th').each( function (i) {
$(this).html( '<input type="text"/style = "width: 100%; " placeholder="Filtra...">' );
} );
// Aplicar filtro al introducir en cada celda
table.columns().eq( 0 ).each( function ( colIdx ) {
$( 'input', table.column( colIdx ).footer() ).on( 'keyup change', function () {
table
.column( colIdx )
.search( this.value )
.draw();
} );
} );
} );
And this is the ajax script:
<?php
$table = 'netflow';
$primaryKey = 'id';
$columns = array(
array( 'db' => 'flow_src', 'dt' => 0 ),
array( 'db' => 'flow_dst', 'dt' => 1 ),
array( 'db' => 'flow_proto', 'dt' => 2 ),
array( 'db' => 'out_packets', 'dt' => 3 ),
array( 'db' => 'in_packets', 'dt' => 4 ),
array( 'db' => 'flow_start', 'dt' => 5 )
);
$sql_details = array(
'user' => '6g43tfr3',
'pass' => 'XXXXXXXXX',
'db' => 'DBNAME',
'host' => 'bbdd.localdomain'
);
require( 'ssp.class.php' );
echo json_encode(
SSP::simple( $_GET, $sql_details, $table, $primaryKey, $columns )
);
How can I make a hash/token request?
First of all, I can't see any check that the user is logged, or some other check. You can create user with levels. Admin user, normal user and give him access code. You can use this pseudo code.
$access = false;
$user == isAdmin() {
$access = true;
}
if($access == false) return redirect;
Second, you can make some check that is AJAX requirest.
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
/* special ajax here */
}
And in this scopes you can make additional check ( for login, access level, etc. ) , BUT there's no 100% way to detect if the request was made via ajax. Even if someone sends header with
"X-Requested-With: XMLHttpRequest"
You could simply check HTTP_REFERER. HTTP_REFERER is overwritten by the browser and cannot be altered meaning you cannot fake a request as it was called from within your script. So if name of the page (referer) that legally may access your script is
(check what your script is called by echoing out $_SERVER['HTTP_REFERER']) then add
<?
if ($_SERVER['HTTP_REFERER'] != 'http://example.com/page42') {
header('HTTP/1.0 403 Forbidden');
die('You are not allowed to access this script.');
}
...
as the very first lines to your /adm/includes/netflow_processing.php script.