I am building a type of CRM using AJAX, PHP and MySQL. I am building the solution with GET and POST requests using AJAX XHR requests. My question is, what is the best way to make sure these requests are secure from any type of hack or attack? I want to make sure my clients' data and this CRM are secure.
Right now I am just using long-hand AJAX/JavaScript. I don't use much jQuery. My request looks something like this:
function getContacts()
{
    var xmlhttp;  // declared locally so it is not an implicit global
    if (window.XMLHttpRequest)
    {   // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    }
    else
    {   // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function()
    {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
        {
            // the response body is inserted into the page as raw HTML
            document.getElementById("div").innerHTML = xmlhttp.responseText;
        }
    };
    xmlhttp.open("POST", "xhr_php/getContacts.php", true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    var contact = document.getElementById('contact_id').value;
    // URL-encode the value so characters such as '&' or '=' do not break the form body
    xmlhttp.send("contact=" + encodeURIComponent(contact));
}
My PHP file looks like this:
<?php
// the POST value is interpolated straight into the SQL string
$contact = $_POST['contact'];
$sql = "SELECT *
        FROM contacts
        WHERE contacts.contact_id = $contact";
So this is the basic method I have used not only to retrieve data but also to insert records and run all other queries. My question is, what is the best way to secure these requests and SQL queries so that all the data is secure? I want to make sure this is a secure CRM solution so that data can't be corrupted, stolen, injected, hacked, etc. Thank you for your help.
This is not secure; it is vulnerable to an SQL injection attack, which has nothing to do with Ajax, POST or GET. You should not be building SQL statements in that way. Your question isn't well suited to Stack Overflow - "How do I make my code secure" is a vast topic that can't be answered in a simple way. If you are building this in a professional capacity, please seek out a more senior developer to help you with this - if you are making basic SQL injection mistakes, then it is very unlikely you will be able to build an entire CRM package on your own while making it secure.
This should be immune to SQL injection:
<?php
// intval() coerces the input to an integer, so nothing but digits reaches the query
$contact = intval($_POST['contact']);
$sql = "SELECT *
        FROM contacts
        WHERE contacts.contact_id = $contact";
$result = mysql_query($sql);  // requires an open mysql_connect() connection
You should use PDO. Following is example code; you can modify it as required.
<?php
$host = 'localhost';
$dbname = 'contacts';
$username = 'anyuser';
$password = 'your password';
$conn = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
// throw exceptions on errors instead of failing silently
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// If contact is an int value then pass it through the intval function
$contact = intval($_POST['contact']);
// the placeholder :contact_id is bound separately; the value is never part of the SQL text
$sql = 'SELECT * FROM contacts WHERE contacts.contact_id = :contact_id';
$statement = $conn->prepare($sql);
$statement->bindParam(':contact_id', $contact, PDO::PARAM_INT);
$statement->execute();
// Use $result in your page
$result = $statement->fetch(PDO::FETCH_ASSOC);
You can do insert / update with PDO as well:
$stmt = $conn->prepare("INSERT INTO Table (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
$stmt->execute();
Hope this helps.
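As an added example (not code from any of the posters), here is the getContacts.php endpoint from the question rewritten around this answer's PDO approach, assuming PHP 8 and placeholder connection details; it also shows why validating the id with FILTER_VALIDATE_INT is stricter than intval().

```php
<?php
declare(strict_types=1);

// Placeholder connection details; keep real credentials outside the web root.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=contacts;charset=utf8mb4';
    return new PDO($dsn, 'anyuser', 'your password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares, not client-side quoting
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Returns the contact row, or null when the id is invalid or unknown.
function fetchContact(PDO $pdo, mixed $rawId): ?array
{
    // Unlike intval(), which turns "abc" into 0, FILTER_VALIDATE_INT rejects it outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The id travels as a bound parameter; it is never part of the SQL text.
    $stmt = $pdo->prepare('SELECT * FROM contacts WHERE contact_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

header('Content-Type: application/json; charset=utf-8');
try {
    $row = fetchContact(connect(), $_POST['contact'] ?? '');
    if ($row === null) {
        http_response_code(404);
        echo json_encode(['error' => 'contact not found']);
    } else {
        echo json_encode($row); // JSON, so the client decides how to render it
    }
} catch (PDOException $e) {
    error_log($e->getMessage()); // details stay in the server log, not the response
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
}
```

Returning JSON instead of an HTML fragment means the JavaScript side can build the DOM from the fields itself rather than assigning the raw response to innerHTML.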