My question is about PHP security for this particular operation:
I want to use javascript to pull all json files from a particular directory on my web server. I have done like so: I pull all the correct file names with this PHP script ("get-data.php"):
<?php
echo json_encode(glob('*.json'));
?>
Then I move that array into javascript with
var oReq = new XMLHttpRequest();
oReq.onload = function() {
fileNames = JSON.parse(this.responseText);
};
oReq.open("get", "get-data.php", true);
oReq.send();
Then I use the following to read the files into an array:
function getMapInfo(fileName){
$.get(fileName, function(result) {
var map = JSON.parse(result);
mapData.push(map);
});
}
I got some of this code from here: How to pass variables and data from PHP to JavaScript? and I have read up on xss a little here and here and it is my understanding that "untrusted data" is data that the user would enter which would then be run in a script? I believe that my above solution doesn't contain unsafe data since it only pulls files that are already on my server, is that correct?
Overall, my question is: is this a safe way to allow my code to retrieve multiple unknown files from my server? Eventually, I want uses to "save" map data to the server which will then be read by the above script for others to see.
Thanks very much,
Jordan
Yes, this is perfectly safe. You will just need to ensure the security is part of the php code when needed, by limiting or filtering what it can select (already fine there) and how .json files are validated and stored, once that is addressed you will be fine and your existing solution is perfectly safe. You can also modify .htaccess file to hide folder content if you have a concern about others viewing directories on your website.