I am developing a Web Application in which various modules and scripts has been developed. Now with the usage of various PHP scripts and javascript the application is working as per expectation.
I am willing to prevent the un-authorized execution of PHP Script. I mean the application has javascript whereby the Post parameters are posted as variable are written in javascript whereby anybody can view the details of passing values to php scripts. Also I cannot bypass such action as it does some necessary data manipulation, addition, modification and deletion to the records of the database.
If someone with bad intention read the javascript and sends the similiar type of parameters to the PHP script via the POST Parameters the web application would not be able to identify if the request is from authorized user or from the un-authorized user.
Suppose if some operation in web application does deletion of customers with ajax via jquery, it would be written somewhere in javascript like
var request = $.ajax({
url: "phpscript.php",
type: "POST",
data: {DataInp: 'CustomerNo', Action: 'delete'}
});
request.done(function( msg ) {
SRes = msg;
});
request.fail(function( jqXHR, textStatus ) {
SRes = false;
alert( "Request failed: " + textStatus );
});
return SRes;
I am using session variables which contains some logged in information and authentic validation, I am worried about such dangers that could happen.
Also if some body uses following
<img src="http://www.dummy-application.com/delete_record.php?id=123" />
And now ask the user to open this webpage. Now since the user is logged into the application the url will be triggered and whatever action necessary would be taken by the script.
So basically a hacker has made the request which is technically valid but it is un-authorized. So technically speaking the problem here is that the server will not be able to identify if the user willingly called the url or not. Hence there needs to be a mechanism to this from happening.
I want is a simple way to verify or identify if is authentic or from a fraud when doing such important tasks. So i want to prevent a hacker who could send fraud request in a valid manner to PHP Script
If anybody has solution and such action could be prevent, i seek help and suggestion as how to implement it.
I am sorry for my poor English as English is not our primary language. But i request all to please guide me in the matter.
I guess you have to work with tokens. In a nutshell, when an authorized user is requesting a page, you also send a newly generated token (that has an expiration time set) with the page. When a request is received you check if a token is posted and if it is (still) a valid token and, if so, execute the script.
You might add an authentication and authorization layer to your script or application.
Authentication: user is known to the system. Who is the user?
Authorization: user is allowed to do a certain action. Is user X authorized to perform action Y?
You can improve this by adding "tokens" or "time-windows".
For instance, the authentication times out, after 15 minutes. Feature is called: auto-log out.
Another strategy would be to spice up your forms with "tokens" or "time-windows".
For instance, the authorization to perform an action is only valid for 2 minutes, after a form was requested. You might add a time signature to the session and form.
Or, the authorization to perform an action is only valid, if the correct auth token is send. This auth token is only inserted, if a authenticated user requests the form. The form is only processed, if a user is (a) authenticated and (b) the form token is correct.
Token-Auth is quite common, but you have lot's of options to add security features.
When it comes to AJAX requests: it's common do pass the token via headers. Like, X-Requested-With: XMLHttpRequest + X-MyApplication-AuthToken: <token>.
There are a lot of PHP libraries around. Do not reinvent the wheel. Especially not, in regard to security stuff, where little logic mistakes might punch big holes into your app. Use a library with lots of users or a commonly used framework, which provides solid authentication and authorization helpers.
Additionally, you can also try to protect your server from random URL accesses by checking your logs and blocking bad bots and crawlers.