CSRF protection when making web apps using AJAX and no inline php - javascript

Just starting to get my head around rebuilding an app so all php is
accessed via AJAX ie no inline php, in preparation for making it a
native app using Phonegap.
One thing I'm wondering - currently (as the site is now with inline php)
I use random string generation to determine if the call is coming from
my site (this is to help avoid CSRF, right)?
ie...
create rand str
chuck it in session
send it with any AJAX calls, and check it matches the one in session
How is this possible when you're not using inline php? Do I have to...
from the first AJAX call, create a rand str in php during the call,
and return it
store the str in a js var
send it back in the next AJAX
check it matches the one in session, and if so all is good
create a fresh rand str, and send it back to AJAX, ready for the next
AJAX call
?
if the above is correct, how do you know the very first AJAX call hasn't been hacked?
Thanks for your help.

Related

How to pass a value to MySQL from an infinitely looping Javascript function?

I'm trying to write a simple web app that will read from a 1D barcode and insert the value to a MySQL database.
Ideally this website will access to a camera and just scan the barcodes, that are shown to it. There will be no further user interaction.
I have achieved scanning the barcodes and extracting the information in Javascript using ZXing. Now my research has shown me that you can't just insert a php inside javascript. So I must stop the infinite loop of the function and pass data to php, where it can be inserted to MySQL. However after I return from the function and update the database, I need to refresh the webpage to scan a new barcode.
The problem is here I don't want to refresh the webpage because the browser, that runs the webpage won't have any mouse/keyboard(user interaction). How can I call a javascript function infinite times without refreshing my browser?
After scaning, send data to php by ajax (try some javascript framework like jQuery or others...)
By javascript, you can refresh page in oncomplete state of ajax request without any keybord or mouse action.
I think your best chance is to take a look to javascript Ajax calls.
In client side
- The infinite loop call to a function that handles de ajax call. That ajax call should sent a GET o POST to a php page.
- You don't need to refresh the page. If you need to return some data, do it in the ajax response function.
In the server side
The .php handle the insertion of data to MySQL.
Recomendation:
Use jQuery, a javascript library: https://jquery.com/
Take a look:
Using Jquery Ajax to retrieve data from Mysql

PHP/AJAX Requests: session_start(): Cannot send sesssion cache limiter - headers already sent

I have a problem which I can not find a solution to:
After a mouse keypress (onclick="") in my web application, I call a PHP function via AJAX request. This is nothing unusual. However, the PHP function needs to access some session variables. As I call the PHP function via HTML5 onclick and AJAX request, the webpage is already rendered, which probably means the headers have already been sent.
Probably, as a result of that, I get the following error:
session_start(): Cannot send session cache limiter - headers already sent
The key information here is that my PHP function called through AJAX Request does not output anything to the browser before calling session_start().
Is there any solution to this, please? Originally, I thought, AJAX function calls are independent from rendering the webpage and I could basically call session_start() at any time via AJAX. But now, it looks to me, that I can not call session_start() from my PHP function if called with AJAX request, just because all the AJAX calls are performed after rendering the webpage and thus after sending the headers?
Client Side: HTML5, JavaScript (no jquery)
Server Side: PHP, MySQL
If you have any idea for a workaround, that would help. Because of security reasons, I do not want to pass needed parameters as POST arguments. Because of speed reasons, I do not want to access them from my MySQL database. I would really like to know, if there is a way to access session variables through AJAX calls.
What I would like to know, if it is possible to replace AJAX calls with local PHP function calls. Then, I could take advantage of PHP global variables.
Thank you.

Prevent fake looping ajax requests to PHP

On my website, I have created a comment section for blog posts. Users can write comments, click a button, and an AJAX request will be sent to PHP containing the data in JSON. The PHP will process & validate the data and then insert it into the database. On success, all comments are retrieved from the database and, using JQuery, all of the page's comments are reloaded.
The problem is that anyone can come along and, using their browser's console, forge an AJAX request, fill in their own JSON, and send the request to PHP. If done like this, all that happens is my client-side validation is useless. The server-side validation would still work. However, there's a bigger problem.
for(var i = 0; i < 10000; i++) {
//ajax request
}
The user can very easily insert thousands and thousands of records into my database instantly.
Does anybody have any suggestions on how I can prevent something like this from happening? It must involve creating something on the server side that can't be guessed by a user, and somehow checking against that during an AJAX request. I'm just not sure how exactly to go about this.
Thanks for the help.
The only way for you to be safe in this respect is to add a CAPTCHA.
This will prevent mass / automated posts. One possible library to use is Securimage . It is simple to use and integrate. You can have it running in 10 minutes with your AJAX stuff.
Relying on other means such as cookies or client side validation of some sort is risky, if possible at all. For instnace KA_lin 's solution can be compromised in 5 minutes: a malicious user can be sending forged cookies that will always have a page count of 0 and thus will always be allowed to post. Or even worse, he could create a small program that will post to your page without sending any cookie at all. The above code will create a new cookie and accept his post, every time ...
I would add a session variable containing the number of posts a user makes, given many pages you can form something like $SESSION['page_id_total_nr_comments'] and track this number, add a config variable that let`s the use to add a maximum of X comments per article for example:
function canUserAddComment($pageId){
$maxAllowed =......;
if(!isset($SESSION[$pageId+'_nr_comments'])){
$SESSION[$pageId+'_nr_comments'] = 0;
}
if($SESSION[$pageId+'_nr_comments']< $maxAllowed){
$SESSION[$pageId+'_nr_comments']++;
return true;
}
return false;
}
OR
On save get the number of comments a use already made on the article and decide if ha can make another(still with a config variable)

Do javascript has function where it send an alert/notification email to recipient within a given period?

I am new here and I have a question on javascript. Do javascript has function where it can automatic send an alert/notification email to recipient within a given period? For example, in the database, there is a "date" attribute. I want a javascript function to send an email automatically after 3 days starting from the "date" in the database..Thanks in advanced
Unfortunately, JavaScript (the way you are experiencing it) is a client-side language and cannot do what you want by itself. You will have to "ask" a server-side language to do that for you (note that JavaScript has a framework built on top of it that runs server-side, thanks #Cuberto)
Basically, you can do the scheduling in two ways:
1) Perform a countdown in the client browser, and when the timer hits 0 initiate a mail-sending request towards the server (very impractical, and sometimes outright impossible, as in your 3-day example).
2) Initiate a request immediately, and use cron or equivalent Windows service to do the scheduling for you (the "right", and much preferred, way).
You can't send an email directly with javascript.
You can use php or asp or something else that have server functionality.
For sending emails JavaScript is not the right language. JavaScript is executed on the client side from where you cannot send emails (unless you use node.js). It also doesn't have access to the database which is on the server side.
What you are looking for is probably a PHP script to send emails. From php it is quite simple, just use the mail-function (http://www.php.net/manual/de/function.mail.php).
For sending automatically after a period, you need to implement some logic. I'd implement a script that is executed regularily that checks whether it is time to send the email and after it has been sent, it will be marked as sent in the database, such that is it not send again.

Appending my jsession ID at every ajax call by Jquery

I am running my web application on Weblogic
application server.I am making several ajax calls in my application via Jquery UI $ajax and other Jquery Plugins (i.e. Jquery Datatables and JSTree)
Now i need to maintain same session in all these calls.Any user in the same session should only be allowed to do this.For this i am trying to append the JSESSIONID to every ajax call.
The problem with this approach is that i don't know how to get this value in my javascript file.If i write my code in JSP ,i can do that but in javascript i do not know of a way to do this.
Please help me with a way to set it into Jquery so that it gets passed with every request.
Thanks
The best solution is to put it in a session cookie, which will be passed with the AJAX requests and can be interpreted by the server. No changes needed to any JavaScript AJAX requests.
The next would be more complicated. You could write a jQuery.ajaxSend() function that checks the request url (to make sure it's one you need to add the session ID to) and add the sessionID to the data object before the AJAX request is made.

Categories

Resources