Programming Code that Block Unauthorized Users to Pass Data to My PHP File
-
Hello. I made a WordPress plugin with a JQuery-AJAX/JSON code in a php file like this:
$(document).ready(function(){ $.post(“/wp-content/plugins/SLMS/UserRecord.php”, { saveUserBtn: “Save”, FName: fname, LName: lname, UNumber: unumber, address: address, contact: contact, email: email }, function(data, status){ document.getElementById(‘userr-page-notice’).innerHTML = data; if(data.includes(“New record saved.”)) { document.getElementById(“userRecord”).reset(); } }); });/** end of code */
I also notice that any user can view my javascript code with their own browser. I also noticed that any user/unauthorized user can copy these JQuery-AJAX/JSON code and pass/save/modify data to MySQL database using the link to my php file. I will also write the code for my php file:
if(isset($_POST[‘saveUserBtn’]) and $_SERVER[‘REQUEST_METHOD’] == “POST”) { insertRecord(); } elseif(isset($_POST[‘searchUNBtn’]) and $_SERVER[‘REQUEST_METHOD’] == “POST”) { searchUNRecord(); } elseif(isset($_POST[‘updateUserBtn’]) and $_SERVER[‘REQUEST_METHOD’] == “POST”) { updateRecord(); } /** some php code with MYSQL connection and MYSQL Login Credential */ /** end of code */I notice that many developers also used these kind of JQuery-AJAX/JSON codes. I want to know what is the code to block unauthorized users to access/pass data to my php file when unauthorized users use JQuery/JSON code. I will also mention “web host cpanel File Permission” to see if this web server configuration can help.
-
Hi Zagreus. Thanks for reply. Yes, a user will see my javascript code. That is why I am asking if there is a way to block unauthorized access to php file. I will also mention web host CPANEL File Permission if this can help.
I also read the article for nonce. I am not fully understand the article and I do not how to use nonce. Can you give me an example code base on the JQuery AJAX/ PHP code I gave in the post.
Hi to all. Sorry for late reply. It took me 4 days to choose how block unauthorized access to my WordPress php plugin file using JQUERY AJAX.
I tried to to use wordpress is_user_logged_in() function but you can only use this function if the php file is included on WordPress plugin main php file.
I decided to choose PHP SUPERGLOBALS $_SERVER[‘HTTP_REFERER’]; over PHP Session code $_SESSION[“session_name”];
I will add sample code:
/** javascript JQuery AJAX code of my php file which can copy/get through a browser by any user */ $(document).ready(function(){ $.post("/wp-content/plugins/SLMS/UserRecord.php", { saveUserBtn: "Save", FName: fname, LName: lname, UNumber: unumber, address: address, contact: contact, email: email }, function(data, status){ document.getElementById('userr-page-notice').innerHTML = data; if(data.includes("New record saved.")) { document.getElementById("userRecord").reset(); } }); });/** Here is the code to my other php file that contains database access and saving data to databse */ <?php if($_SERVER['HTTP_REFERER'] == "https://iammarviin26.000webhostapp.com/user-record/") { if(isset($_POST['saveUserBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") { insertRecord(); /** insertRecord(); echo "working" ; */ } elseif(isset($_POST['searchUNBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") { searchUNRecord(); /** searchUNRecord(); echo $_POST['searchUN']; echo "Success";*/ } elseif(isset($_POST['updateUserBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") { updateRecord(); /** updateRecord(); echo $_POST['ID']; echo "Update Status";*/ } } /** Other php code/script that contains database credentials/sql script */ ?>While using PHP SUPERGLOBALS $_SERVER[‘HTTP_REFERER’]; any users cannot access my php file without the correct http referrer and actively login to my web application.
In case you cannot use wordpress is_user_logged_in() you can use SUPERGLOBALS $_SERVER[‘HTTP_REFERER’]; or PHP Session code $_SESSION[“session_name”];
Any suggestion or comment
Thanks
The topic ‘Programming Code that Block Unauthorized Users to Pass Data to My PHP File’ is closed to new replies.