Datatables server processing outputs the full content of the database in the address bar

MRBRMRBR Posts: 3 Questions: 1 Answers: 0

Hi.

I’m not a programmer so I don’t know how to use the right terminology.

My issue is that I managed to build a functional website that connects to a mysql database and displays the content using Datatables.

I disabled pagination and limited the rows to 10 at a time.

The PHP script that I used was built with pieces gathered across the internet. Therefore, I wasn’t confident enough to trust the integrity of the database due to possible SQL injections and other vulnerabilities.

I had a look at Datatables server processing examples and since they use PDO I assumed Datatables’ scripts were more secure.

However, after plugging everything into my database, I noticed that if someone writes the path and name of the PHP file in the address bar, Datatables’ script outputs the full content of the database to a blank page.

The PHP file that I had used only outputs a single sentence: error to fetch data.

I would rather use Datatables’ example but I don’t want the content of my database to be so easily accessible.

Is there a simple way of making the Datatables example also refuse to output the full content of the database?

Thanks.

Answers

  • MRBRMRBR Posts: 3 Questions: 1 Answers: 0

    Your test case as an example: https://datatables.net/examples/server_side/scripts/server_processing.php

    My question is: how do I make the server respond with “error to fetch data” instead?

  • MRBRMRBR Posts: 3 Questions: 1 Answers: 0

    I found a solution by placing this on the top of the PHP script.

    // Rebuild the URL that was requested, including any query string.
    $currentPage = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

    // basename() keeps any "?..." query string, so this only matches a plain GET for the
    // bare script name (no DataTables parameters): someone browsing to the file directly.
    // Answer with a 404 page instead of the data.
    if ($_SERVER['REQUEST_METHOD'] == "GET" && strcmp(basename($currentPage), basename(__FILE__)) == 0)
    {
        http_response_code(404);
        include('404.php');
        die();
    }
    

    Is this code safe to use? After patching this, are there other easy ways of someone seeing the full content of a database?

    I know there is always a way, but I was surprised how easy it was to see the full content of the database.

    Thanks.

  • allanallan Posts: 61,665 Questions: 1 Answers: 10,096 Site admin

    Yes - that is the correct way to do it. You could also add a check to make sure that $_GET['draw'] is set since DataTables will always send that for server-side processing requests.

    After patching this, are there other easy ways of someone seeing the full content of a database?

    Yes - simply set the page size to be something really large.

    I know there is always a way, but I was surprised how easy it was to see the full content of the database.

    The server-side processing script isn't designed to restrict access at all. Its whole point is to give access to the data in the database table. Indeed, even if you restrict everything so there is no way for a request to get all data, all a person would have to do to get the full data from the db would be to request each page of data! That's why I've never considered putting any other access restriction. That said, if your page is behind a log in, then absolutely it should check the login credentials!

    Allan
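As an added example (not DataTables' own code, and not posted by anyone in this thread), a guard in the spirit of Allan's reply that can sit at the top of server_processing.php before SSP::simple() is called: it requires a logged-in session, requires the draw parameter, and caps the page size. The $_SESSION['user_id'] key, the MAX_PAGE_LENGTH constant and the ssp_guard() function are assumed names, not part of the DataTables example.

```php
<?php
// Added example, not DataTables' own code. Prepend to server_processing.php,
// before SSP::simple($_GET, ...) is called. $_SESSION['user_id'] is a
// hypothetical session key that your login page is assumed to set.
session_start();

const MAX_PAGE_LENGTH = 100;   // largest page a client may request (assumed limit)

// End the response with a JSON error body and the given HTTP status.
function json_fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// Validate and sanitise the DataTables request parameters. Returns the
// cleaned request array to hand to SSP::simple(), or ends the response.
function ssp_guard(array $request): array
{
    // 1. Only logged-in users may query the table. This is the control that
    //    actually matters: paging alone can still walk the whole table.
    if (empty($_SESSION['user_id'])) {
        json_fail(403, 'Not authenticated');
    }

    // 2. DataTables always sends 'draw' for server-side processing, so a
    //    request without it is someone browsing to the script directly.
    if (!isset($request['draw']) || !ctype_digit((string) $request['draw'])) {
        json_fail(404, 'Not found');
    }

    // 3. Cap the page size. DataTables uses length = -1 to mean "all rows"
    //    and the SSP helper then omits LIMIT, so clamp that case as well.
    $length = isset($request['length']) ? (int) $request['length'] : 10;
    if ($length < 1 || $length > MAX_PAGE_LENGTH) {
        $length = MAX_PAGE_LENGTH;
    }
    $request['length'] = $length;
    $request['start']  = max(0, (int) ($request['start'] ?? 0));

    return $request;
}

// In server_processing.php, replace SSP::simple( $_GET, ... ) with:
//   echo json_encode( SSP::simple( ssp_guard($_GET), $sql_details, $table, $primaryKey, $columns ) );
```

Only the page-size cap slows a determined client down; as Allan notes, the login check is the control that actually decides who can read the table.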

This discussion has been closed.