Protect Server-side php from direct access.

Gareth_spiers Posts: 2 Questions: 0 Answers: 0

Hi,

I'm using the datatables editor and have the following structure:
/includes
---->Various Auth PHP files
/Tables
---->page.php
---->/js
--------->table.page.js
---->/php
--------->table.page.php

Basically straight out of the generator, except I've converted the HTML file it generates to PHP and included a login check. That all works fine.

However, I want to stop people going directly to the /tables/php/table.page.php file and getting the json data.

I've tried simply including a check for the session username variable (see lines 2-5 below)

<?php
include_once '../../includes/functions.php';   // auth helpers, including sec_session_start()
sec_session_start();                            // resume the login session before anything is output
//$username = $_SESSION['username'];
if (empty($_SESSION['username'])) { exit; }     // no logged-in user: stop before any JSON is produced

/*
 * Editor server script for DB table customers
 * Created by http://editor.datatables.net/generator
 */

// DataTables PHP library and database connection
include( "lib/DataTables.php" );


// Alias Editor classes so they are easy to use
use
    DataTables\Editor,
    DataTables\Editor\Field,
    DataTables\Editor\Format,
    DataTables\Editor\Mjoin,
    DataTables\Editor\Options,
    DataTables\Editor\Upload,
    DataTables\Editor\Validate,
    DataTables\Editor\ValidateOptions;


// Build our Editor instance and process the data coming from _POST
Editor::inst( $db, 'stats_totalDownloads', 'x' )
    //->readTable('stats_totalDownloads')
    ->fields(
        Field::inst( 'x' )
            ->set( false )
            /*->getFormatter( Format::datetime( 'Y-m-d', 'Y-m-d' ) )
            ->setFormatter( Format::datetime( 'Y-m-d', 'Y-m-d' ) )*/,
        Field::inst( 'y' )
            ->set( false )
    )
    ->process( $_POST )
    ->json();

And that works fine for viewing the page directly: if you are not logged in you get nothing, and if you are logged in you get what looks like the same JSON you'd normally get without the check in place.

However, the actual page that displays the table now gives an invalid json error.

If I just remove the exit; command on line 5

if ($_SESSION['username'] == '') {/*exit;*/};

It then displays the table fine but you can then access the serverside page again.

Can someone point me to the best practice for protecting the server-side PHP file?

Cheers,
Gareth

Replies

  • compucon Posts: 5 Questions: 2 Answers: 0

    I would suggest you use the browser's developer tools and check the AJAX response when you have that check enabled.

    The most likely reason is that there is some output pushed out in that functions.php or sec_session_start(), which pollutes the JSON output.

  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    Let me just check my understanding of the issue - when you are not logged in, it is showing a console error, and that is what you want to resolve?

    If so, there are two options:

    1. Don't allow access to the page in the first place when not logged in (i.e. put a session check in it as well).
    2. Use:

    if ($_SESSION['username'] == '') {
        echo json_encode([
            "error" => "You must login",
            "data" => []
        ]);
        exit();
    }

    So it will return JSON that DataTables is expecting and show an error.

    Allan
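    The following is an added example, not code from this thread or from the DataTables/Editor project. It combines the two suggestions above: compucon's point that stray output from functions.php or sec_session_start() corrupts the JSON, and Allan's point that the guard should answer with the JSON shape DataTables expects rather than an empty body. It assumes the poster's sec_session_start() helper in includes/functions.php and a $_SESSION['username'] value set at login; deny_json() and is_logged_in() are names constructed here.

```php
<?php
// Added example: JSON-aware login guard for the top of the generated
// Editor server script (tables/php/table.page.php in the question).
// Assumes sec_session_start() from includes/functions.php and
// $_SESSION['username'] set at login, as described by the poster.

// Start buffering BEFORE any include so that whitespace after a closing ?>,
// PHP notices or debug echoes from the auth files cannot reach the client.
ob_start();
include_once '../../includes/functions.php';
sec_session_start();
$stray = ob_get_clean();

// Constructed helper: answer with a DataTables-style error object and stop.
// DataTables reads the "error" key from a 2xx response and shows it to the
// user; "data" stays an empty array so the client still gets valid JSON.
function deny_json(string $message, int $status = 200): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    header('Cache-Control: no-store');
    echo json_encode([
        'error' => $message,
        'data'  => [],
    ]);
    exit;
}

// Constructed helper: empty() also covers a session with no 'username' key,
// which with a plain == '' comparison would raise a notice and, if notices
// are displayed, pollute the response body.
function is_logged_in(): bool
{
    return !empty($_SESSION['username']);
}

if (!is_logged_in()) {
    deny_json('You must login');
}

// Anything captured before this point is the "polluted JSON" failure mode
// compucon describes; log it server-side instead of sending it to the client.
if ($stray !== '') {
    error_log('table.page.php: discarded stray output before JSON: ' . json_encode($stray));
}

// From here the generated script continues unchanged (lib/DataTables.php,
// the Editor::inst(...) chain and ->json()), now only for a logged-in session.
include('lib/DataTables.php');
```

    Returning HTTP 200 with the "error" key matches Allan's snippet and lets the table display the message; if you prefer a 401 for the benefit of logs and non-browser clients, pass it as the second argument, but be aware that DataTables' default handling of a non-2xx response shows its generic Ajax error warning rather than the message in the body.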

  • Gareth_spiers Posts: 2 Questions: 0 Answers: 0

    Hi Allan,

    Not quite. The concern is that you could put the server-side PHP URL into the address bar and get the data without logging in (e.g. https://server/adminPanel/tables/php/table.page.php), and I wanted to secure it.
    But after adding a login check I was getting a console error when logged in.

    Turns out I was getting logged out upon accessing the page I'd secured.

    I did some more testing with the code you supplied and found that I can get it to work on MOST pages.

    The problem has turned out to be that I had started my attempt to secure the data with a stats page where I had included a chart from apex charts! (doh, really should have started with a page that only has datatables on).

    Basically, on my stats pages after the table code I have some inline script that makes an ajax call to the same PHP datasource (seemed logical to get the json from the same place). But that seems to break the session and log it out.

    If I duplicate the table.page.php file and remove the session check from that copy and repoint the charts ajax call to that address instead it works fine.

    Sorry, that's probably hard to follow! :)

    So this doesn't work

    table -> table js -> table PHP (with session check)
    chart (inline js) -> table PHP (with session check)

    and neither does

    table -> table js -> table PHP (with session check)
    chart (inline js) -> copy of table PHP (with session check)

    but this does

    table -> table js -> table PHP (with session check)
    chart (inline js) -> copy of table PHP (no session check)

    Not quite sure why making 2 ajax calls to pages with session checks breaks things.
    I even created a page with only the chart on that calls the table.page.php file with the session check and it works fine. It's only a problem if I have both elements on one page.

  • allan Posts: 61,650 Questions: 1 Answers: 10,094 Site admin

    Not quite sure why making 2 ajax calls to pages with session checks breaks things.

    I can't see why it would I'm afraid. Without being able to see the source, I'm not sure I can even guess as to why that would happen.

    Can you show me the code for a working page and for a not working page please?

    Allan

This discussion has been closed.