how to secure json browser rendering data ?
I tried to move the php folder into my /application folder, which is not visible from the web. It does not work because of the direct ajax URL to the php file.
Horrible, all the data is visible. Just test this URL:
https://editor.datatables.net/examples/php/staff.php
Is it possible to call staff.php outside the front view?
ajax: "../php/staff.php",
I have a /public folder for js, css and other things for the front end,
and an /application folder for config, models, controllers, core etc.
I want to put the /php configuration files from Editor in /application and call ajax: "/application/php/staff.php" <-- something like that,
but there is no front access to the /application folder.
In my root folder, my .htaccess:
RewriteEngine on
RewriteRule ^(.*) public/$1 [L]
and the .htaccess in the /public folder:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
My tree:
root (.htaccess redirects to /public)
root > /application [models, controllers, views, config ...]
root > /public [js, css, skin (and inside plugins/datatables/extensions/Editor/...)]
Thanks
Answers
Next...
I want to render a DataTable in my /application/view/customer.php file.
The DataTables JS is inside it.
I am in doubt, but is it possible to render staff.php directly in this file and, in the JS,
not call
ajax: "../php/staff.php",
but
ajax: "<?php echo $myjson ?>", ($myjson defined by the content of staff.php copied into my customer.php file)
That's the idea...
For now, I added this in staff.php:
define('AJAX_REQUEST', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
if(!AJAX_REQUEST) {die();}
It works: it loads the JSON data with ajax but not directly in the browser. But I think it is poor security.
I also put all my php files in a folder /editor with an .htaccess:
RewriteEngine On
# Forbid every .php file unless the request carries the XMLHttpRequest header
RewriteCond %{HTTP:X-Requested-With} !^XMLHttpRequest$
RewriteRule \.php$ - [L,F]
If not from ajax, access denied.
Also in the .htaccess:
# Flag requests whose Referer contains my domain (dot escaped so it matches literally)
SetEnvIf Referer "example\.com" localreferer
<FilesMatch "\.php$">
Order deny,allow
Deny from all
Allow from env=localreferer
</FilesMatch>
This restricts the referer domains to mine, because everybody can call my "staff.php" from an external DataTable and the XMLHttpRequest check would be useless in that case.
No - it has to be accessible by a web-browser. Otherwise how else will it be loaded? :-).
What you would normally do is use some kind of session management to restrict the data, so it can only be accessed by someone who has suitable access rights. Session management is not something that Editor attempts to provide - that is up to whatever framework or session management you are using.
The workarounds you suggest above sort of work, but they are security through obscurity. If anyone knew they could add those tokens to their HTTP request, they would still be able to access the data. Hence the need for session management and access rights.
Allan
Allan, thanks for your answer.
I use a small framework, but with good security.
I add some controllers to do what I need (load customer, CRUD...).
https://github.com/panique/huge
Cookies, sessions, customer groups, everything is present in Huge.
Yes, but I'm not sure what to do with Editor to include it in the framework controls.
"Otherwise how else will it be loaded?"
I read the docs and understood that "ajax:" can only call a URL.
But I thought it was possible to get the data another way.
I tried "data:" but nothing.
My tests:
In myview.php, I tried this:
<?php include( "/editor/staff.php"); ?>
I modified staff.php like this:
$mydata=Editor::inst( $db, 'datatables_demo' )
->fields(
Field::inst( 'first_name' )->validator( 'Validate::notEmpty' ),
Field::inst( 'last_name' )->validator( 'Validate::notEmpty' ),
Field::inst( 'position' ),
Field::inst( 'email' ),
Field::inst( 'office' ),
Field::inst( 'extn' ),
Field::inst( 'age' )
->validator( 'Validate::numeric' )
->setFormatter( 'Format::ifEmpty', null ),
Field::inst( 'salary' )
->validator( 'Validate::numeric' )
->setFormatter( 'Format::ifEmpty', null ),
Field::inst( 'start_date' )
->validator( 'Validate::dateFormat', array(
"format" => Format::DATE_ISO_8601,
"message" => "Please enter a date in the format yyyy-mm-dd"
) )
->getFormatter( 'Format::date_sql_to_format', Format::DATE_ISO_8601 )
->setFormatter( 'Format::date_format_to_sql', Format::DATE_ISO_8601 )
);
$mydata->process( $_POST );
and call "$mydata->json()" in the DataTables Editor JavaScript:
editor = new $.fn.dataTable.Editor( {
ajax: '<?php echo $mydata->json(); ?>', // not good, only a URL
.....
or data: '<?php echo $mydata->json(); ?>', // I think I don't understand the possibilities
Something like that.
This way, staff.php is not browser accessible: it is in /application/view/myview.php,
not in the /public folder.
The php file never renders JSON by itself, only the JS via <?php echo $mydata->json(); ?>.
So I'm a bit of a newbie with DataTables (+ Editor) and ajax CRUD.
Perhaps the better way is to only use DataTables without Editor and use the classic way (controller, model, view) to load my data?
You can use the data option to populate the DataTables table, but you still would need to get the data from somewhere. That would most likely be a server-side script that responds to an Ajax request - thus you are back where we started - you need good session management in order to prevent unauthorised access. You can lock the data down as much as you want, but it needs to be visible to the web if you want to be able to access it on the web!
Allan
Based on my last post, if I use <?php $mydata->json(); ?>
I think it is almost good with data:
but the generated ->json is not formatted for data:
the first bracket { before "data" and the last one.
2 ways:
1/ editor = new $.fn.dataTable.Editor( {
<?php $data->json(); ?>,
table: "#example",
2/ editor = new $.fn.dataTable.Editor( {
data: '<?php $data->json(); ?>',
table: "#example",
What I can see in the browser source code:
1/
editor = new $.fn.dataTable.Editor( {
{"data":[
{
"DT_RowId":"row_1",
"first_name":"Tiger",
"last_name":"Nixon",
"position":"System Architect",
"email":"t.nixon@datatables.net",
"office":"Edinburgh",
"extn":"5421",
"age":"61",
"salary":"320800",
"start_date":"2011-04-25"
},
{
"DT_RowId":"row_2",".......
2/ need to remove {"data":
Is it possible to adjust ->json in staff.php in order to render exactly what "data:" needs?
"data": [
{
instead of:
{"data":[
{
Something like a function to choose in each php file:
render_method:'data', / render_method:'ajax',
and then the JSON rendering would be formatted for "ajax:" or "data:" in the JS.
Thanks
That isn't valid JSON though. So no, I'm afraid it wouldn't be able to provide that since it will only create valid JSON.
I don't understand why you would want to remove the leading brace and make it invalid JSON?
Allan
https://editor.datatables.net/examples/php/staff.php
because I get data like in this link.
It starts with {"data":[{
and it is not well formatted for the JS "data":
Just for my tests, and to better understand what I am trying to do:
a quick and terrible hack :-(
In editor.php:
It works!
In the JS:
Rendering in the browser:
<?php $data->json(); ?> returns the JSON from staff.php (with my horrible str_replace) "data":[{"
staff.php is in /application/view/, not visible from the web.
I include it in my view and call $data->json() directly in the JS.
Then I can use all the php code from Editor.
I don't know if "data": [json here] eats more resources than ajax: url?
I can display but I cannot edit / add:
TypeError: d.url is undefined
dataTables.editor.min.js:65:269
It is waiting for an ajax URL.
Is "data:" not OK for CRUD operations?
Thanks
Sounds like you haven't defined the ajax option. Is that correct? Editor requires the ajax option to be defined so it knows where to send updates.
Allan
Thanks,
I tried things with
But nothing works. No error, just nothing happens. Infinite loading when updating data.
I don't understand url + data. I just have data.
I'm not entirely clear why you would use ajax to provide a function that makes an Ajax call - why wouldn't you just use the following?:
Can you link to the page so I can take a look and debug it please?
Allan
Hello. Thanks for your answer.
Since this morning I only use "ajax: url" and I'll stay like that.
It works fine with data: for displaying but not for CRUD actions.
I have to secure the links visible in the JS more.
I have verification in the php files and .htaccess. I need to find a way with sessions, I think.
Pages are only visible to 2 customer groups: customers and admin.
Never in the front end without login. This is why ajax: url and the php folder leave me in doubt.
So I think I need to join the framework security functions with the DataTables Editor functions.
If you need to use session management in the PHP files that Editor sends data to via Ajax, then you simply need to add whatever session management logic you require into those scripts. Session management is not something that Editor attempts to provide at all - that is the job of whatever session management software you are using.
Allan
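Allan's first reply and this last one make the same point: the Ajax endpoint stays reachable from the web, so the check has to happen inside the script, against the application's own session, not against request headers. The following is an added example of what that gate looks like; it is not code from this thread, from the Editor library or from the Huge framework. It assumes the script lives under /application and is included by a controller that the front controller dispatches to (so it has no direct URL), that the framework's login stores `user_id`, `user_group` and `csrf_token` in `$_SESSION` under those names, that the allowed groups are `customers` and `admin` as in the post above, and that `lib/DataTables.php` is the Editor PHP library include (which defines `$db`). All of those names are assumptions; the Editor calls are the ones already used in the thread's staff.php, minus the formatters.

```php
<?php
// Added example: a session-gated Editor endpoint. Not from the thread, Editor or Huge.
// Assumed location: application/editor/staff.php, included by a logged-in-only
// controller action, so the file itself has no web-reachable path.

session_start();

// Answer with a JSON error body and a 4xx status, then stop: neither Editor nor a
// visitor pasting the URL into the address bar gets any row data.
function denyJson(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// 1. Authentication: the framework's login must have created a session.
//    X-Requested-With and Referer are deliberately NOT consulted: any client
//    can set both headers to whatever value the .htaccess rules expect.
if (empty($_SESSION['user_id'])) {              // assumed session key
    denyJson(401, 'Not logged in');
}

// 2. Authorisation: only these groups may read or edit customer rows.
$allowedGroups = ['customers', 'admin'];         // assumed group names
$group = (string) ($_SESSION['user_group'] ?? ''); // assumed session key
if (!in_array($group, $allowedGroups, true)) {
    denyJson(403, 'Insufficient rights');
}

// 3. CSRF: Editor posts action=create|edit|remove for writes; a plain table load
//    sends no action. The browser attaches the session cookie to a cross-site
//    POST as well, so writes additionally need a per-session token that the page
//    passes along with the request (see the note below the block).
if (isset($_POST['action'])) {
    $sent     = (string) ($_POST['csrf_token'] ?? '');
    $expected = (string) ($_SESSION['csrf_token'] ?? '');   // assumed session key
    if ($sent === '' || $expected === '' || !hash_equals($expected, $sent)) {
        denyJson(403, 'Invalid CSRF token');
    }
}

// 4. Only now hand the request to Editor, as in the thread's staff.php.
include __DIR__ . '/lib/DataTables.php';   // assumed path to the Editor library; defines $db

use DataTables\Editor,
    DataTables\Editor\Field,
    DataTables\Editor\Validate;

Editor::inst($db, 'datatables_demo')
    ->fields(
        Field::inst('first_name')->validator('Validate::notEmpty'),
        Field::inst('last_name')->validator('Validate::notEmpty'),
        Field::inst('position'),
        Field::inst('email'),
        Field::inst('office'),
        Field::inst('extn'),
        Field::inst('age')->validator('Validate::numeric'),
        Field::inst('salary')->validator('Validate::numeric'),
        Field::inst('start_date')
    )
    ->process($_POST)
    ->json();
```

On the page side the `ajax` option keeps pointing at the controller's URL (Editor needs it for updates, as the `d.url is undefined` error above shows); Editor's `ajax` option takes the same object as `jQuery.ajax`, so the token can be added in its `data` function (`d.csrf_token = ...`) from a value the view prints from the session. The order of the checks matters: authentication first, then the group check, then the CSRF token, and only then Editor, so an unauthenticated or unauthorised request never touches the database.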
Thanks, yes, indeed, I'll work on it.
Question: does DataTables + Editor exist as a module for Laravel or another framework?