how to secure json browser rendering data ?

garbocom (Posts: 13, Questions: 1, Answers: 0)

I tried to move the php folder into my /application folder, not visible from the web. It does not work because the ajax URL points directly to the php file.
Horrible, all data are visible. Just test this URL:
https://editor.datatables.net/examples/php/staff.php

Is it possible to call staff.php outside the front view?
ajax: "../php/staff.php",

I have a /public folder for js, css and other things for the front,
and an /application folder for config, model, controller, core etc.
I want to put the /php configuration files from Editor in /application, and call ajax: "/application/php/staff.php", <-- something like that

but there is no front access to the /application folder.

in my root folder, my htaccess
RewriteEngine on
RewriteRule ^(.*) public/$1 [L]

and htaccess in /public folder

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]

My tree
root (htaccess redirects to /public)
root > /application [models controller view config ...]
root > /public [js css skin (and inside plugins/datatables/extensions/Editor/...)]

Thanks

Answers

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    next...
    I want to render a DataTable in my /application/view/customer.php file.
    The DataTables JS is inside.
    I'm in doubt, but is it possible to render staff.php directly in this file, and in the JS
    not call
    ajax: "../php/staff.php",
    but
    ajax: "<?php echo $myjson ?>", ($myjson defined by the content of staff.php copied into my customer.php file)
    That's the idea...

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    for now, I added this in staff.php:
    define('AJAX_REQUEST', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
    if(!AJAX_REQUEST) {die();}

    It works: it loads the JSON data with ajax but not directly in the browser. But I think it is poor security.

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    I also put all my php files in a folder /editor with an htaccess:
    RewriteEngine On
    RewriteCond %{HTTP:X-Requested-With} !=XMLHttpRequest
    RewriteCond %{HTTP:X-REQUESTED-WITH} !^(XMLHttpRequest)$
    RewriteRule .php$ - [L,F]

    if not from ajax, access denied.

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    also in htaccess:

    SetEnvIf Referer example.com localreferer
    <FilesMatch .(php)$>
    Order deny,allow
    Deny from all
    Allow from env=localreferer
    </FilesMatch>

    I restrict the referer domains to mine because everybody could call my "staff.php" from an external DataTable, and the XMLHttpRequest verification would be useless in that case.

  • allan (Posts: 63,353, Questions: 1, Answers: 10,444) Site admin

    Horrible, all data are visible. Just test this url :
    Is it possible to call staff.php outside the front view?

    No - it has to be accessible by a web-browser. Otherwise how else will it be loaded? :-).

    What you would normally do is use some kind of session management to restrict the data, so it can only be accessed by someone who has suitable access rights. Session management is not something that Editor attempts to provide - that is up to whatever framework or session management you are using.

    The workarounds you suggest above sort of work, but they are security through obscurity. If anyone knew they could add those tokens to their HTTP request, they would still be able to access the data. Hence the need for session management and access rights.

    Allan

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    Allan, thanks for your answer.

    I use a small framework but with good security.
    I add some controllers to do what I need (load customer, CRUD...).
    https://github.com/panique/huge
    Cookies, sessions, customer groups, everything is present in Huge.
    Yes, but I'm not sure what to do with Editor to include it in the framework controls.

    "Otherwise how else will it be loaded?"

    I read the docs and understood that "ajax :" can only call a URL.
    But I thought it was possible to call data another way.
    I tried "data :" but nothing.

    my tests:

    in myview.php, I tried this:
    <?php include( "/editor/staff.php"); ?>

    I modified staff.php like that:

    $mydata = Editor::inst( $db, 'datatables_demo' )
        ->fields(
            Field::inst( 'first_name' )->validator( 'Validate::notEmpty' ),
            Field::inst( 'last_name' )->validator( 'Validate::notEmpty' ),
            Field::inst( 'position' ),
            Field::inst( 'email' ),
            Field::inst( 'office' ),
            Field::inst( 'extn' ),
            Field::inst( 'age' )
                ->validator( 'Validate::numeric' )
                ->setFormatter( 'Format::ifEmpty', null ),
            Field::inst( 'salary' )
                ->validator( 'Validate::numeric' )
                ->setFormatter( 'Format::ifEmpty', null ),
            Field::inst( 'start_date' )
                ->validator( 'Validate::dateFormat', array(
                    "format"  => Format::DATE_ISO_8601,
                    "message" => "Please enter a date in the format yyyy-mm-dd"
                ) )
                ->getFormatter( 'Format::date_sql_to_format', Format::DATE_ISO_8601 )
                ->setFormatter( 'Format::date_format_to_sql', Format::DATE_ISO_8601 )
        );
    $mydata->process( $_POST );

    and call "$mydata->json()" in the DataTables Editor javascript:

    editor = new $.fn.dataTable.Editor( {
    ajax: '<?php echo $mydata->json(); ?>', //not good, only url
    .....
    or data: '<?php echo $mydata->json(); ?>', // I think I don't understand the possibilities
    something like that.

    This way, staff.php is not browser accessible: it is in /application/view/myview.php,
    not in the /public folder.
    The PHP file never renders JSON by itself, only the JS does via <?php echo $mydata->json(); ?>.

    So I'm a little newbie with DataTables (+ Editor) and ajax CRUD.
    Perhaps the better way is to only use DataTables without Editor and use the classic way (controller, model, view) to load my data?

  • allan (Posts: 63,353, Questions: 1, Answers: 10,444) Site admin

    You can use the data option to populate the DataTables table, but you still would need to get the data from somewhere. That would most likely be a server-side script that responds to an Ajax request - thus you are back where we started - you need good session management in order to prevent unauthorised access.

    You can lock the data down as much as you want, but it needs to be visible to the web if you want to be able to access it on the web!

    Allan

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    Based on my last post, if I use <?php $mydata->json(); ?>
    I think it is almost good with data:
    but the generated ->json is not formatted for data:
    the first bracket { before "data" and the last one

    2 ways:

    1/ editor = new $.fn.dataTable.Editor( {
    <?php $data->json(); ?>,
    table: "#example",

    2/ editor = new $.fn.dataTable.Editor( {
    data: '<?php $data->json(); ?>',
    table: "#example",

    What I can see in the browser source code:
    1/
    editor = new $.fn.dataTable.Editor( {
    {"data":[
    {
    "DT_RowId":"row_1",
    "first_name":"Tiger",
    "last_name":"Nixon",
    "position":"System Architect",
    "email":"t.nixon@datatables.net",
    "office":"Edinburgh",
    "extn":"5421",
    "age":"61",
    "salary":"320800",
    "start_date":"2011-04-25"
    },
    {
    "DT_RowId":"row_2",".......

    2/ need to remove {"data":

    Is it possible to adjust ->json in staff.php in order to render exactly what "data:" needs?
    "data": [
    {

    instead of:

    {"data":[
    {

    something like a function to choose in each php file:
    render_method:'data', / render_method:'ajax',
    and then the JSON rendering will be formatted for "ajax: " or "data: " in the JS

    Thanks

  • allan (Posts: 63,353, Questions: 1, Answers: 10,444) Site admin

    "data": [
    {

    That isn't valid JSON though. So no, I'm afraid it wouldn't be able to provide that, since it will only create valid JSON.

    I don't understand why you would want to remove the leading brace and make it invalid JSON?

    Allan

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    https://editor.datatables.net/examples/php/staff.php
    because I get data like in this link.
    It starts with {"data":[{
    and it is not well formatted for the JS "data":

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    just for my tests, and to better explain what I try to do:
    a quick and terrible hack :-(
    in editor.php:
    //////////////////////////

        public function json ( $print=true )
        {
            if ( $print ) {
                $datarenderbad  = array( '{"data', '"files":[]}' );
                $datarendergood = array( '"data',  '"files":[]' );
                echo str_replace( $datarenderbad, $datarendergood, json_encode( $this->_out ) );
                return $this;
            }
            return json_encode( $this->_out );
        }
    

    /////////////////////////////////

    it works!

    in JS:
    ////////////////////////////////////

    editor = new $.fn.dataTable.Editor( {
      <?php $data->json(); ?>,
        "deferRender": true,
      table: "#example",
    
    

    //////////////////////////////////////

    rendering in the browser:

    editor = new $.fn.dataTable.Editor( {
      "data":[{"DT_RowId":"row_1","first_name":"Tiger","last_name":"Nixon","position":"System Architect","email":"t.nixon@datatables.net","office":"Edinburgh","extn":"5421","age":"61","salary":"320800","start_date":"2011-04-25"},{"DT_RowId":"....
    
    <?php $data->json(); ?> returns the JSON from staff.php (with my horrible str_replace)
    "data":[{"

    staff.php is in /application/view/, not visible from the web.
    I include it in my view and call $data->json() directly in the JS.
    Then I can use all the PHP code from Editor.

    I don't know if "data": [json here] eats more resources than ajax: url?
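    A way to get the array that DataTables' `data` option expects without editing Editor's `json()`: decode the valid JSON that `json(false)` already returns and re-encode only its `data` array into the view. This is an added example, not code from this thread or from the Editor library. `$editorJson` is a constructed sample standing in for `$mydata->json(false)`, and the `/editor/staff` route is an assumption. It also escapes the embedded JSON for use inside a `<script>` element, so a cell value containing `</script>` cannot break out of the script block when the data is inlined into the page.

```php
<?php
// Added example (not code from this thread or from Editor): feed DataTables'
// `data` option from the valid JSON that $mydata->json(false) returns,
// without modifying editor.php. $editorJson below is a constructed sample
// in the shape staff.php produces; in the view it would be $mydata->json(false).

/**
 * Pull the row array out of Editor's response JSON.
 * Returns an empty array if the JSON is invalid or has no "data" key,
 * so a bad response degrades to an empty table rather than broken JS.
 */
function editorRows(string $editorJson): array
{
    $decoded = json_decode($editorJson, true);
    if (!is_array($decoded) || !isset($decoded['data']) || !is_array($decoded['data'])) {
        return [];
    }
    return $decoded['data'];
}

/**
 * Encode a value for use inside an inline <script> element.
 * JSON_HEX_TAG turns '<' and '>' into \u003C and \u003E, so a cell value
 * such as "</script><script>..." stays a string instead of closing the tag.
 */
function jsonForInlineScript($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample of the string json(false) returns.
$editorJson = '{"data":[{"DT_RowId":"row_1","first_name":"Tiger","last_name":"Nixon",'
    . '"position":"System Architect","office":"Edinburgh"},'
    . '{"DT_RowId":"row_2","first_name":"Garrett","last_name":"Winters",'
    . '"position":"Accountant","office":"Tokyo"}],"files":[]}';

$rows = editorRows($editorJson);
?>
<script>
var editor = new $.fn.dataTable.Editor({
    // Editor still needs ajax: create/edit/remove submissions are posted here.
    ajax: "/editor/staff",   // assumed route; it must check the session server-side
    table: "#example"
});

$("#example").DataTable({
    data: <?php echo jsonForInlineScript($rows); ?>,  // initial rows embedded, no request
    columns: [
        { data: "first_name" },
        { data: "last_name" },
        { data: "position" },
        { data: "office" }
    ]
});
</script>
```

    Embedding the rows this way only removes the request for the initial load; the `ajax` endpoint that Editor submits changes to is still reachable from the browser and still needs its own server-side access check.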

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    I can display but I cannot edit / add:
    TypeError: d.url is undefined
    dataTables.editor.min.js:65:269
    ajaxurl is waiting

    is "data :" not ok for CRUD operations?

    thanks

  • allan (Posts: 63,353, Questions: 1, Answers: 10,444) Site admin

    Sounds like you haven't defined the ajax option. Is that correct? Editor requires the ajax option to be defined so it knows where to send updates.

    Allan

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    thanks,
    I tried things with:

    var editor = new $.fn.Editor( {
        table: "#myTable",
        ajax: function ( method, url, data, success, error ) {
            $.ajax( {
                type: method,
                url:  url,
                data: data,
                dataType: "json",
                success: function (json) {
                    success( json );
                },
                error: function (xhr, error, thrown) {
                    error( xhr, error, thrown );
                }
            } );
        }
    } );
    

    But nothing works. No error, just nothing happens: infinite loading when updating data.
    I don't understand url + data. I just have data.

  • allan (Posts: 63,353, Questions: 1, Answers: 10,444) Site admin

    I'm not entirely clear why you would use ajax to provide a function that makes an Ajax call - why wouldn't you just use the following?:

    var editor = new $.fn.Editor( {
        table: "#myTable",
        ajax: url
    } );
    

    Can you link to the page so I can take a look and debug it please?

    Allan

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    Hello. Thanks for your answer.
    Since this morning I only use "ajax: url" and stay like that.
    It works fine with data: for displaying but not with CRUD actions.
    I have to secure the links visible in the JS more.
    I have verification in the php files and htaccess. I need to find something with sessions, I think.
    Pages are only visible for 2 customer groups: customers and admin.
    Never in front without login. This is why ajax:url and the php folder leave me in doubt.
    So I think I need to join the framework security functions with the DataTables Editor functions.

  • allan (Posts: 63,353, Questions: 1, Answers: 10,444) Site admin

    If you need to use session management in the PHP files that Editor sends data to via Ajax, then you simply need to add whatever session management logic you require into those scripts. Session management is not something that Editor attempts to provide at all - that is the job of whatever session management software you are using.

    Allan
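    One way to put the session check Allan describes here (and in his first answer above) into the script that Editor posts to, as an added example rather than code from Editor or from the Huge framework: the request is refused before any Editor code runs unless the session belongs to a logged-in user in an allowed group, and only the admin group may submit changes. The session keys (`user_id`, `user_group`), the group names and the include path are assumptions; the Editor field definitions follow staff.php as posted in this thread. Unlike the X-Requested-With and Referer checks tried earlier, the session is state the server created after login, not a header the client chooses.

```php
<?php
// Added example (not Editor's or Huge's code): gate the Editor server script
// behind the application's own session rather than X-Requested-With or
// Referer headers, which any client can set freely.
// Assumptions: the framework stores $_SESSION['user_id'] and
// $_SESSION['user_group']; the groups are named 'customers' and 'admin'.

use DataTables\Editor,
    DataTables\Editor\Field;

session_start();

/**
 * True when the session belongs to a logged-in user in one of $allowedGroups.
 */
function sessionAuthorized(array $session, array $allowedGroups): bool
{
    if (empty($session['user_id'])) {
        return false;                                  // not logged in
    }
    return in_array($session['user_group'] ?? null, $allowedGroups, true);
}

/**
 * Editor sends an "action" parameter (create, edit, remove) when it submits
 * changes; a plain data load sends none. Treat any action as a write.
 */
function isWriteRequest(array $post): bool
{
    return isset($post['action']);
}

/**
 * Refuse with 403 and a small JSON body using Editor's "error" key, so the
 * client receives an explicit failure rather than an empty or HTML page.
 */
function denyJson(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// Read access: customers and admin. Write access: admin only (least privilege).
if (!sessionAuthorized($_SESSION, ['customers', 'admin'])) {
    denyJson(403, 'Not authorised');
}
if (isWriteRequest($_POST) && !sessionAuthorized($_SESSION, ['admin'])) {
    denyJson(403, 'Editing requires the admin group');
}

// Only an authorised session reaches the Editor code below (fields as in the
// thread's staff.php; the include path is an assumption).
include __DIR__ . '/../lib/DataTables.php';

Editor::inst($db, 'datatables_demo')
    ->fields(
        Field::inst('first_name')->validator('Validate::notEmpty'),
        Field::inst('last_name')->validator('Validate::notEmpty'),
        Field::inst('position'),
        Field::inst('email'),
        Field::inst('office'),
        Field::inst('extn')
    )
    ->process($_POST)
    ->json();
```

    The script can stay reachable from the web, as Allan says it must; what changes is that every request, whether typed into the address bar or sent by Editor, is answered only after the session has been checked. A 403 for an anonymous request is also a useful line in the access log when looking for probing of the endpoint.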

  • garbocom (Posts: 13, Questions: 1, Answers: 0)

    Thanks, yes, indeed, I'll work on it.
    Question: does DataTables + Editor exist as a module for Laravel or another framework?

This discussion has been closed.