
AJAX and PHP includes

  • 09-03-2008 3:50pm
    #1
    Registered Users, Registered Users 2 Posts: 314 ✭✭


    Hi guys, I've done some googling but can't find a satisfactory answer to this. I have a website written in PHP which uses AJAX. Basically I have some JavaScript functions which access my site's database via PHP scripts.

    To achieve this I take user input from forms using JavaScript and use POST to send it to my scripts. For security I have all scripts which use the database in an includes folder which is not directly accessible from the root of the website. The only way I have been able to achieve this is as follows:
    /
        includes/
        site-directory/
            cgi-bin
            images/
            scripts/
    
    Using the directory structure above, I keep all PHP scripts for database access in the directory includes/. This is so that in the event of the PHP parser on the server being down the SQL queries would not be exposed. When I send POST data from the JavaScript function I can't seem to be able to send it to these includes directly. The only way I've been able to do it is by sending the POST data to a file in the site-directory/ and using a PHP include to include the PHP functions contained in the includes/ directory.

    So for example, my JavaScript function might be
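    // Request object shared with the output() callback (defined elsewhere)
    var request = new XMLHttpRequest();

    function post() {
     // The scheme is required; without it the URL is treated as a relative path
     request.open("POST", 'http://www.mysite.com/logon.php', true);
     var userid = document.getElementById("userid").value;
     var password = document.getElementById("password").value;

     // Send the proper header information along with the request
     request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

     request.onreadystatechange = output;
     // Encode the values so characters such as & and = cannot break the form body
     request.send('userid=' + encodeURIComponent(userid) + '&password=' + encodeURIComponent(password));
    }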
    
    

    and then the file www.mysite.com/logon.php might look like

    [PHP]<?php
    include '../includes/logon.php';
    ?>[/PHP]

    and the file /includes/logon.php then contains the actual code to access the database.


    So my question is, is there some way to tell the JavaScript function to access the included file directly without using the www.mysite.com/logon.php file?


Comments

  • Closed Accounts Posts: 1,200 ✭✭✭louie


    Yes, you can, by setting up a variable like this:
    var home_path = "http://www.mysite.com/includes/";

    // and in your JavaScript code you can use

    function post(url) {
     request.open("POST", home_path + url, true); // where url = page to be accessed, like logon.php
     // ... rest of post() as in the original function
    }


  • Closed Accounts Posts: 382 ✭✭misterq


    No

    You are saying that you are storing the includes directory outside of the web root and yet you want to access it directly. You can't have it both ways mate!

    You don't need to store all the php files outside of the web root, just the sensitive stuff like database username, password etc. You can have a file that stores all this in an includes directory outside of root and your php files in the web root, including this file whenever the code needs to.


  • Registered Users, Registered Users 2 Posts: 314 ✭✭conorgriff


    misterq wrote: »
    No

    You are saying that you are storing the includes directory outside of the web root and yet you want to access it directly. You can't have it both ways mate!

    You don't need to store all the php files outside of the web root, just the sensitive stuff like database username, password etc. You can have a file that stores all this in an includes directory outside of root and your php files in the web root, including this file whenever the code needs to.

    Yeah, I was thinking about it this afternoon and that makes total sense. If the files are outside the web root so nobody can view them then that includes the JavaScript functions too. Doh! Dunno why it didn't dawn on me before now. Cheers for the replies.


  • Subscribers Posts: 9,716 ✭✭✭CuLT


    conorgriff wrote: »
    Yeah, I was thinking about it this afternoon and that makes total sense. If the files are outside the web root so nobody can view them then that includes the JavaScript functions too. Doh! Dunno why it didn't dawn on me before now. Cheers for the replies.

    Yes, not to beat a dead horse here, but for anyone else reading it's important to note that JavaScript is client-side, while anything in PHP/ASP/Perl is server-side.

    Any client-side scripting will have the same access as the client themselves do. This is vitally important from a security POV, let alone a functionality one :)
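
The boundary this thread arrives at, as an added example (not code from any poster): a constructed model of the directory layout in the first post, showing that a request URL, which is all client-side JavaScript can send, only ever resolves under the web root, while a server-side include can reach `includes/`. `FILES`, `WEB_ROOT`, `resolveRequest` and `resolveInclude` are hypothetical names, and include resolution is simplified to "relative to the including script".

```javascript
// Constructed model of the layout in the first post: includes/ sits beside
// the web root (site-directory/), not inside it.
const FILES = new Set([
  '/includes/logon.php',             // database code, outside the web root
  '/site-directory/logon.php',       // thin wrapper: include '../includes/logon.php'
  '/site-directory/scripts/ajax.js',
]);
const WEB_ROOT = '/site-directory';
const ORIGIN = 'http://www.mysite.com';

// What the client can reach: the server maps the URL path under WEB_ROOT only.
function resolveRequest(url) {
  // The URL parser collapses "." and ".." segments, as a browser does before sending.
  const { pathname } = new URL(url, ORIGIN);
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // Refuse anything that still tries to climb after decoding (e.g. "..%2f").
  if (decoded.split('/').includes('..')) return null;
  const file = WEB_ROOT + decoded;
  return FILES.has(file) ? file : null;
}

// What server-side code can reach: an include is a filesystem path, so it
// may point outside the web root (assumption: resolved from the script's directory).
function resolveInclude(fromFile, relPath) {
  const parts = fromFile.split('/').slice(0, -1); // directory of the including script
  for (const seg of relPath.split('/')) {
    if (seg === '..') parts.pop();
    else if (seg !== '.' && seg !== '') parts.push(seg);
  }
  const file = parts.join('/');
  return FILES.has(file) ? file : null;
}

// The AJAX call can only name the wrapper; the wrapper can name the include.
console.log(resolveRequest('/logon.php'));
console.log(resolveRequest(ORIGIN + '/includes/logon.php'));
console.log(resolveInclude('/site-directory/logon.php', '../includes/logon.php'));
```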

