Security in Ajax: how to prevent cURL for publishing data?

I have searched everywhere for a solution to this; here is my problem:

I have a function that calls a .php file, which receives POST data and runs PHP code according to that data, for example:

<?php
// Dispatch on the posted "data" field (bodies left as placeholders)
if ($_POST["data"] == "delete") { /* Do something to delete something */ }
if ($_POST["data"] == "reset")  { /* Do something here */ }

So basically I can use Ajax from the same domain so that the file acts according to my data. Ajax absolutely cannot cross domains here. My problem is with PHP: I found that the cURL functions can send data to my PHP site, and I searched Google for many methods, but I can't find a solution so that people cannot cURL my site. I found that Session can be used for something, but even if I use Session, there is always a way to get past it (I saw this while searching).

So my question is: is there a way to prevent people from POSTing data to my site? I'm sure they cannot use Ajax, but I'm really worried about cURL in PHP.

I appreciate any suggestion.

Thanks in advance, guys.

+3
4 answers

Before performing an action, check whether this user has permission to do it.

So there is no special protection; just write your regular code (yes, in normal code you need to check permissions).

Actually (thanks to @alex), the browser does exactly the same thing curl does, so it's not even possible to tell whether you are receiving a request from the browser or from a cheater.

+5



AJAX cannot prevent anything. The assumption is that the data sent to the server is generated by AJAX, which in turn is generated by JavaScript, which in turn is run by the browser. Given enough time, someone who understands JavaScript can work out what you want the server to receive in the request and build that request using even the simplest tools, like telnet or netcat. Any action that modifies or deletes data on your server should not be allowed for unknown people and/or undefined parameters.

+1
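The following is an added example, not code from the question or from any of the answers. It puts the point of the first and last answers next to the code in the question: the server cannot tell a browser's Ajax request from a cURL request, so the endpoint itself has to authenticate the caller, check that the caller is allowed to perform the requested action, and accept only a whitelisted set of actions. A CSRF token bound to the session is added so that a page on another domain cannot trigger the action through a logged-in user's browser. The function names, the role names, and the habit of passing the session and POST data in as arrays (so the script runs from the command line without a web server) are all assumptions made for this illustration.

```php
<?php
// Added example (not from the original thread). Shows the vulnerable dispatch
// from the question beside a hardened version that authenticates, authorizes
// and checks a CSRF token before acting. The $session/$post arrays, the
// function names and the role names ("admin", "user") are assumptions.

declare(strict_types=1);

// Vulnerable form from the question: acts on any POST, whoever sent it.
function handle_action_unchecked(array $post): string
{
    if (($post['data'] ?? '') === 'delete') {
        return 'deleted';   // anyone who can reach the URL, with cURL or otherwise
    }
    if (($post['data'] ?? '') === 'reset') {
        return 'reset';
    }
    return 'ignored';
}

// Hardened form. Nothing here distinguishes cURL from a browser; the point is
// that cURL now needs the same valid credentials a browser would need.
function handle_action(array $session, array $post): array
{
    // 1. Authentication: the caller must have a logged-in session.
    if (empty($session['user_id'])) {
        return ['status' => 401, 'result' => 'not logged in'];
    }

    // 2. Whitelist of known actions and the role each one requires.
    $allowed = ['delete' => 'admin', 'reset' => 'admin', 'refresh' => 'user'];
    $action  = $post['data'] ?? '';
    if (!is_string($action) || !array_key_exists($action, $allowed)) {
        return ['status' => 400, 'result' => 'unknown action'];
    }

    // 3. Authorization: does this user's role permit this action?
    $role = $session['role'] ?? 'guest';
    if ($allowed[$action] === 'admin' && $role !== 'admin') {
        return ['status' => 403, 'result' => 'forbidden'];
    }

    // 4. CSRF token: must be present and match the token stored in the session.
    //    hash_equals() compares in constant time.
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($session['csrf_token'] ?? '', $token)) {
        return ['status' => 403, 'result' => 'bad csrf token'];
    }

    // 5. Only now perform the action (the real body is a placeholder here).
    return ['status' => 200, 'result' => 'performed ' . $action];
}

// Constructed sample sessions and requests, standing in for what Ajax or
// cURL would send. The token would normally be generated at login.
$validToken   = bin2hex(random_bytes(16));
$adminSession = ['user_id' => 7, 'role' => 'admin', 'csrf_token' => $validToken];
$userSession  = ['user_id' => 9, 'role' => 'user',  'csrf_token' => $validToken];

$cases = [
    'unchecked, anonymous cURL'   => handle_action_unchecked(['data' => 'delete']),
    'no session'                  => handle_action([], ['data' => 'delete', 'csrf_token' => $validToken]),
    'user tries admin action'     => handle_action($userSession, ['data' => 'delete', 'csrf_token' => $validToken]),
    'admin without csrf token'    => handle_action($adminSession, ['data' => 'delete']),
    'admin with wrong csrf token' => handle_action($adminSession, ['data' => 'delete', 'csrf_token' => str_repeat('0', 32)]),
    'admin, valid request'        => handle_action($adminSession, ['data' => 'delete', 'csrf_token' => $validToken]),
];

foreach ($cases as $label => $outcome) {
    echo str_pad($label, 30), ' => ', json_encode($outcome), PHP_EOL;
}
```

Run it with `php handle_action.php`. The first case shows the question's code performing the delete for an anonymous caller; every other case shows the hardened handler refusing until the session, the role and the CSRF token are all correct. The session is still the thing the questioner was worried about, but it is not a flag that can be "passed": a cURL client only gets a valid session cookie and CSRF token by logging in, at which point it is simply an authenticated user and is allowed to do what that user may do.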
