Help me with Using JQuery AJAX code


IamMarvin1a

Hello. I made a WordPress plugin with a JQuery-AJAX/JSON code in a php file like this:

$(document).ready(function(){
    // fname, lname, unumber, address, contact and email are assumed to hold the
    // values already read from the form fields (that part is not shown in the post).
    $.post("/wp-content/plugins/SLMS/UserRecord.php",
    {
        saveUserBtn: "Save", FName: fname, LName: lname, UNumber: unumber, address: address, contact: contact, email: email
    },
    function(data, status){
        // The server's plain-text reply is shown in the notice area of the page.
        document.getElementById('userr-page-notice').innerHTML = data;
        if(data.includes("New record saved.")) {
            document.getElementById("userRecord").reset();
        }
    });
});
/** end of code */


I also noticed that any user can view my JavaScript code with their own browser. I also noticed that any user/unauthorized user can copy this JQuery-AJAX/JSON code and pass/save/modify data in the MySQL database using the link to my php file. I will also write the code for my php file:

<?php
if(isset($_POST['saveUserBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") {
    insertRecord();
}
elseif(isset($_POST['searchUNBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") {
    searchUNRecord();
}
elseif(isset($_POST['updateUserBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") {
    updateRecord();
}
/** codes to access MYSQL Database */
/** end of code */


I notice that many developers also use these kinds of JQuery-AJAX/JSON code. I want to know what the code is to block unauthorized users from accessing/passing data to my php file when unauthorized users use JQuery/JSON code. I will also mention "web host cPanel File Permission" to see if this web server configuration can help.


You can't really block that, because there's not really a way to tell who is running your code normally and who isn't.  From the perspective of the server, everything is just a get or post request, with a bunch of values passed in.  The server can't determine how that get or post request got created.  The security for things like this should go on the server though. As long as you're validating all of the data and making sure that everything is correct, that's about all you need to do.  If you're trying to protect against a certain kind of attack, there might be specific things you can do also, like keeping track of and limiting the number of times a certain form can be submitted within a certain time frame.


Hi to all. Sorry for the late reply. It took me 4 days to choose how to block unauthorized access to my WordPress php plugin file using JQuery AJAX.

I tried to use the WordPress is_user_logged_in() function, but you can only use this function if the php file is included in the WordPress plugin's main php file.

I decided to choose the PHP superglobal $_SERVER['HTTP_REFERER']; over PHP session code $_SESSION["session_name"];

I will add sample code:

/** javascript JQuery AJAX code of my php file which can copy/get through a browser by any user */

$(document).ready(function(){
    $.post("/wp-content/plugins/SLMS/UserRecord.php",
    {
        saveUserBtn: "Save", FName: fname, LName: lname, UNumber: unumber, address: address, contact: contact, email: email
    },
    function(data, status){
        document.getElementById('userr-page-notice').innerHTML = data;
        if(data.includes("New record saved.")) {
            document.getElementById("userRecord").reset();
        }
    });
});
/** Here is the code to my other php file that contains database access and saving data to database */
<?php
if($_SERVER['HTTP_REFERER'] == "https://iammarviin26.000webhostapp.com/user-record/") {
    if(isset($_POST['saveUserBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") {
        insertRecord();
        /**
        insertRecord();
        echo "working" ;
        */
    }
    elseif(isset($_POST['searchUNBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") {
        searchUNRecord();
        /**
        searchUNRecord();
        echo $_POST['searchUN'];
        echo "Success";*/
    }
    elseif(isset($_POST['updateUserBtn']) and $_SERVER['REQUEST_METHOD'] == "POST") {
        updateRecord();
        /**
        updateRecord();
        echo $_POST['ID'];
        echo "Update Status";*/
    }
}
/** Other php code/script that contains database credentials/sql script */

/** While using PHP SUPERGLOBALS $_SERVER['HTTP_REFERER']; any users cannot access my php file without the correct http referrer and actively login to my web application. */
?>

In case you cannot use the WordPress is_user_logged_in() function, you can use the superglobal $_SERVER['HTTP_REFERER']; or PHP session code $_SESSION["session_name"];

Any suggestions or comments?
Thanks


Note that the referer header is optional and not considered reliable.  There are tools you can use to send your own requests to any server, when you do you'll see that you can write whatever you want in the referer.  That header is also sometimes removed by various internet security software, and in some cases the browser will not send it at all to avoid information leakage (e.g., when going from HTTPS to HTTP).  I was also checking for a referer header in our application on one file, but enough people reported that they were not able to access that and we replaced it with checking the session.  A user can create their own referer header (or any other header, for that matter), but they cannot create their own session.

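The two replies above make the same point: the referer can be forged, the session cannot, and every field must be validated on the server. The following is an added example (not the poster's plugin code, and not code from this thread) showing how a WordPress plugin can get exactly that by registering its AJAX handler through admin-ajax.php instead of a stand-alone UserRecord.php, so that WordPress is loaded and is_user_logged_in(), capability checks and nonces work. The hook/function names, the capability name and the table name are assumptions.

```php
<?php
/*
 * Added example: the "save user" endpoint as a WordPress AJAX action.
 * Assumed names: slms_save_user, edit_slms_users, {prefix}slms_users.
 */

// Client side: the page's JavaScript posts to admin-ajax.php with
// action=slms_save_user plus the nonce exposed here via slmsAjax.nonce.
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('slms-user-record', plugins_url('user-record.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('slms-user-record', 'slmsAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('slms_save_user'),
    ]);
});

// Only the logged-in hook is registered (no wp_ajax_nopriv_ counterpart), so an
// anonymous request to this action gets WordPress's default "0" rejection.
add_action('wp_ajax_slms_save_user', 'slms_save_user');

function slms_save_user() {
    // Rejects a missing, expired or forged nonce. The nonce is bound to the
    // user's login session cookie, which a caller cannot invent, unlike a referer.
    check_ajax_referer('slms_save_user', 'nonce');

    // Authorization: logged in AND allowed to create records (capability assumed).
    if (!current_user_can('edit_slms_users')) {
        wp_send_json_error('Not allowed.', 403);
    }

    // Server-side validation of every field; the client's checks are untrusted.
    $fname   = sanitize_text_field($_POST['FName'] ?? '');
    $lname   = sanitize_text_field($_POST['LName'] ?? '');
    $unumber = sanitize_text_field($_POST['UNumber'] ?? '');
    $email   = sanitize_email($_POST['email'] ?? '');
    if ($fname === '' || $lname === '' || $unumber === '' || !is_email($email)) {
        wp_send_json_error('Missing or invalid fields.', 400);
    }

    global $wpdb;
    // $wpdb->insert() builds a prepared statement, so values are not injectable.
    $ok = $wpdb->insert($wpdb->prefix . 'slms_users', [
        'fname' => $fname, 'lname' => $lname, 'unumber' => $unumber, 'email' => $email,
    ]);
    if ($ok === false) {
        wp_send_json_error('Database error.', 500);
    }
    wp_send_json_success('New record saved.');
}
```

Because the handler only runs inside WordPress, the file is no longer reachable as a bare URL under wp-content/plugins, and the check is the user's session rather than a header the client controls.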

Thanks justsomeguy. Good information about using the PHP superglobal $_SERVER['HTTP_REFERER']; and PHP session code $_SESSION["session_name"];

I will now use PHP session code $_SESSION["session_name"];
