The Archive Base

Editorial Team
Asked: June 9, 2026

I am trying to build a robust, simple, safe, catch-all way to pass dynamic SQL queries via ajax to a php script. I don’t think I have come up with the winner yet, but what I have now seems to work for my applications. I wish to have just one php script on my web server that takes input variables to build an SQL query, execute the query, and return the results to the website. Executing the query and returning the results are not the problem. The problem is the proper and secure way to pass these input variables to the script.

The biggest confusion I am having is how to produce the WHERE clause while still being able to account for all the different WHERE clauses that are possible.

Let’s say that the PHP file on the server is called master.php.

From JavaScript I have this:

$.ajax({
  type: "POST",
  url: "master.php",
  dataType: "xml",
  data: { 
      schema: "the_schema", 
      table: "the_table",
      select: JSON.stringify(['col_name_1','col_name_2','...']),
      where: JSON.stringify(["status","!=","Some Status","and","STR_TO_DATE(date,","%m/%d/%Y",")",">","(date(now())","-","INTERVAL","30","day)"])
  },
  success: function (data){
      alert(data);
      // of course here I will actually do something with the data, this is just for illustration of how the data is returned to the web page.
  }
});

The data variable will either be XML data from the database, or a string: “failure: error msg”.

In the master.php script on the server I have this:

<?php
    include '/config_file.php'; //checks user permissions and establishes mysqli connection

    /*
     * Table and schema are required 
     */
    $table = $mysqli->real_escape_string($_POST['table']);
    $schema = $mysqli->real_escape_string($_POST['schema']);

    /*
     * Select section
     * if there is no select then just use *
     */
    if (isset($_POST['select'])){
        $select_string = 'select ';
        $select = json_decode($_POST['select']);
        foreach($select as $key => $value){
            $select_string .= '`'.$mysqli->real_escape_string($value).'`, ';
        }
        // drop the trailing ", " left by the loop; without this the query reads "select `a`, `b`, from ..." and fails
        $select_string = rtrim($select_string, ', ').' ';
    }else{
        $select_string = 'select * ';
    }

    /*
     * Where section
     */
    if (isset($_POST['where'])){
        $where = json_decode($_POST['where']);
    }

    if (isset($where)){
        $where_string = ' where ';
        foreach ($where as $key => $value){
            if (strpos($value, ' ') !== false or strpos($value, '%') !== false){
                // if there is a space or % in the value, it must be a string so enclose it in quotes
                $where_string .= '"'.$mysqli->real_escape_string($value).'" ';
            }else{
                $where_string .= $mysqli->real_escape_string($value).' ';
            }
        }
        $where_string = rtrim($where_string);
    }

    if(!isset($where_string)) $where_string = '';

    /*
     * End of Where Section
     */


    /*
     * Build SQL
     */
    $SQL = $select_string.'from '.$schema.'.'.$table.$where_string;

    //...continue to execute query and echo results
?>

So as you can see, every part of the where array gets escaped and added to the query, even the column names and the operators (=, !=, >, <, etc).

Also as you can see, it seems a little crazy that I am passing separate strings for every part of this part of the where clause -> and STR_TO_DATE(date, "%m/%d/%Y" ) > (date(now()) - INTERVAL 30 day)

If you all have

  1. experience with passing dynamic where clauses to the ajax script
  2. if you have a better idea
  3. see a security hole in the scripts

please let me know. Hopefully we can get a nice, all-purpose databasing script going.

Thanks!

1 Answer

    Editorial Team
    Added an answer on June 9, 2026 at 9:13 pm

    Personally I do not recommend this kind of approach where you expose the database column names in the JavaScript, which is completely dangerous.

    A simple example is that you can manipulate the ajax parameters at the browser level and execute them against your database. You are simply enabling the hackers to get more information about your data.

    For example, I could stop the where clause so that I can see all your data from your database by executing a call without where parameters. If you want to develop such dynamic queries, make sure you are using some mappings between the ajax-passed parameters and the real table columns so that the columns are not exposed to the hackers directly.

    That's the basic security issue that I could see in this script.

    Hope this helps.

    Thanks.

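One way to apply the mapping the answer recommends, as an added example written for this page (it is not code from the question or the answer): the server keeps the table name and an alias-to-column map, allows only a fixed set of operators, and binds every client-supplied value as a prepared-statement parameter instead of escaping it into the SQL text. It assumes the JavaScript now sends `where` as a JSON list of {field, op, value} objects; the alias names, the table name and the `within_days` operator are assumptions made for the demo.

```php
<?php
// Added example (not the asker's or the answerer's code): a whitelist-based builder that
// maps client-side aliases to real columns and binds every user value as a parameter.
// TABLE, FIELDS, OPS and the {field, op, value} request shape are assumptions for the demo.
const TABLE  = '`the_schema`.`the_table`';   // fixed on the server, never taken from the client
const FIELDS = [                             // alias the JavaScript may use => real column
    'name'    => '`col_name_1`',
    'status'  => '`status`',
    'created' => '`date`',                   // text column in %m/%d/%Y form, as in the question
];
const OPS = [                                // %s is replaced by the whitelisted column only
    '='  => '%s = ?',   '!=' => '%s <> ?',
    '>'  => '%s > ?',   '<'  => '%s < ?',
    // the question's "date within the last N days" test, with N bound as an integer
    'within_days' => "STR_TO_DATE(%s, '%%m/%%d/%%Y') > DATE_SUB(CURDATE(), INTERVAL ? DAY)",
];

/** Returns [sql, params, types] for mysqli prepare/bind_param; throws on unknown input. */
function build_query(array $req): array {
    $cols = [];
    foreach ((array)($req['select'] ?? array_keys(FIELDS)) as $alias) {
        if (!array_key_exists($alias, FIELDS)) throw new InvalidArgumentException("unknown field");
        $cols[] = FIELDS[$alias] . ' AS `' . $alias . '`';   // alias is a known key, safe to quote
    }
    $clauses = []; $params = []; $types = '';
    foreach ((array)($req['where'] ?? []) as $cond) {
        $cond  = (array)$cond;
        $alias = $cond['field'] ?? ''; $op = $cond['op'] ?? ''; $value = $cond['value'] ?? null;
        if (!array_key_exists($alias, FIELDS) || !array_key_exists($op, OPS))
            throw new InvalidArgumentException("unknown field or operator");
        if ($op === 'within_days' && (!is_int($value) || $value < 0))
            throw new InvalidArgumentException("within_days needs a non-negative integer");
        $clauses[] = sprintf(OPS[$op], FIELDS[$alias]);   // user value never enters the SQL text
        $params[]  = $value;
        $types    .= is_int($value) ? 'i' : 's';
    }
    $sql = 'SELECT ' . implode(', ', $cols) . ' FROM ' . TABLE
         . ($clauses ? ' WHERE ' . implode(' AND ', $clauses) : '');
    return [$sql, $params, $types];
}

// Constructed request matching the question's call; with a live connection run:
// $stmt = $mysqli->prepare($sql); $stmt->bind_param($types, ...$params); $stmt->execute();
[$sql, $params, $types] = build_query([
    'select' => ['name', 'status'],
    'where'  => [['field' => 'status',  'op' => '!=',          'value' => 'Some Status'],
                 ['field' => 'created', 'op' => 'within_days', 'value' => 30]],
]);
echo $sql, "\n", json_encode($params), ' ', $types, "\n";
```

The SQL that is printed contains only `?` placeholders and whitelisted identifiers, so someone editing the request in the browser can pick a different allowed column or operator but cannot inject expressions, table names or unbound values.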
© 2021 The Archive Base. All Rights Reserved