Home/ Questions/Q 6929047
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T11:16:04+00:00

I’m trying to figure a method of securing a web service call with AJAX.

  • 0

I’m trying to figure a method of securing a web service call with AJAX. The web service processes a contact form and calls the PHP which uses the mail function to send an email without a HTTP request.

I’ve posted some of my code below so you get a better idea of what I’m asking. I’m attempting to block a direct call to the service through a HTTP request causing my mail server to work everytime the page is requested.

// Data is compiled into datastr...
var datastr = 
'input_name=' + encodeURI(input_name) + 
'&input_email=' + encodeURI(input_email) +
'&input_organization=' + encodeURI(input_organization) +
'&input_title=' + encodeURI(input_title) +
'&input_phone=' + encodeURI(input_phone) +
'&input_comments=' + encodeURI(input_comments);

 // AJAX is called with datastr param...
 $.ajax({
     type: "POST",
     url: "../common/contact-form-logic.php",
     data: datastr,
     cache: false,
     success: function(resp) {.... etc

Here’s the PHP file service.

$input_name = urldecode($_REQUEST['input_name']);
$input_email = urldecode($_REQUEST['input_email']);
$input_organization = urldecode($_REQUEST['input_organization']);
$input_title = urldecode($_REQUEST['input_title']);
$input_phone = urldecode($_REQUEST['input_phone']);
$input_comments = urldecode($_REQUEST['input_comments']);

$to = "xxxxxxxxxxxxxxxxx";

$subject = "Contact form entry from xxxxxxxxxx.com";
$message = $input_name."\n".$input_email."\n".$input_organization."\n".$input_title."\n".$input_phone."\n".$input_comments;

if(mail($to, $subject,$message)){
    echo "1";
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m teaching myself security and found myself in a similar situation, here’s what I did:

    *Disclaimer I’m no security pro but I felt this was better than nothing..

    1. Make sure there’s a post
    2. Check for the xmlhttprequest header
    3. I then validated the HTTP_REFERER

    4. I then checked the token I generated a part of their session (example below)

      session_start();
$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;

if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
{
    /* Valid Token */
}

    5. I checked the $_POST keys against a whitelist to make sure I had everything I needed

    Here’s an example

    // No post no dice!
if( empty($_POST) )
    die('error no post');

// Check for xmlhttprequest header
// I want to make sure this post came from an ajax call.
if( empty($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest')
    die('error invalid ajax request');

// Check to make sure the ajax request came from yourdomainhere.com
if( strpos($_SERVER['HTTP_REFERER'], 'yourdomainhere') === FALSE )
    die('error invalid http ref');

// DIE, if no token is present or token isn't equal to $_SESSION token.
if (!isset($_POST['token']) || $_POST['token'] != $_SESSION['token'])
    die('error invalid token');

// Check to make sure all POST array keys I need exist for my script
$vars_needed = array("input_name", "input_email", "input_organization", "input_title", "input_phone", "input_comments");
foreach($vars_needed as $need) {
    if(!array_key_exists($need, $_POST))
        die('error invalid post');
}
    • 0