comp.lang.php: php includes and ajax
Re: php includes and ajax [message #173091 is a reply to message #173087] Sun, 20 March 2011 23:54
Jerry Stuckle
On 3/20/2011 6:16 PM, John D'Orazio wrote:
> I've been experimenting with ajax functionality in the past few months, but I'm having different results on different web hosts...
>
> My biggest difficulty has to do with the path for php file includes. Here's my situation:
>
> My CMS defines some functions for checking user permissions in a file called "functions.php" in this path: "/include".
>
> Before enabling certain functionalities on the javascript side (such as administrative buttons in a jquery-ui dialog) I want to check if the user has administrative privileges. So I create a php file for this check, for example I want to check if the user is a news administrator so I name the file "newsadmin.php" and put it in the "/themes/glorioso/ajax" folder.
> "/themes/glorioso/ajax/newsadmin.php" does an include of "/include/functions.php", then calls the function that checks whether the current user has news administration privileges; if this returns true I echo out "isnewsadmin", otherwise "isnotnewsadmin".
>
> From my javascript I make an ajax call to "newsadmin.php", if the returned value is "isnewsadmin" I add administrative buttons, otherwise I don't.
>
> My javascript file is in "/themes/glorioso/javascripts/glorioso.js".
> When I'm working on a website on the aruba shared hosting (http://www.aruba.it/) I can only get my include to work like this:
> <?php
> require_once($_SERVER["DOCUMENT_ROOT"]."/include/functions.php");
> if (is_news_admin()) { echo "isnewsadmin"; }
> else { echo "isnotnewsadmin"; }
> ?>
>
> This doesn't work on an altervista shared hosting (http://it.altervista.org/). The only way I can get it to work on an altervista shared hosting is by changing directories:
>
> <?php
> chdir("..");
> chdir("..");
> chdir("..");
> require_once("include/flatnux.php");
> if (is_news_admin()) { echo "isnewsadmin"; }
> else { echo "isnotnewsadmin"; }
> ?>
>
> Since I'm trying to write a theme for the Flatnux CMS that anyone else can use, I'd like a "universal solution" that can work for anyone on any webserver.
> I suppose I could do a check for file existence before the include:
> <?php
> if(file_exists($_SERVER["DOCUMENT_ROOT"]."/include/functions.php")){
> require_once($_SERVER["DOCUMENT_ROOT"]."/include/flatnux.php");
> }
> else {
> chdir("..");
> chdir("..");
> chdir("..");
> require_once("include/functions.php");
> }
> if(is_news_admin()){
> echo "isnewsadmin";
> }
> else{
> echo "isnotnewsadmin";
> }
> ?>
>
> I'd like to understand better the principles behind this stuff though, if there is a standard way of doing the file includes that'll work on every server in ajax calls...

First of all, NEVER trust something client side. It would be very easy
for me to change your code to always believe the user is an administrator.

Next, javascript is client-side. PHP is server-side (almost always,
anyway). But javascript on the client cannot include the source code of
a PHP file on the server side. All it can do is get the output of the
PHP script.

The way to do it is to always do any security checks (and input
validation) on the server. Client-side (javascript) can perform some
checks, but they must ALWAYS be backed up by server-side
verification/validation.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
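The two points the thread turns on, a portable include path and the rule that the server re-checks privileges on every request, put together in one PHP endpoint. This is an added example, not code from the thread, from the Flatnux CMS or from either poster. It assumes the layout John describes (the script lives in /themes/glorioso/ajax/, the CMS helper is /include/functions.php and it defines is_news_admin()); the "action" query parameter and the do_news_admin_action() helper are assumptions used only to show where the privileged work would go.

```php
<?php
// Added example: resolve the CMS include relative to this script's own
// location, then enforce authorization on the server for every request.
// Paths and is_news_admin() come from the thread; the "action" parameter
// and do_news_admin_action() are hypothetical.

// 1. Locate the CMS root from this file's position instead of relying on
//    $_SERVER["DOCUMENT_ROOT"] (differs between hosts) or chdir("..")
//    (depends on the process's current directory). Three levels up:
//    ajax -> glorioso -> themes -> site root, matching the three chdir() calls.
//    __DIR__ needs PHP 5.3+; dirname(__FILE__) is the older equivalent.
$cmsRoot   = dirname(dirname(dirname(__DIR__)));
$functions = $cmsRoot . '/include/functions.php';

if (!is_file($functions)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('CMS functions not found');
}
require_once $functions;

header('Content-Type: application/json');

$action = isset($_GET['action']) ? $_GET['action'] : 'status';

// 2. The status request only tells the UI whether to draw admin buttons.
//    It grants nothing by itself, so lying about it buys an attacker nothing.
if ($action === 'status') {
    echo json_encode(array('isnewsadmin' => (bool) is_news_admin()));
    exit;
}

// 3. Every privileged action re-checks on the server. A client that edits
//    the JavaScript to skip the status check still stops at this gate.
if (!is_news_admin()) {
    header('HTTP/1.1 403 Forbidden');
    echo json_encode(array('error' => 'forbidden'));
    exit;
}

// Hypothetical privileged operation, reached only by verified news admins.
$result = do_news_admin_action($action);
echo json_encode(array('ok' => true, 'result' => $result));
```

The JavaScript side reads the `isnewsadmin` flag to decide whether to show the buttons, but each button's request goes through the same file and hits the 403 branch unless the server-side check passes; the client-side check is a convenience, the server-side one is the control.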