volosoft / jtable

A JQuery plugin to create AJAX based CRUD tables.
http://www.jtable.org

Securing Action Pages #950

Open kirkphillip opened 10 years ago

kirkphillip commented 10 years ago

Hi All,

I have a PHP script that handles all actions for the JTable JSON component. The problem is that there is no security and anyone who has the permissions to view the table can navigate to the action page and view all data in the table.

For Example (PersonList.php):


```php
<?php
require('../../includes/conf.inc.php');

// Get records from the database (nothing checks who is asking before this runs)
$result = mysqli_query($conn, "SELECT first_name, last_name, bol_user, bol_web_user, status_id, permission_group_id FROM users;");
if ($result === false) {
    die(json_encode(array('Result' => 'ERROR', 'Message' => 'Query failed')));
}

// Add all records to an array, mapping the numeric status to a label
$rows = array();
while ($row = mysqli_fetch_assoc($result)) {
    if ($row['status_id'] == 0) {
        $row['status_id'] = 'Inactive';
    } elseif ($row['status_id'] == 1) {
        $row['status_id'] = 'Active';
    }

    $rows[] = $row;
}

// Return result to jTable
$jTableResult = array();
$jTableResult['Result'] = "OK";
$jTableResult['Records'] = $rows;
print json_encode($jTableResult);
```

If a user navigates to PersonList.php, they can view the raw JSON data without having to go through the jTable. Once I add delete and change logic, this becomes even less secure. Any thoughts?
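An added example, not code from the issue or from jTable, of the application-level check the question is asking for: the same PersonList.php, but it answers with jTable's ERROR result unless the session shows a logged-in user in a permitted group and the request arrived the way jTable sends it (POST). The session keys `user_id` and `permission_group_id`, the allowed group ids, and the assumption that conf.inc.php starts the session are all assumptions for this example.

```php
<?php
// Added example (not from the issue): PersonList.php refusing to return
// records unless the caller's session proves login and permission.
// Assumes conf.inc.php starts the session and that login stored
// $_SESSION['user_id'] and $_SESSION['permission_group_id'] (assumed names).
require('../../includes/conf.inc.php');
header('Content-Type: application/json');

// Answer in the shape jTable understands for failures, then stop.
function jtable_error($message, $status)
{
    http_response_code($status);
    print json_encode(array('Result' => 'ERROR', 'Message' => $message));
    exit;
}

// 1. Authentication: navigating straight to this URL without a login
//    session gets the same refusal as a hand-made AJAX request.
if (empty($_SESSION['user_id'])) {
    jtable_error('Not authenticated', 401);
}

// 2. Authorization: only groups allowed to see the user list proceed
//    (the group ids here are placeholders for this example).
$allowedGroups = array(1, 2);
if (!in_array((int) ($_SESSION['permission_group_id'] ?? 0), $allowedGroups, true)) {
    jtable_error('Not authorized', 403);
}

// 3. jTable sends its requests as POST by default; refuse other methods so
//    a plain link cannot hit the list (or, later, delete/update) handlers.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    jtable_error('Method not allowed', 405);
}

// Only an authenticated, authorized POST reaches the query.
$result = mysqli_query($conn, "SELECT first_name, last_name, bol_user, bol_web_user, status_id, permission_group_id FROM users;");
if ($result === false) {
    jtable_error('Query failed', 500);
}

// Same status mapping as the original page; unknown values pass through.
$statusLabels = array(0 => 'Inactive', 1 => 'Active');
$rows = array();
while ($row = mysqli_fetch_assoc($result)) {
    $row['status_id'] = $statusLabels[$row['status_id']] ?? $row['status_id'];
    $rows[] = $row;
}

print json_encode(array('Result' => 'OK', 'Records' => $rows));
```

The same gate belongs at the top of every action page (create, update, delete), since the browser can call any of them directly; the web-server-level restriction discussed below limits which clients reach the directory, while this check decides per logged-in user.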

michaelc0302 commented 10 years ago

Put it in a subdirectory and control access to the subdirectory using .htaccess allow/deny if you're using Apache.

kirkphillip commented 10 years ago

Thanks a lot. I was thinking of doing this but wasn't sure if it would still be available for the AJAX call.