Is it possible in PHP to pass a token via GET/POST with AJAX and JSON without doing an echo?


I have a file called token.php that generates a token:

token.php

echo json_encode(Braintree_ClientToken::generate());

And I have a file that fetches that token with AJAX and then runs the rest of the code:

$.ajax ({
    url: "token",
    type: "get",
    dataType: "json",
    success: function (data) {

        $(".inputDisabled").show();
        ...

Everything works fine, but if a visitor to my page goes to mipagina.com/token they will see the token. I need to hide it in some way, but without affecting the GET.

Is this possible and how should I do it? If it is not possible, could you give me an alternative solution?

    
asked by Lukas 27.10.2017 в 20:06
source

2 answers


The idea is to know how the file was reached: via AJAX, or by pasting the URL into the browser. What I can think of is to send a variable that lets you identify that entry, like this:

$.ajax ({
    url: "token",
    type: "GET",
    data: {check: true},
    dataType: "json",
    success: function (data) {

        $(".inputDisabled").show();
        ...

And in check.php

if(isset($_GET['check']) && $_GET['check'] == true){
    echo json_encode(Braintree_ClientToken::generate());
}

So you would limit the token to being printed only when the origin is AJAX.

For security I would change the request from GET to POST.

    
answered by 27.10.2017 / 20:15
source
2

My recommendation is this:

1) In your PHP file, create a SESSION variable, as follows:

1.a) Put session_start(); at the start of your PHP code.

1.b) Create a session variable and give it some value to validate against, so that only when that page is entered is the variable created and assigned its value. Example: $_SESSION["accesotoken"] = "si";

2) In your token.php file, always add session_start(); and validate:

// "si" must be quoted; a bare si is an undefined constant in PHP
if(isset($_SESSION["accesotoken"]) && $_SESSION["accesotoken"] == "si"){
    echo json_encode(Braintree_ClientToken::generate());
}

And with that you would have that file reasonably secure. Now, I am somewhat opposed to putting the access variable and the value that grants access inside the JavaScript code, since that is somewhat vulnerable and your file could be accessed easily. But in the way I describe, everything is handled from PHP itself and therefore on the server side.

    
answered by 27.10.2017 в 20:25
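As an added example that is not from either answer above, here is a token.php that combines both ideas in a stronger form: a per-session random secret created by the page that hosts the form (instead of a fixed flag like check=true or "si", which anyone can supply), sent back in a request header and compared in constant time, plus a POST-only rule so a browser address bar cannot fetch it. The session key csrf, the header name X-CSRF-Token and the meta tag are assumptions; Braintree_ClientToken::generate() is the call from the question.

```php
<?php
// token.php (added example, not the answerers' code).
// Assumes the page that hosts the form did, before rendering:
//   session_start();
//   $_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(32));
//   echo '<meta name="csrf" content="' . $_SESSION['csrf'] . '">';
// and that the AJAX call is (jQuery):
//   $.ajax({url: "token", type: "POST", dataType: "json",
//           headers: {"X-CSRF-Token": $('meta[name=csrf]').attr('content')},
//           success: function (data) { /* ... */ }});
declare(strict_types=1);

/**
 * Decide whether this request may receive a client token.
 * Kept free of globals so it can be unit-tested with constructed input.
 */
function tokenRequestIsAllowed(array $server, array $session, string $sentToken): bool
{
    // Typing a URL into the address bar always produces GET, never POST.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // The secret exists only for a browser that loaded our page first.
    $expected = $session['csrf'] ?? '';
    if ($expected === '' || $sentToken === '') {
        return false;
    }
    // hash_equals() avoids leaking the secret through timing differences.
    return hash_equals($expected, $sentToken);
}

session_start();
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';   // header name is an assumption

// The token is short-lived and per visitor: forbid caching anywhere.
header('Cache-Control: no-store');
header('Content-Type: application/json');

if (!tokenRequestIsAllowed($_SERVER, $_SESSION, $sent)) {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;
}

echo json_encode(Braintree_ClientToken::generate());
```

Note that a Braintree client token is designed to be handed to the browser, so this only restricts who can request one (a visitor who has loaded your page in this session); it does not hide the value from the end user, who can still read it in the browser's developer tools.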