spoon:

CSRF, Ajax and security

I made a basic ajax post request and echo the posted data, nothing fancy.

Is it okay to use like that or is there anything I need to add to make it more secure? I added csrf_token() with double curly braces to meta name but it's not being displayed here (content isn't empty).

1-) I added meta CSRF.

2-) I added $.ajaxSetup to jQuery

3-) I echo the $variable.

My question is, do the steps above provide enough security for this particular Ajax/Laravel process, or do I still need to add <input type="hidden" name="_token" value="<?php echo csrf_token(); ?>"> inside my forms? I read a tutorial that states you can add it globally: http://tutsnare.com/post-data-using-ajax-in-laravel-5/

But I don't see any hidden field in my form when I view it in chrome dev tools.

HTML

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta name="csrf-token" content="{{ csrf_token() }}">
</head>
<body>
    <form action="" method="post">
        <input id="name" type="text" placeholder="Enter your name">
        <input type="submit" id="sub">
    </form>
    <div id="result"></div>
    <script src="/js/jquery-2.1.4.js"></script>
    <script type="text/javascript">
        $(document).ready(function () {
            // set up jQuery with the CSRF token, or else post routes will fail
            $.ajaxSetup({
                headers: {
                    'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
                }
            });
            // handlers
            $("#sub").click(function (y) {
                y.preventDefault();
                var user_name = $('#name').val();
                $.post(
                        "/settings/generalsettings/changedata",
                        {
                            name99: user_name
                        },
                        function (data) {
                            $('#result').hide().html(data).fadeIn(2000);
                        });
            });
        });
    </script>
</body>
</html>

UserSettingsController.php

public function changeData()
{
    // reads the posted field and sends it straight back, unvalidated and unescaped
    $variable = Input::get('name99');
    echo $variable;
}
pmall:

What is the question ? There is nothing particular to do.

spoon:

I forgot to add the real question, sorry. I'm using Laravel 5.1

1-) I added meta CSRF.

2-) I added $.ajaxSetup to jQuery

3-) I echo the $variable.

My questions are: 1-) Do I need to sanitize $variable before echoing it, or does Laravel do it automatically?

2-) Do the steps above provide enough security for this particular Ajax/Laravel process, or do I still need to add <input type="hidden" name="_token" value="<?php echo csrf_token(); ?>"> inside my forms?

pmall:

You should validate whether the received name is valid. It is up to you to choose what a valid name is, but I guess you want to keep only alphanumeric characters.

Once the name is validated you can display it without anything else.
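
The two answers above put together as an added example (not the poster's or Laravel's own code): the controller method from the question next to a version that validates the field and escapes it on output. The controller name and field name "name99" are taken from the post; everything else (rules, method names) is assumed.

```php
<?php
// Added example, not code from the thread or from Laravel itself.
// Assumes Laravel 5.1 (as stated in the thread) and the base Controller's
// ValidatesRequests trait, which ships with it.
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class UserSettingsController extends Controller
{
    // Before: echoes whatever was posted. Any markup in "name99" goes back
    // verbatim and is rendered by $('#result').html(data) in the browser.
    public function changeDataUnsafe(Request $request)
    {
        echo $request->input('name99');
    }

    // After. CSRF is already enforced by the VerifyCsrfToken middleware, which
    // accepts either a _token field or the X-CSRF-TOKEN header that the
    // $.ajaxSetup call sends, so no hidden input is needed for this request.
    // What the middleware does NOT do is validate or escape the payload.
    public function changeData(Request $request)
    {
        // 1. Validate: decide what a "name" may contain (alphanumeric here,
        //    as pmall suggests). On failure an XHR request gets a 422 JSON
        //    response instead of the echoed value.
        $this->validate($request, [
            'name99' => 'required|alpha_num|max:50',
        ]);

        $name = $request->input('name99');

        // 2. Escape on output anyway. e() is htmlentities() with ENT_QUOTES,
        //    so a value admitted by a looser rule still cannot inject markup
        //    into #result. The string is returned as the response body.
        return e($name);
    }
}
```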

spoon:

I edited my question to explain more clearly what I want to learn.
