This is my first in a line of tutorials based on Kohana PHP Framework. This first tutorial is based on how to use Kohana in conjunction with AJAX. Some people have had some trouble with it, as did I when I first used it, so here are the basics. I’m assuming you know how to [...]
This is my first in a line of tutorials based on Kohana PHP Framework. This first tutorial is based on how to use Kohana in conjunction with AJAX. Some people have had some trouble with it, as did I when I first used it, so here are the basics.
I’m assuming you know how to set up kohana & have a project set up with a new controller. All you need to do is create a new method in your controller. The trick is to disallow unauthorised access, that is access for anyone or anything, but AJAX requests. Here is a basic Kohana controller:
class Test_Controller extends Template_Controller {
function index() {
//code for your front page
}
function ajax() {
//code that your AJAX request should execute
}
}
That is a basic Kohana controller (in this case an extention of the Template Controller). I’ve also added the method that will be used for the AJAX functionality. To use it all you would have to do is tell your AJAX request to visit example.com/test/ajax. Here is the structure for that request domain.name/controller/method or you could use Kohana’s built in url builder by writing echo url::site('controller/method');. You or anyone else can also access it via URL at the minute & you probably don’t want that, so let’s see how to prevent that.
There is an exceptionally simple way to do this, as mentioned by Thomas in his comment. Just use Kohana’s built in request helper:
if(request::is_ajax()) //do stuff
This runs a check for the HTTP header HTTP_X_REQUESTED_WITH and makes sure it equals xmlhttprequest. That is how it determines if the call came via AJAX. It is compatible with all modern browsers.
There is one problem with any HTTP header check & that is that HTTP headers can be faked. My best advice for protecting again misuse of AJAX requests is to make sure any AJAX requests that directly access a database have their queries checked, double checked, and triple checked for possible attacks and are also sanitised properly.
*We currently have £44 of the £90 needed to keep our server running.
@jenmorrisonlive posting usernames of users u think are worth following every friday. Like this. Follow Jen cos she rocks. #FollowFriday - 2 hours ago
@KTTunstall You know you're good when Google loves you more than a town. :) - 1 day ago
@nbcchuck is there any ETA on any season of chuck on blu-ray UK release? I can only find US imports. ;-) - 1 day ago
@TheSaturdays I'm still doing work. :( Thank god for DVRs :D - 1 day ago
RT @unahealy: Check out this cool Brides at work limited edition T-shirt in aid of Breakthrough Breast cancer x http://twitpic.com/2kajzd - 2 days ago
Discussion: 5 Comments
I haven’t added Ajax to my Kohana site yet but these are my thoughts. I was going to look into support for checking the AJAX header in the HTTP response, make sure it really was an AJAX request but I don’t know if this is well-supported by the browsers. I was also going to see if my sessions would track across the AJAX request or if I needed to add some additional token to every request just to actually prove it came from a legitimate user and not something that was just crafted to bypass the authentication in the normal HTML.
Well as far as I’ve been able to tell, I think any AJAX request coming from you also includes your session information. I could be wrong, but I use an AJAX autocomplete in an admin area which requires you to login. Since the AJAX function it access’ is just another controller method & all methods are locked out unless you are logged in, I would assume it needs to check if you are still logged in, since it seems to pass this fine, I assume that the session for my login has been carried along too.
I haven’t checked this out so I can’t really tell if all that’s correct, but It’s my best guess as to what is going on. I guess the best security against attacks on your AJAX functions is to always escape any MySQL, which Kohana seems to do well in conjuction with it’s query builder.
Again though I’m still learning Kohana myself, so thank you for the input. It really gave me some things to think about.
P.S. I’ve added a little bit to the end of the post about checking HTTP headers for AJAX requests.
You should use the request helper…
if (request::is_ajax()) {}See the docs : http://docs.kohanaphp.com/helpers/request#is_ajax
But you could do something even more useful, like building an Ajax Controller, or add a route in you main template controller to ajax methods…
Now that I didn’t know. Thanks.
I guess though, that again you come across the problem I’ve seen alot of people mention about checking
HTTP_X_REQUESTED_WITHwhich is that you can easily alter the HTTP request headers. I don’t know if it’s true, but I’ve read it referenced alot on different websites.That seems to be the best thing for now though &
request::is_ajax()is a lot shorter than my alternative. So thanks.