Kohana And AJAX (Sitting In A Tree)

/ Kohana / by Paul Robinson / 10 Comments

This is the first in a series of tutorials on the Kohana PHP framework. It covers how to use Kohana in conjunction with AJAX. Some people have had trouble with it, as did I when I first used it, so here are the basics.

I’m assuming you know how to set up Kohana and have a project with a new controller in it. All you need to do is create a new method in that controller. The trick is to disallow unauthorised access, that is, access from anyone or anything other than your own AJAX requests. Here is a basic Kohana controller:

That is a basic Kohana controller (in this case an extension of the Template_Controller). I’ve also added the method that will be used for the AJAX functionality. To use it, all you have to do is point your AJAX request at example.com/test/ajax. The URL structure is domain.name/controller/method, or you can use Kohana’s built-in URL builder by writing echo url::site('controller/method');. At the minute you or anyone else can also open that URL directly in a browser, and you probably don’t want that, so let’s see how to prevent it.
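Here is what such a controller looks like, as an added example written for this page rather than the post’s own listing. It assumes Kohana 2.x, where Template_Controller, View and the auto_render flag come from the framework; the Test_Controller name, the test/index view and the 'howdy' message are this example’s own choices (the message is the one used in a comment further down).

```php
<?php defined('SYSPATH') or die('No direct script access.');
// application/controllers/test.php
// Added example for this page; not the post's own code. Assumes Kohana 2.x:
// Template_Controller, View and $auto_render are the framework's, the class
// name, view name and message are ours.

class Test_Controller extends Template_Controller
{
    // application/views/template.php wraps every normally rendered page.
    public $template = 'template';

    // Reached at /test or /test/index: an ordinary HTML page.
    public function index()
    {
        $this->template->title   = 'AJAX test';
        $this->template->content = new View('test/index');
    }

    // Reached at /test/ajax: the method an XMLHttpRequest will call.
    // Right now anything that can issue an HTTP request can open this URL.
    public function ajax()
    {
        // Stop Template_Controller from wrapping the reply in template.php;
        // the AJAX caller wants just the fragment, not a whole page.
        $this->auto_render = FALSE;

        header('Content-Type: application/json');
        echo json_encode(array('message' => 'howdy'));
    }
}
```

Without auto_render turned off, Template_Controller renders template.php after the method returns and the JSON ends up buried inside a full HTML page, which is one of the more common reasons a first AJAX call in Kohana appears to return garbage.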

There is an exceptionally simple way to do this, as Thomas mentioned in his comment: just use Kohana’s built-in request helper, request::is_ajax(), at the top of the method:

This checks the X-Requested-With request header (PHP exposes it as $_SERVER['HTTP_X_REQUESTED_WITH']) and makes sure it equals xmlhttprequest, ignoring case. That is how it determines whether the call came via AJAX. Note that browsers do not add this header on their own: jQuery, Prototype and most other JavaScript libraries add it to every XMLHttpRequest they make, so if you write raw XMLHttpRequest code you have to set it yourself.

There is one problem with any HTTP header check, and that is that HTTP headers can be forged. The X-Requested-With check does stop a plain cross-site form post or image tag from reaching the method, because a browser will not attach a custom header to those requests, but anyone with curl, a proxy or a browser extension can add the header and call the method directly. So treat an AJAX method exactly like any other action: check that the user is logged in (the session cookie is sent with AJAX requests just like any other request), require a per-session token for anything that changes data, and never build SQL from request input. Use Kohana’s query builder or escape every value, and check, double check and triple check any query that takes user input.
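The following is an added example for the two paragraphs above (the header check and what to do about its weakness); it is written for this page and is not the post’s own code. The framework calls are assumed from Kohana 2.x: request::is_ajax(), Session::instance(), Auth::instance()->logged_in() from the auth module, Input::instance()->post(), Event::run('system.404') and the Database query builder. The pages table, its title column, the test/index view and the ajax_token session key are this example’s own assumptions.

```php
<?php defined('SYSPATH') or die('No direct script access.');
// application/controllers/test.php
// Added example for this page, not the post's own listing. Framework calls
// are assumed from Kohana 2.x (request, Session, Auth, Input, Event,
// Database); the 'pages' table, 'title' column, 'test/index' view and
// 'ajax_token' session key are this example's assumptions.

class Test_Controller extends Template_Controller
{
    public $template = 'template';

    // Ordinary HTML page at /test. Creates the per-session token every AJAX
    // call must send back and hands it to the view for the page's script.
    public function index()
    {
        $session = Session::instance();
        if ( ! $session->get('ajax_token'))
        {
            // Needs PHP 5.3+; on PHP 7 use random_bytes(16). The token must be
            // unpredictable, so uniqid() or a hash of the time will not do.
            $session->set('ajax_token', bin2hex(openssl_random_pseudo_bytes(16)));
        }

        $view = new View('test/index');
        $view->ajax_token = $session->get('ajax_token');
        $this->template->content = $view;
    }

    // AJAX endpoint at /test/ajax, answering with JSON only.
    public function ajax()
    {
        $this->auto_render = FALSE;   // no template wrapper around the JSON

        // 1. Header check, the same test request::is_ajax() performs: the
        //    X-Requested-With header must be present and equal "xmlhttprequest"
        //    ignoring case. A browser will not attach a custom header to a
        //    cross-site form post or <img> request, but anything scripted
        //    (curl -H 'X-Requested-With: XMLHttpRequest' ...) passes it, so
        //    this is a filter, not authentication.
        if ( ! request::is_ajax())
        {
            Event::run('system.404');  // behave as though the method did not exist
            return;
        }

        // 2. Authentication. The session cookie rides along with an
        //    XMLHttpRequest exactly as with a normal page load, so the same
        //    login check works here.
        if ( ! Auth::instance()->logged_in())
        {
            return $this->reply(401, array('error' => 'login required'));
        }

        // 3. Per-session token. Only a page we rendered knows it, so a request
        //    forged from another site or from the command line cannot supply it.
        //    On PHP 5.6+ prefer hash_equals() for a constant-time comparison.
        $token    = (string) Input::instance()->post('token', '');
        $expected = (string) Session::instance()->get('ajax_token');
        if ($expected === '' OR $token !== $expected)
        {
            return $this->reply(403, array('error' => 'bad token'));
        }

        // 4. Input. Constrain the value before it goes anywhere near SQL, then
        //    let the query builder quote it; never concatenate it into a query.
        $term = (string) Input::instance()->post('q', '');
        if ($term === '' OR strlen($term) > 64)
        {
            return $this->reply(400, array('error' => 'q must be 1-64 characters'));
        }

        $rows = Database::instance()
            ->select('id, title')
            ->from('pages')
            ->like('title', $term)   // builder escapes the value; like() wraps it in %
            ->limit(10)
            ->get();

        $out = array();
        foreach ($rows as $row)
        {
            $out[] = array('id' => (int) $row->id, 'title' => $row->title);
        }
        return $this->reply(200, $out);
    }

    // Emit a JSON body with the given HTTP status code.
    protected function reply($status, $data)
    {
        header('Content-Type: application/json', TRUE, $status);
        echo json_encode($data);
    }
}
```

The order of the checks matters: the header test is cheapest and answers 404 so the method is invisible to casual probing, the login check reuses whatever protects the rest of the admin area, and the token is what actually defeats a forged request, because a forger can copy the header but not read the victim’s session.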

10 Comments

Reader comment:

I haven’t added AJAX to my Kohana site yet, but these are my thoughts. I was going to look into support for checking the AJAX header in the HTTP response, to make sure it really was an AJAX request, but I don’t know if this is well supported by the browsers. I was also going to see if my sessions would track across the AJAX request, or if I needed to add some additional token to every request just to actually prove it came from a legitimate user and not something that was just crafted to bypass the authentication in the normal HTML.

Paul Robinson (author) replies:

Well, as far as I’ve been able to tell, I think any AJAX request coming from you also includes your session information. I could be wrong, but I use an AJAX autocomplete in an admin area which requires you to log in. Since the AJAX function it accesses is just another controller method, and all methods are locked out unless you are logged in, I would assume it needs to check if you are still logged in. Since it seems to pass this fine, I assume that the session for my login has been carried along too.

I haven’t checked this out, so I can’t really tell if all that’s correct, but it’s my best guess as to what is going on. I guess the best security against attacks on your AJAX functions is to always escape any MySQL, which Kohana seems to do well in conjunction with its query builder.

Again though, I’m still learning Kohana myself, so thank you for the input. It really gave me some things to think about. 🙂

P.S. I’ve added a little bit to the end of the post about checking HTTP headers for AJAX requests.

Paul Robinson (author) replies:

Now that I didn’t know. Thanks. 🙂

I guess, though, that again you come across the problem I’ve seen a lot of people mention about checking HTTP_X_REQUESTED_WITH, which is that you can easily alter the HTTP request headers. I don’t know if it’s true, but I’ve read it referenced a lot on different websites.

That seems to be the best thing for now, though, and request::is_ajax() is a lot shorter than my alternative. So thanks. 😀

Reader comment:

Is there anybody who knows how to use KoolPHP’s KoolTree or KoolGrid in CakePHP? Please help.

Paul Robinson (author) replies:

I’m afraid not. I don’t use CakePHP, only Kohana and CodeIgniter. Sorry.

Reader comment:

Hi, I am starting out with the Kohana framework, so can you please give me an example of AJAX calls in Kohana?

Note: sorry for my English. Thanks, and greetings from México.

Paul Robinson (author) replies:

Well, I don’t often use Kohana anymore; I tend to use CodeIgniter now. However, I would think that it would be similar.

You would create a function inside your controller and then call the URL via AJAX using your preferred JavaScript framework.

For example you might have this in Kohana:

Then in jQuery you might use:

That should echo out howdy. Obviously that is a very basic example, but it will hopefully give you the general idea behind using AJAX with Kohana.
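As an added example of the client half of the exchange this comment describes (written for this page, not the commenter’s code), here is a Kohana 2.x view file that makes the jQuery call. It assumes the controller rendered this view with a per-session token in $ajax_token, that /test/ajax answers with a JSON array of rows carrying a title field, and that template.php already loads jQuery; all of those are assumptions of this example.

```php
<?php defined('SYSPATH') or die('No direct script access.');
// application/views/test/index.php
// Added example for this page; not the commenter's code. Assumes the
// controller passed $ajax_token into this view, that /test/ajax returns a
// JSON array of {id, title} rows, and that template.php loads jQuery.
?>
<input type="text" id="q" placeholder="search titles">
<ul id="results"></ul>

<script type="text/javascript">
// jQuery adds "X-Requested-With: XMLHttpRequest" to every $.ajax call by
// itself, which is the header request::is_ajax() looks for; a bare
// XMLHttpRequest would not send it and the call would be refused.
//
// json_encode() turns PHP values into JS literals with quotes and slashes
// escaped, so the token and URL cannot break out of the script.
var ajaxToken = <?php echo json_encode($ajax_token); ?>;
var ajaxUrl   = <?php echo json_encode(url::site('test/ajax')); ?>;

$('#q').keyup(function () {
    $.ajax({
        type: 'POST',                      // token travels in the body, not the URL
        url: ajaxUrl,
        data: { q: $(this).val(), token: ajaxToken },
        dataType: 'json',
        success: function (rows) {
            var list = $('#results').empty();
            $.each(rows, function (i, row) {
                // .text() escapes the value; never build HTML from the
                // response by string concatenation, or a stored title like
                // <script>... would run in every visitor's browser.
                list.append($('<li>').text(row.title));
            });
        },
        error: function (xhr) {
            // 401/403/404 are the server refusing the request.
            $('#results').empty().append(
                $('<li>').text('request refused: ' + xhr.status)
            );
        }
    });
});
</script>
```

The browser attaches the session cookie to this request on its own, so the server-side login check sees the same session as the page that rendered the view; the token is the only thing the script has to add explicitly.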

Reader comment:

Hi, I read your blog occasionally and I own a similar one, and I was just curious if you get a lot of spam responses?

If so, how do you protect against it? Is there any plugin or anything you can recommend? I get so much lately it’s driving me mad, so any help is very much appreciated.
