
I'm working on a project which requires integration of Google Maps with my website. Now, my data (latitude/longitude, etc) are in a MySQL table. A PHP query runs on the MySQL to dynamically generate an XML file. This XML file is then used by the requesting HTML page which then plots these points on the Google Map using JavaScript.

The HTML code snippet which requests this XML file is :

    // Fetch the XML produced by generatexml.php and plot one marker per
    // <marker> element. The callback receives the completed XMLHttpRequest.
    downloadUrl("generatexml.php", function(data) {
      var xml = data.responseXML;
      var markers = xml.documentElement.getElementsByTagName("marker");
      for (var i = 0; i < markers.length; i++) {
        var name = markers[i].getAttribute("name");
        var address = markers[i].getAttribute("address");
        var type = markers[i].getAttribute("type");
        var point = new google.maps.LatLng(
            parseFloat(markers[i].getAttribute("lat")),
            parseFloat(markers[i].getAttribute("lng")));
        // Info-window content is built by string concatenation from
        // attribute values taken straight out of the XML.
        var html = "<b>" + name + "</b> <br/>" + address;
        // customIcons, map, infoWindow and bindInfoWindow are defined
        // elsewhere on the page.
        var icon = customIcons[type] || {};
        var marker = new google.maps.Marker({
          map: map,
          position: point,
          icon: icon.icon
        });
        bindInfoWindow(marker, map, infoWindow, html);
      }
    });

The above mentioned function downloadUrl is defined as:

    // Issue an asynchronous GET for url and hand the completed request to
    // callback. ActiveXObject is the legacy Internet Explorer XHR path.
    function downloadUrl(url, callback) {
      var request = window.ActiveXObject ?
          new ActiveXObject('Microsoft.XMLHTTP') :
          new XMLHttpRequest();

      request.onreadystatechange = function() {
        if (request.readyState == 4) {
          // Detach the handler so the callback cannot fire a second time.
          request.onreadystatechange = doNothing;
          callback(request, request.status);
        }
      };

      request.open('GET', url, true);
      request.send(null);
    }

    // No-op handler installed once the request has completed.
    function doNothing() {}

Now, the problem is, suppose someone directly types www.mydomain.com/generatexml.php; then they will be able to see the XML file generated from MySQL data in their browser. This is something which can kill my website! Somebody can easily use my data and all my efforts of data collection will go to waste. I'll be using this website for non-profit purposes, but somebody can steal this data via XML and sell it, which I do not want to happen.

So, is there a way to hide this file and still have the requesting HTML page able to use it when anyone opens the HTML page?

halfer

1 Answer


There is no way to secure this file as it will be needed by your client-side JavaScript to render the map.

If you want your data secure then you would have to render this server side and not expose the details in an XML file.

Also I notice your code snippet may be vulnerable to XSS as you are building up the XML manually without encoding the values.

e.g.

    var html = "<b>" + name + "</b> <br/>" + address;

If "name" or "address" contain tag characters (e.g. "<"), the XML can be broken out of and anything inserted into your document (depends on where the data is from, but it is best to treat all data as untrusted).

SilverlightFox
  • @SilverFox: Thanks for your response! How can I render this server side and not expose the details in an XML file? – user2981941 Nov 14 '13 at 18:41
  • @user2981941 You could generate a map using a server side API and then serve it as an image file. – SilverlightFox Nov 15 '13 at 09:22
  • That sounds good. But I think it will make my map non-interactive, as it will just be a static image? Actually, I'll be allowing the user to interact with the map using overlays and all. Any suggestions on how to prepare the map on the server side and still render it as interactive to the user? – user2981941 Nov 15 '13 at 19:14
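To make the XSS point in the answer concrete, here is an added example (not code from the question or the answer): the question's own info-window line beside a hardened version that HTML-encodes the attribute values before concatenating them. The marker values are constructed for the demo and stand in for what `markers[i].getAttribute("name")` and `getAttribute("address")` would return; `escapeHtml`, `buildInfoWindowHtml` and the rest are names chosen here, not part of the Google Maps API.

```javascript
// Added example, not from the original post. Shows why
//   var html = "<b>" + name + "</b> <br/>" + address;
// is exploitable when name/address come from the database, and how to
// encode the values so they render as text rather than as markup.

// Encode the five characters that can break out of an HTML text or
// attribute context. "&" is replaced first so existing entities are not
// double-encoded on the way back through.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The pattern from the question, kept unchanged for comparison.
function buildInfoWindowHtmlUnsafe(name, address) {
  return "<b>" + name + "</b> <br/>" + address;
}

// Hardened form: every value that originated in the XML (and therefore in
// the MySQL table) is encoded before it becomes part of the markup.
function buildInfoWindowHtml(name, address) {
  return "<b>" + escapeHtml(name) + "</b> <br/>" + escapeHtml(address);
}

// Alternative for the browser: build DOM nodes and assign text through
// textContent, so no string is ever parsed as HTML. InfoWindow.setContent
// accepts a DOM node as well as a string. (doc is passed in so this file
// also loads outside a browser.)
function buildInfoWindowNode(doc, name, address) {
  var wrapper = doc.createElement("div");
  var bold = doc.createElement("b");
  bold.textContent = name;
  wrapper.appendChild(bold);
  wrapper.appendChild(doc.createElement("br"));
  wrapper.appendChild(doc.createTextNode(address));
  return wrapper;
}

// Constructed sample marker: the "name" carries an image tag with an
// onerror handler, the address contains a bare ampersand.
var SAMPLE_MARKER = {
  name: '<img src=x onerror="alert(document.cookie)">Cafe',
  address: "1 Main St & 2nd Ave"
};

// True if the rendered HTML still contains a live <img> tag from the input.
function containsLiveTag(html) {
  return /<img\b/i.test(html);
}

// Render the sample both ways and report whether the payload survived.
function demo() {
  var unsafe = buildInfoWindowHtmlUnsafe(SAMPLE_MARKER.name, SAMPLE_MARKER.address);
  var safe = buildInfoWindowHtml(SAMPLE_MARKER.name, SAMPLE_MARKER.address);
  return {
    unsafe: unsafe,
    safe: safe,
    unsafeHasTag: containsLiveTag(unsafe), // true: the tag is live in the page
    safeHasTag: containsLiveTag(safe)      // false: it is shown as literal text
  };
}
```

Encoding at the point where the value enters the markup is the fix regardless of where the XML came from; filtering on the PHP side does not help against data that was already in the table, and it would not protect the page if generatexml.php were ever changed.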