0

I want to send information from JS on my domain to a .php file in another domain securely, and I want the .php to only accept things coming from the specified domains.

This is Domain A

    $.ajax({
      type: "POST",
      url: "https://domain-b.com/ant.php",
      data: mystring
    });

This is Domain B

    <?php
    for ($i = 0; $i < count($_POST); $i++) {
        # send to DB code
    }
    ?>

BTW both domain A and domain B are individual servers. My understanding is that because I am using HTTPS the data is sent securely and encrypted; however, I see that anyone can send information from anywhere to the .php domain. I want to prevent that. I thought of inserting a code that acts like a password between the two, but as I insert it in the JS it will be visible to anyone, so no use for it.

Sameh

2 Answers

1

Yes, using https will encrypt the data.

To check where the request claims to have originated from, you can check `$_SERVER['HTTP_REFERER']`. This can be spoofed, however, and isn't reliable.

I would use a PHP session. Server A sets the session ID. Server B can then read the session ID from the request to verify that the user came from server A. It's possible for multiple servers to share the session data. See How to manage a single PHP5 session on multiple apache servers?

Boundless
0

As you are sending the POST request from your server, try sending a secret key in your data, and run the DB code only if the secret key matches.

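    <?php session_start();
    // random_bytes() is a CSPRNG; uniqid() is time-based and guessable
    $_SESSION['key'] = bin2hex(random_bytes(16)); ?>
    <input type="hidden" value="<?php echo $_SESSION['key']; ?>" name="key">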

A new secret key is generated every time a user refreshes the page, and it will be different from user to user.

    $.ajax({
      type: "POST",
      url: "https://domain-b.com/ant.php",
      data: mystring // contains secret key
    });

PHP server

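    <?php
    session_start();
    $key = $_POST['key'] ?? ''; // secret key sent in the form data
    // hash_equals() compares the two strings in constant time
    if (isset($_SESSION['key']) && is_string($key) && hash_equals($_SESSION['key'], $key)) {
        for ($i = 0; $i < count($_POST); $i++) {
            # send to DB code
        }
    }
    ?>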

If I understood the question correctly, this should be helpful :)

Sahith Vibudhi
  • The secret key is shown to everyone since it's in JS. I mean I could do `var Scrtkey='12312312313'; mystring = mystring+'scrt'+Scrtkey;` and then everyone sees it – Sameh Mar 27 '16 at 13:48
  • Are you posting form data? – Sahith Vibudhi Mar 28 '16 at 12:07
  • Yes, but it doesn't contain passwords. – Sameh Mar 28 '16 at 20:34
  • Then what you are looking for is a solution for CSRF. – Sahith Vibudhi Apr 01 '16 at 03:46
  • Well, I think there's a chance here. But if I attached the secret key generated by PHP to JS again it would be visible; for it to work it must be sent from PHP to PHP only. If you have an idea please explain – Sameh Apr 03 '16 at 11:25
  • It doesn't matter even if the user is able to see it, because it changes every time the page loads and is different for each user browsing your webpage. – Sahith Vibudhi Apr 05 '16 at 13:24
  • So I need to be sharing sessions between the two servers, because as you might have noticed in my question the JS is on one server and the PHP on another. The PHP should act as an API. This is helpful in case they were all on the same server. – Sameh Apr 05 '16 at 14:20
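
One way to apply the per-page key idea when the page and ant.php sit on separate servers without shared sessions, as an added example that is not part of the answers above: server A signs a short-lived token with a secret both servers keep in server-side config, and server B checks the signature and expiry before running the DB code. The function names, `SHARED_SECRET`, the 300-second lifetime and the sample timestamp are assumptions made for illustration.

```php
<?php
// Added example with constructed names and values, not code from the answers.
// Assumption: both servers load the same secret from server-side config;
// it is never written into HTML or JS.
const SHARED_SECRET = 'replace-with-random-secret-from-config'; // placeholder

// Domain A: call while rendering the page; put the result in the hidden field.
function issue_token(string $secret, int $now, int $ttl = 300): string
{
    $payload = json_encode(['exp' => $now + $ttl, 'nonce' => bin2hex(random_bytes(16))]);
    $body = rtrim(strtr(base64_encode($payload), '+/', '-_'), '='); // base64url
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

// Domain B: call at the top of ant.php, before any DB code runs.
function verify_token(string $token, string $secret, int $now): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false; // malformed
    }
    [$body, $mac] = $parts;
    // Constant-time comparison of the expected and received MAC.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return false; // forged or altered
    }
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    return is_array($claims) && isset($claims['exp']) && $now <= (int) $claims['exp'];
}

// Self-check on constructed input.
$now = 1459500000; // constructed timestamp
$token = issue_token(SHARED_SECRET, $now);
var_dump(verify_token($token, SHARED_SECRET, $now + 60));   // inside the lifetime
var_dump(verify_token($token, SHARED_SECRET, $now + 301));  // past the expiry
var_dump(verify_token($token . '0', SHARED_SECRET, $now));  // MAC altered
var_dump(verify_token('no-dot-here', SHARED_SECRET, $now)); // malformed token
```

The token is still readable by whoever loads the page, so it limits submissions to clients that recently fetched a page from domain A rather than hiding anything from them. Recording each accepted nonce on domain B until its expiry makes a token single-use.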