I have a website search coded with PHP. It is essentially a PHP-AJAX search which gets triggered on the onkeyup event of the search input field. The onkeyup triggers an AJAX call to a PHP file which reads the indexes-file.txt file containing the indexes, by using PHP's file() function.
However, here I am not dealing with a database, so I think that there is no chance of SQL injection or an XSS attack (correct me if I am wrong).
Also, I know about the mysqli_real_escape_string() and htmlentities() functions, their importance, and their use cases. What I am trying to find out is whether this particular PHP-AJAX method is vulnerable or not.
Further, does any other type of vulnerability exist in this type of case apart from server-side vulnerabilities?
The onkeyup function is:
function results(str) {
    var search_term = $("#search")
        .val()
        .trim();
    if (search_term == "") {
        // ...
    } else {
        $.ajax({
            url: "websearch.php",
            type: "post",
            data: {
                string: search_term
            },
            dataType: "json",
            success: function(returnData) {
                for (var i in returnData) {
                    for (var j in returnData[i]) {
                        $('#results').append('<div><a target="_blank" href="' + returnData[i][j] + '">' + Object.keys(returnData[i]) + '</a></div>');
                    }
                }
            }
        });
    }
}
The indexes-file.txt contains:
books*books.php
newspaper*newspaper.php
download manual*manual.php
...
and my websearch.php file contains:
<?php
error_reporting(0);
$indexes = 'indexes-file.txt';
$index_array = file($indexes, FILE_IGNORE_NEW_LINES);
// Initialise the lookup array so the loop below is safe even if the file is empty.
$l_arr = array();
foreach ($index_array as $st) {
    $section = explode('*', $st);
    $k = $section[0];
    $kklink = $section[1];
    $l_arr[] = array($k => $kklink);
}
//Get the search term from "string" POST variable.
$var1 = isset($_POST['string']) ? trim($_POST['string']) : '';
$webresults = array();
//Loop through our lookup array.
foreach ($l_arr as $kk) {
    //If the search term is present.
    if (stristr(key($kk), $var1)) {
        //Add it to the results array.
        foreach ($kk as $value) {
            $webresults[] = array(key($kk) => $value);
        }
    }
}
//Display the results in JSON format so to parse it with JavaScript.
echo json_encode($webresults);
?>
If you are not dealing with a database it may not be vulnerable to SQL injection, but it's probably vulnerable to XSS. To prevent XSS and script execution you should use:
Prevent XSS: PHP htmlentities() function
Basic example of filtering the inputs:
<?php
echo '<script>alert("vulnerable");</script>'; // vulnerable to XSS
?>
Filtering the inputs with htmlentities():
<?php
$input = '<script>alert("vulnerable");</script>';
echo htmlentities($input); // not vulnerable to external input code injection scripts
?>
So it prevents script and HTML tag injection from executing on the site; read more here.
For a database you should use PDO with prepared statements.
Prevent SQL injection
Use PDO
Correctly setting up the connection
Note that when using PDO to access a MySQL database real prepared statements are not used by default. To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is:
$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'password');
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
Fixing your code
<?php
error_reporting(0);
$indexes = 'indexes-file.txt';
$index_array = file($indexes, FILE_IGNORE_NEW_LINES);
// Initialise the lookup array so the loop below is safe even if the file is empty.
$l_arr = array();
foreach ($index_array as $st) {
    $section = explode('*', $st);
    $k = $section[0];
    $kklink = $section[1];
    $l_arr[] = array($k => $kklink);
}
//Get the search term from "string" POST variable.
$var1 = isset($_POST['string']) ? trim($_POST['string']) : '';
$webresults = array();
//Loop through our lookup array.
foreach ($l_arr as $kk) {
    //If the search term is present.
    if (stristr(key($kk), $var1)) {
        //Add it to the results array.
        foreach ($kk as $value) {
            $webresults[] = array(key($kk) => $value);
        }
    }
}
//Display the results in JSON format so to parse it with JavaScript.
echo htmlentities(json_encode($webresults));
//fixed
?>
Every time you echo something from the outside, use htmlentities:
echo htmlentities(json_encode($webresults));
Your array problem: I tested it with a demo JSON string and it's working fine.
<?php
$webresults =
'
{ "aliceblue": "#f0f8ff",
  "antiquewhite": "#faebd7",
  "aqua": "#00ffff",
  "aquamarine": "#7fffd4",
  "azure": "#f0ffff",
  "beige": "#f5f5dc",
  "bisque": "#ffe4c4",
  "black": "#000000",
}';
echo htmlentities(json_encode($webresults));
?>
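In this design the search term never reaches the HTML; the only place where data meets markup is the question's success() callback, which splices the index entries into `<a href="...">` via string concatenation, and the answer's recommendation of escaping the JSON body turns every `"` into `&quot;`, which the client's dataType: "json" parser can no longer read. The following is an added example, not code from the question or the answer, showing where the escaping belongs: at the point of HTML insertion, with an allow-list on the href. The helper names (escapeHtml, isSafeHref, renderResultsHtml, jsonBodyParseableAfterEntityEncoding) and the sample response are assumptions; the functions are plain so they run under Node without jQuery or a DOM.

```javascript
// Added example (not the question's or the answer's code). Builds the
// #results markup from the server's JSON with escaping at the HTML sink,
// instead of raw string concatenation. All names here are assumed.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow relative paths and http(s) URLs only. Attribute escaping alone does not
// stop a "javascript:" or "data:" scheme from becoming a clickable link, so the
// href is allow-listed before it is rendered.
function isSafeHref(href) {
  const h = String(href).trim();
  if (/^[a-z][a-z0-9+.-]*:/i.test(h)) {   // an explicit scheme is present
    return /^https?:/i.test(h);
  }
  return !h.startsWith('//');              // protocol-relative is external too
}

// Render the response shape produced by websearch.php:
//   [ { "books": "books.php" }, { "download manual": "manual.php" }, ... ]
// Entries with a disallowed href are dropped rather than rendered.
function renderResultsHtml(returnData) {
  let html = '';
  for (const entry of returnData) {
    for (const [label, href] of Object.entries(entry)) {
      if (!isSafeHref(href)) continue;
      html += '<div><a target="_blank" rel="noopener" href="' +
              escapeHtml(href) + '">' + escapeHtml(label) + '</a></div>';
    }
  }
  return html;
}

// Simulates applying an htmlentities-style encoding to the whole JSON body:
// the quotes become &quot; and JSON.parse on the client fails. Returns true
// only if the encoded body is still valid JSON.
function jsonBodyParseableAfterEntityEncoding(results) {
  const encoded = escapeHtml(JSON.stringify(results));
  try {
    JSON.parse(encoded);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample response: two entries like the question's index file and
// one deliberately hostile entry to show the allow-list and escaping at work.
const sampleResponse = [
  { 'books': 'books.php' },
  { 'download manual': 'manual.php' },
  { '<b>bad</b> entry': 'javascript:alert(1)' },
];

console.log(renderResultsHtml(sampleResponse));
console.log('JSON still parseable after entity-encoding the body:',
            jsonBodyParseableAfterEntityEncoding(sampleResponse));
```

In the page the result string would be handed to `$('#results').append(...)`, or, equivalently, built with `$('<a>').attr('href', href).text(label)` so that jQuery does the escaping; either way the server keeps sending plain `json_encode($webresults)` with a `Content-Type: application/json` header, and the encoding step lives only in the client at the HTML sink.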