Is it safe to output directory contents with PHP and read them using jQuery?

My question is about PHP security for this specific operation:

I want to use JavaScript to pull all JSON files from a specific directory on my web server. I did this: I am pulling out all the correct filenames with this PHP script ("get-data.php"):

<?php
// List every .json file in this script's directory as a JSON array of names
echo json_encode(glob('*.json'));
?>

Then I move this array to JavaScript with:

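var fileNames = [];  // filled once get-data.php has answered
var oReq = new XMLHttpRequest();
oReq.onload = function() {
    // get-data.php returns a JSON array of file names
    fileNames = JSON.parse(this.responseText);
};
oReq.open("get", "get-data.php", true);
oReq.send();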

Then I use the following to read the files into an array:

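function getMapInfo(fileName){
    // Request the file as JSON so jQuery parses it; calling JSON.parse on an
    // already-parsed object would throw. mapData is an array declared elsewhere.
    $.get(fileName, function(map) {
        mapData.push(map);
    }, "json");
}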

I got some of this code from here: How to pass variables and data from PHP to JavaScript? and I read about XSS a bit here and here, and I understand that "untrusted data" is the data that the user enters, which will then be executed in the script? I believe my above solution contains no unsafe data as it only pulls files that are already on my server, right?

Overall, my question is, is this a safe way to allow my code to fetch multiple unknown files from my server? In the end, I want to use to "save" the map data to a server, which will then be read by the above script for others to view.

Many thanks,

Jordan

+3


1 answer


Yes, it's completely safe. You just need to make sure the security is part of the PHP code when needed, by restricting or filtering what it can pick (already great there) and how .json files are checked and saved; once that is fixed you will be fine and your existing solution is perfectly safe. You can also modify the .htaccess file to hide the contents of the folder if you have a problem with others browsing directories on your website.



+1
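
Added example, not part of the original question or answer: once visitors can save maps, the file names returned by get-data.php and the contents of each map file are user-influenced, so the page can check both before using them. The map fields `name` and `tiles`, the size limits and the file-name pattern are assumptions; the same checks still have to be enforced in PHP when a file is saved.

```javascript
// Added example (not from the original post). The "name"/"tiles" map layout,
// the limits and the file-name pattern are assumptions for illustration.

const MAP_FILE = /^[A-Za-z0-9_-]{1,64}\.json$/; // bare file name: no path, no scheme
const MAX_TILES = 10000;

// Keep only listing entries that are strings matching the allowlist pattern.
function filterFileNames(listing) {
    if (!Array.isArray(listing)) return [];
    return listing.filter(function (n) {
        return typeof n === "string" && MAP_FILE.test(n);
    });
}

// Parse one map file and copy only the expected fields; null means rejected.
function parseMap(text) {
    let raw;
    try {
        raw = JSON.parse(text);
    } catch (e) {
        return null; // not valid JSON
    }
    if (raw === null || typeof raw !== "object" || Array.isArray(raw)) return null;
    if (typeof raw.name !== "string" || raw.name.length > 100) return null;
    if (!Array.isArray(raw.tiles) || raw.tiles.length > MAX_TILES) return null;
    if (!raw.tiles.every(Number.isInteger)) return null;
    // Copy known fields only, so unexpected keys never reach the rest of the page.
    return { name: raw.name, tiles: raw.tiles.slice() };
}

// Escape a string for insertion into HTML. In the browser, assigning to
// element.textContent (or jQuery's .text()) avoids building HTML at all.
function escapeHtml(s) {
    const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
    return s.replace(/[&<>"']/g, function (c) { return entities[c]; });
}

// Constructed sample data, not taken from the page.
const listing = ["level1.json", "../config.json", "http://example.test/x.json", 42];
const map = parseMap('{"name":"<b>Cave</b>","tiles":[0,1,2],"extra":true}');
console.log(filterFileNames(listing), map, escapeHtml(map.name));
```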

