securely passing sensitive data from PHP to javascript

Question

My scenario looks like this, I'm showing database paginated grid on the screen. I want add a button to download CSV spreadsheet . so I coded something like this:

 $(function(){ var file_complete = false; var final_sql = $('.initiate_download').val(); var orderby = $('#search_submit').data('orderby'); var $posturl = $url + "index.php/Spawner/launch_spawner"; $('#downloadModal').modal('hide'); $('.initiate_download').on("click", function(e) { e.preventDefault(); $('#pleaseWait').html($html); setTimeout(function() { $.ajax({ // initiate download url: $posturl, type: "POST", data: { final_sql: final_sql, orderby: orderby, report: $report }, success: function(data) { var download_id = data; // console.log(download_id); check_download_status(download_id); } }) }, 2000); }) }); 

  <div class="row top-buffer"> <button id="search_submit" class="btn btn-primary initiate_download" type="submit" value="<?php echo $sql; ?>" data-orderby="<?php echo $orderby;?>" name="final_sql_lic" >Download List</button> <span id="pleaseWait"> </span> </div> 

it works fine, but the problem is that you can view SQL with view page option, is there a way around it ?

Answer 1

What most people do is they don't embed the SQL on page, but instead expose URLs that handle the SQL stuff behind the scenes.

In your example, you might create a page like this: http://website.com/api/csv?select=col1,col2,col3&orderBy=someColumn&where=someCondition

Then your php will take those parameters and generate the sql based off of those and run the query. Make sure you securely handle the input to avoid SQL injection (See http://bobby-tables.com/php.html ).

The problem with your current scenario is that someone viewing your source will plainly see that you're passing SQL directly to your server, meaning they can generate their own SQL like: DROP TABLE table1, table2; or worse.