dqoys62082 2015-01-05 05:07

Safely pulling directory contents with PHP and reading them with jQuery?

My question is about PHP security for this particular operation:

I want to use JavaScript to pull all JSON files from a particular directory on my web server. I have done it like so: I pull all the correct file names with this PHP script ("get-data.php"):

<?php
echo json_encode(glob('*.json'));
?>

Then I move that array into JavaScript with

var oReq = new XMLHttpRequest();
oReq.onload = function() {
    fileNames = JSON.parse(this.responseText);
};
oReq.open("get", "get-data.php", true);
oReq.send();

Then I use the following to read the files into an array:

function getMapInfo(fileName){
    $.get(fileName, function(result) {
        var map = JSON.parse(result);
        mapData.push(map);
    });
}

I got some of this code from here: How to pass variables and data from PHP to JavaScript? and I have read up on XSS a little here and here, and it is my understanding that "untrusted data" is data that the user would enter which would then be run in a script? I believe that my above solution doesn't contain unsafe data since it only pulls files that are already on my server, is that correct?

Overall, my question is: is this a safe way to allow my code to retrieve multiple unknown files from my server? Eventually, I want users to "save" map data to the server which will then be read by the above script for others to see.

Thanks very much,

Jordan

1 answer

  • doutan1671 2015-01-13 17:14

    Yes, this is perfectly safe. You will just need to ensure that security is part of the PHP code when needed, by limiting or filtering what it can select (already fine there) and how .json files are validated and stored. Once that is addressed you will be fine, and your existing solution is perfectly safe. You can also modify the .htaccess file to hide folder content if you have a concern about others viewing directories on your website.

    This answer was selected by the asker as the best answer.
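
The "validated and stored" step the answer mentions matters once users can save map data, because those files are then untrusted input. The sketch below is an added example, not code from the question or the answer; the maps directory, the size limit and the "name"/"tiles" fields are assumptions made for illustration.

```php
<?php
// Added example: validate and store user-submitted map JSON, then list it.
// MAP_DIR, MAX_BYTES and the "name"/"tiles" schema are assumptions.
const MAP_DIR   = __DIR__ . '/maps';   // dedicated directory, holds nothing else
const MAX_BYTES = 65536;               // reject oversized uploads

// Returns the map reduced to its expected keys, or null if it is rejected.
function validate_map(string $body): ?array
{
    if ($body === '' || strlen($body) > MAX_BYTES) {
        return null;
    }
    $map = json_decode($body, true, 16);          // depth limit of 16
    if (!is_array($map)
        || !isset($map['name'], $map['tiles'])
        || !is_string($map['name']) || strlen($map['name']) > 64
        || !is_array($map['tiles'])) {
        return null;
    }
    // Unknown keys are dropped instead of being stored and re-served.
    return ['name' => $map['name'], 'tiles' => $map['tiles']];
}

// The file name is generated on the server, so no user input reaches the path.
function save_map(array $map): string
{
    if (!is_dir(MAP_DIR)) {
        mkdir(MAP_DIR, 0750, true);
    }
    $file = bin2hex(random_bytes(16)) . '.json';
    file_put_contents(MAP_DIR . '/' . $file, json_encode($map), LOCK_EX);
    return $file;
}

// Same idea as glob('*.json') in get-data.php, scoped to the map directory.
function list_maps(): array
{
    return array_map('basename', glob(MAP_DIR . '/*.json') ?: []);
}

// Constructed sample inputs (a real endpoint would read php://input).
$good = '{"name":"Demo","tiles":[[0,1],[1,0]],"extra":"dropped"}';
$bad  = '{"name":"x","tiles":"<script>alert(1)</script>"}';

var_dump(validate_map($bad) === null);            // bool(true): tiles is not an array
$stored = save_map(validate_map($good));
var_dump(in_array($stored, list_maps(), true));   // bool(true)
```

The "name" string is still user-controlled after this check, so the page that displays it should insert it as text (for example jQuery's .text()) and not as HTML.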
