  1. #1 Regular Coder (Join Date: Feb 2010, Posts: 208)

    Ajax security issues

    Hi,

    I have a few Ajax engines working on my website, but I am quite new to the security risks they might bring...

    Let's say I have page1.php from which my ajaxEngine.php is called...

    in page1.php I have:
    Code:
    function myFirstAction(value)
    {
        var xmlhttp; // declared locally so it does not leak into the global scope
        if (window.XMLHttpRequest)
        {// code for IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp=new XMLHttpRequest();
        }
        else
        {// code for IE6, IE5
            xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
        }
        // encodeURIComponent keeps characters such as & or # in value from breaking the query string
        xmlhttp.open("GET","/content/ajaxEngine.php?value="+encodeURIComponent(value),false);
        xmlhttp.send(null);
        document.getElementById('myResponse').innerHTML=xmlhttp.responseText;
    }
    And in my ajaxEngine.php I am checking whether the variable value isset() and whether it is something I am looking to work with.

    BUT.

    If you enter browser dev tools, you can see what I am sending to my ajaxEngine.php.

    In this case I assume that this request can be made by a hacker with some other harmful script included.

    How secure is it to use this approach?

    All opinions are welcome.

    Kind regards,
    Auriaks

  • #2 rnd me, Senior Coder (Join Date: Jun 2007, Location: Urbana, Posts: 4,298)
    Quote Originally Posted by auriaks
    If you enter browser dev tools, you can see what I am sending to my ajaxEngine.php.

    In this case I assume that this request can be made by a hacker with some other harmful script included.

    How secure is it to use this approach?
    The PHP should only do what you allow it to, no matter what the input.

    Ajax alone doesn't really provide any more or any less security than using forms alone.

    Anytime you accept input in a back-end, you must validate the data and perhaps the requester to maintain legitimacy.
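A hardened ajaxEngine.php along the lines rnd me describes, as an added example that is not part of either post: it accepts only allowlisted values and checks a per-session token that page1.php is assumed to have issued. The token name, session key and the allowed values are assumptions, not something from the thread.

```php
<?php
// ajaxEngine.php, hardened (added example, not the OP's code).
// Assumed: page1.php called session_start(), stored a random token in
// $_SESSION['ajax_token'] and the JavaScript sends it as ?token=... with value.
declare(strict_types=1);

// The server decides what "value" may mean; anything else is rejected, no
// matter how the request was built in dev tools or by another script.
const ALLOWED_VALUES = ['news', 'weather', 'events'];

/** Returns the validated value, or null if it is missing or not on the allowlist. */
function validateValue($value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    return in_array($value, ALLOWED_VALUES, true) ? $value : null;
}

/** Constant-time comparison so the token check does not leak timing information. */
function requesterIsLegit(?string $sent, ?string $expected): bool
{
    return is_string($sent) && is_string($expected) && hash_equals($expected, $sent);
}

session_start();
header('Content-Type: text/html; charset=UTF-8');

if (!requesterIsLegit($_GET['token'] ?? null, $_SESSION['ajax_token'] ?? null)) {
    http_response_code(403);
    exit('forbidden');
}

$value = validateValue($_GET['value'] ?? null);
if ($value === null) {
    http_response_code(400);
    exit('bad request');
}

// Map the validated key to content; the raw input never reaches a file path,
// SQL query or shell command.
$content = [
    'news'    => 'Latest news goes here',
    'weather' => 'Weather goes here',
    'events'  => 'Upcoming events go here',
][$value];

// Escape before the text lands in innerHTML on the calling page.
echo htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
```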