I have a specific case in which I would like to receive some safety recommendations. Basically my question is: "If I control what is in the database (without user data), is there a security problem with returning the database query results as HTML (via AJAX)?"
Here is the process:
- daily build generates an XML document
- My server fetches this XML document, parses it (using PHP) and inserts it into the database.
- The user visits the site and an AJAX request is sent (parameters include the number of results to return, the sort order and, if necessary, the search query).
- A PHP script queries the database and returns the results to the AJAX callback.
- The AJAX callback inserts the result into the page for display.
Pretty standard stuff ...
A few more prerequisites: I use prepared SQL statements, so the user query and any URL manipulation are restricted from creating an arbitrary query. The XML file is only alphanumeric, without code. The reason I want to return HTML is to limit the work on the client side as much as possible; with HTML there is no need to fuss with JS to build the page (apart from using jQuery to insert an HTML block).
Any suggestions for me?
Thanks in advance.
PS: This is still at the planning stage, so there is no real code to show.
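An added example of the endpoint shape described in the question (not code from the poster): prepared statements bind the search value and LIMIT, the ORDER BY parts that a prepared statement cannot bind come from a fixed whitelist, and every database value is HTML-escaped before it is placed in the returned fragment. The `builds` table, column names and sample rows are assumptions; an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example, not from the original post. Assumes a table `builds`
// (name, built_at) populated by the nightly XML import; SQLite in memory
// stands in for the real database so the file runs on its own.
declare(strict_types=1);

// Request key => real column / SQL keyword. Identifiers cannot be bound as
// parameters, so they are looked up here instead of taken from the request.
const SORT_COLUMNS = ['name' => 'name', 'built' => 'built_at'];
const SORT_DIRS    = ['asc' => 'ASC', 'desc' => 'DESC'];

function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderResults(PDO $db, array $params): string {
    $col   = SORT_COLUMNS[$params['sort'] ?? 'name'] ?? 'name';
    $dir   = SORT_DIRS[strtolower($params['dir'] ?? 'asc')] ?? 'ASC';
    $limit = min(max((int)($params['limit'] ?? 20), 1), 100);   // clamp to 1..100

    // $col and $dir are whitelisted constants above, never raw request input.
    $stmt = $db->prepare(
        "SELECT name, built_at FROM builds WHERE name LIKE :q ORDER BY $col $dir LIMIT :limit"
    );
    $stmt->bindValue(':q', '%' . ($params['q'] ?? '') . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();

    $html = '<ul class="results">';
    foreach ($stmt as $row) {
        // Escape even though the feed is expected to be alphanumeric: the
        // feed, not the application, is the only thing enforcing that.
        $html .= '<li>' . h($row['name']) . ' (' . h($row['built_at']) . ')</li>';
    }
    return $html . '</ul>';
}

// Constructed sample rows in place of the nightly XML import.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE builds (name TEXT, built_at TEXT)');
$ins = $db->prepare('INSERT INTO builds VALUES (?, ?)');
$ins->execute(['widget-core', '2024-01-05']);
$ins->execute(['widget-ui <script>', '2024-01-06']);   // value the feed should never contain

header('Content-Type: text/html; charset=UTF-8');
echo renderResults($db, ['q' => 'widget', 'sort' => 'built', 'dir' => 'desc', 'limit' => '10']);
```

The second sample row is rendered as literal text (`&lt;script&gt;`) rather than markup, which is the property to keep when the fragment is inserted with jQuery's `.html()`.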