Is using Ajax safe?

So, I have my form embedded in HTML and validated in JS, and it works and looks the way I want. Now, obviously, I will check the input using PHP on the server side, but I wonder if it will be safe enough to send the form using Ajax and then check on the server side, instead of submitting the form using a button of type "submit" and the "action" attribute. Basically, is it safe to perform server-side validation based on a JS submission?

Here is my form:

<form name="contactForm" id="contactForm"><!-- The form has no action attribute because it is submitted via Ajax -->
  <div id="inputsWrapper">
    <div>
      <label for="fullName">Your Name: <span class="required">(required)</span></label>
      <input type="text" name="fullName" id="fullName" title="First &amp; last name" value="First &amp; last name" maxlength="50" />
    </div>
    <div>
      <label for="email">Your E-mail: <span class="required">(required)</span></label>
      <input type="text" name="email" id="email" title="E-mail address" value="E-mail address" maxlength="500" />
    </div>
    <div>
      <label for="subject">In Regards To: <span class="required">(required)</span></label>
      <input type="text" name="subject" id="subject" title="Subject" value="Subject" maxlength="50" />
    </div>
    <div>
      <label for="message">Your Message: <span class="required">(required)</span></label>
      <textarea name="message" id="message" title="Enter your message here" cols="40" rows="10">Enter your message here</textarea>
    </div>
  </div> <!-- End inputsWrapper -->
  <input type="button" name="sendBtn" id="sendBtn" value="Send Message" /><!-- This button has a listener assigned to it in JS and submits the form on click -->
</form>

After clicking the button, Ajax will submit the form via POST to my PHP script, which will return a response. Would this be a safe way to do this or not? Thanks for any advice.

+4
2 answers

I am wondering if it would be enough to submit the form using Ajax and then check on the server side, instead of submitting the form using a "submit" button and the "action" attribute.

Yes. Input from outside the system comes from outside the system.

Basically, is it safe to perform server side validation based on JS submission?

Your JavaScript should be unobtrusive and implement progressive enhancement.

The input to the script should be the same regardless of whether it comes from a regular form submission or from Ajax (which is trivially easy if you use something like jQuery's serialize), so the server does not need to depend on JS in order to respond.

The only difference in how to process the form and process the Ajax request should be the formatting of the response.

In any case, the data entering the system is ultimately under the control of the submitter, so you need to perform suitable sanity checking and escaping anyway.

+5
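As an added illustration of this answer (not code from the question or the answerer): a PHP handler that runs one validation routine over the fields of the form above whether the POST came from Ajax or from a plain form submission, and only varies the response format. The X-Requested-With check and the error messages are assumptions, not something the page specifies.

```php
<?php
// Added example: one server-side validation path for both Ajax and regular
// form POSTs; only the response formatting differs. Field names match the
// question's form; the rest is assumed.

function validate_contact(array $post): array {
    $errors  = [];
    $name    = trim($post['fullName'] ?? '');
    $email   = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = trim($post['message'] ?? '');

    // Never trust client-side maxlength or JS checks; re-check everything here.
    if ($name === '' || mb_strlen($name) > 50) {
        $errors['fullName'] = 'Name is required (max 50 characters).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    }
    if ($subject === '' || mb_strlen($subject) > 50) {
        $errors['subject'] = 'Subject is required (max 50 characters).';
    }
    if ($message === '') {
        $errors['message'] = 'Message is required.';
    }
    return $errors;
}

function is_ajax(): bool {
    // Header set by jQuery and similar helpers (assumed); it is only a
    // formatting hint, never a reason to skip validation.
    return ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}

$errors = validate_contact($_POST);
$ok = ($errors === []);

if (is_ajax()) {
    header('Content-Type: application/json');
    http_response_code($ok ? 200 : 422);
    echo json_encode(['ok' => $ok, 'errors' => $errors]);
} else {
    // Regular submission: render HTML, escaping everything before output.
    header('Content-Type: text/html; charset=utf-8');
    echo $ok ? '<p>Message sent.</p>' : '';
    foreach ($errors as $field => $msg) {
        echo '<p>' . htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```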

Posting through Ajax or through the browser's default form submission makes no difference from a security point of view. Either way, the requests are ordinary HTTP POST / GET requests.

+5
