AJAX security risks from verification?

I want to check the form without reloading the whole page. I am using JavaScript at the moment, however it is not safe. To get around this, I want to use AJAX and a PHP script to validate the form. Does anyone know of any security risks this might have?

I also suggest that the AJAX method is much safer than vanilla JS, but could I be wrong?

+6
html ajax php validation
4 answers

They are exactly the same as the risks of validation using pure client-side JavaScript. The only difference is that you are asking the server for some data as part of the process.

The user can override JavaScript to submit the form regardless of the validation result.

The only reason to use JavaScript in general when checking the data to send is to save the user time. If, as part of this, you want to do something like a server request to check whether the username is accepted while the user fills out the rest of the form, then fine - this is a pretty nice use of Ajax. Otherwise, using Ajax is pretty useless.

If you want to perform client-side validation, then put all the logic you can for it on the client and do not make HTTP requests. If you have things that can only be checked on the server side (because they depend on data, for example the case of usernames that are already accepted), consider using Ajax for those. A client-side check is a convenience check. Always run the security check on the server, against the final data submitted.

Please note that checking the data that is actually sent using Ajax is another matter, as that is the final data submitted. Performing Ajax validation as a precursor to the final submission does not add any trust to the data.

+5

All AJAX actions offload part of the process to the server, "hidden" from the client (in the sense that the functional processing of your data / variables is hidden). However, you must be careful with the information sent to the server, which may be captured or, worse, spoofed. The difference with pure JS is that your functional processing is accessible to everyone, so it can be seen and potentially used.

Validation should not be performed on the server side if you are not checking the contents of the database (i.e. uniqueness of the username, etc.). If you are just checking whether the input is an email address, you can do that in JS, for example using a RegEx.

If you are checking database data, make sure that all database queries built from submitted (POST / GET) variables are escaped using mysql_real_escape_string to prevent SQL injection.

+2

You can verify the data with AJAX, and you can also do it in pure JavaScript, but you will have to re-verify it in the script after receiving the data. Any client-side validation method can be bypassed by sending a POST request to your form target.

+1
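The point made by the first three answers (the AJAX check is a convenience, the final POST must be validated again on the server, and any database lookup driven by user input must not splice that input into SQL) can be shown in one PHP script. This is an added example, not code from any of the answers; it uses a PDO prepared statement for the uniqueness lookup (the "parameterized queries" the last answer mentions) rather than `mysql_real_escape_string`. The table layout (`users` with `username`, `email`, `password_hash`), the SQLite in-memory DSN and the field rules are assumptions made for the demo.

```php
<?php
// Added example, not from the original answers. One validator is shared by the AJAX
// pre-check and the final submission, so a client that skips the AJAX step gets the
// same rules applied to whatever it actually POSTs.
declare(strict_types=1);

function open_db(): PDO {
    // Assumption: SQLite in memory for the demo; any PDO driver behaves the same here.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT UNIQUE, password_hash TEXT)');
    return $db;
}

// Database-backed check. The value is bound as a parameter, never concatenated into
// the SQL text, so no escaping of the user-supplied string is needed.
function username_taken(PDO $db, string $username): bool {
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchColumn() !== false;
}

// Full rule set. Returns field => error message; an empty array means valid.
function validate_registration(PDO $db, array $in): array {
    $errors = [];
    $username = trim((string)($in['username'] ?? ''));
    $email    = trim((string)($in['email'] ?? ''));
    $password = (string)($in['password'] ?? '');

    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors['username'] = 'Use 3-20 letters, digits or underscores.';
    } elseif (username_taken($db, $username)) {
        $errors['username'] = 'That username is already in use.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid email address.';
    }
    if (strlen($password) < 12) {
        $errors['password'] = 'Use at least 12 characters.';
    }
    return $errors;
}

// AJAX pre-check (e.g. requested when the username field loses focus): one field only.
function ajax_check(PDO $db, array $post): string {
    $field = (string)($post['field'] ?? '');
    if (!in_array($field, ['username', 'email', 'password'], true)) {
        return json_encode(['ok' => false, 'message' => 'Unknown field.']);
    }
    $errors = validate_registration($db, [$field => $post['value'] ?? '']);
    // Only the requested field is reported; the others are blank here and would "fail".
    return json_encode(['ok' => !isset($errors[$field]), 'message' => $errors[$field] ?? '']);
}

// Final submission: re-run the whole validator on what was actually sent, whatever the
// client reported earlier, then insert with a prepared statement.
function handle_submit(PDO $db, array $post): array {
    $errors = validate_registration($db, $post);
    if ($errors !== []) {
        return ['status' => 400, 'errors' => $errors];
    }
    $stmt = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :p)');
    $stmt->execute([
        ':u' => trim((string)$post['username']),
        ':e' => trim((string)$post['email']),
        ':p' => password_hash((string)$post['password'], PASSWORD_DEFAULT),
    ]);
    return ['status' => 201, 'errors' => []];
}

// Demo on constructed input; no real HTTP request is involved.
$db = open_db();
$first = handle_submit($db, ['username' => 'alice', 'email' => 'alice@example.com', 'password' => 'correct horse battery']);
echo 'first submit status: ', $first['status'], "\n";
echo 'ajax check for "alice": ', ajax_check($db, ['field' => 'username', 'value' => 'alice']), "\n";
// A client that never ran the AJAX check and POSTs straight to the handler hits the same rules.
$second = handle_submit($db, ['username' => 'alice', 'email' => 'not-an-email', 'password' => 'short']);
echo 'second submit status: ', $second['status'], ' errors: ', json_encode($second['errors']), "\n";
```

In a real deployment `ajax_check()` and `handle_submit()` would read `$_POST` behind two URLs (the answer's `ajax.php` and the form's action); what matters is that both call the same `validate_registration()` and that the pre-check result is never stored or trusted on the final submission.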

The main thing to keep in mind is that when using AJAX, you are essentially providing an interface to your database. For example, if you check for duplicate usernames (which you CANNOT do in javascript) or duplicate emails to show a message such as "this username is already in use ... try another", you are providing an interface for a potential hacker to check right away which usernames and / or emails are available. The security issues are not the same as for javascript. My advice to you on this topic is: (1) Use parameterized queries to access the database, as already mentioned. (2) Implement a delay on the ajax.php page - the length depends on the scenario - I go for about 1 second. (3) Perform the ajax call on blur or loss of focus, not on every click. (4) Implement a check in your ajax handler that guarantees the request comes from the expected page (i.e. not some random script a hacker wrote). (5) ONLY make the AJAX call when some other basic form element check has passed [i.e. basic JavaScript validation].

Hope this helps. Validating a form with ajax is absolutely nothing even remotely like javascript validation. It is an interface into your database, and you need to be careful with it.

It helps to imagine how you could hack your own site — knowing which email addresses are registered on your site is a great place to start. So I could write a script to generate random email addresses using common words and / or names and hit your ajax handler to get a list of registered email addresses on your site. I could do it quickly if you did not follow the advice (1) - (5) that I mentioned above. As soon as I get the emails, I will just split them ... most likely, that gives me a name. I can guess the username from there. So now I have a username and an email address. Passwords would take too long to explain, but if I can easily get usernames or emails ... it marks you as a target and you get more attention than you really need.

I am currently working on a registration verification system. I would gladly share it with you, if you want. I guess I'm missing something important!

Peace.

0
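The guards this answer lists for the ajax handler, points (2), (4) and (5), can be put in front of the availability lookup as a small gate. This is an added example, not the answer's own registration code; it assumes a per-session token issued when the form page is rendered, a fixed 1 second delay (the answer's figure), a per-session budget of 20 checks, the site origin `https://example.test`, and a session array standing in for `$_SESSION`. The `Origin` header comparison and the `hash_equals` token check are the two halves of point (4): the browser sets `Origin` on cross-site XHR/fetch POSTs, and the token is something a script that did not load the form page cannot know.

```php
<?php
// Added example, not from the original answer: a gate in front of an AJAX
// username-availability check, implementing the answer's points (2), (4) and (5).
declare(strict_types=1);

const EXPECTED_ORIGIN = 'https://example.test';   // assumption: the origin that serves the form page
const MAX_CHECKS_PER_SESSION = 20;                // assumption: per-session budget before refusing
const DELAY_SECONDS = 1;                          // the answer's "about 1 second"

// Called when the form page is rendered; the page's JavaScript sends the token back
// with every AJAX request (e.g. as a POST field).
function issue_form_token(array &$session): string {
    $session['ajax_token'] = bin2hex(random_bytes(16));
    $session['ajax_checks'] = 0;
    return $session['ajax_token'];
}

// Returns null when the request may proceed, otherwise the HTTP status to respond with.
// $headers: lower-cased header map; $post: decoded POST body; $session: server-side session data.
function gate_ajax_request(array $headers, array $post, array &$session): ?int {
    // (4) Same-origin: a missing or foreign Origin means the call did not come from our page.
    if (($headers['origin'] ?? '') !== EXPECTED_ORIGIN) {
        return 403;
    }
    // (4) Per-session token, compared in constant time. Origin/Referer alone are only
    // hints (a non-browser client can set them); the token is the stronger check.
    $token = (string)($post['token'] ?? '');
    if ($token === '' || !hash_equals((string)($session['ajax_token'] ?? ''), $token)) {
        return 403;
    }
    // (2) Throttle: count every attempt, including rejected ones, against the budget.
    $session['ajax_checks'] = ($session['ajax_checks'] ?? 0) + 1;
    if ($session['ajax_checks'] > MAX_CHECKS_PER_SESSION) {
        return 429;
    }
    // (5) Basic format check before the database is touched at all; the client-side
    // check is a courtesy, this one is the real one.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', (string)($post['value'] ?? ''))) {
        return 400;
    }
    return null;
}

// $taken stands in for the prepared-statement lookup against the users table.
function ajax_availability(array $headers, array $post, array &$session, callable $taken): array {
    $status = gate_ajax_request($headers, $post, $session);
    if ($status !== null) {
        return ['status' => $status, 'body' => ['ok' => false]];
    }
    sleep(DELAY_SECONDS);                         // (2) constant delay per answered check
    return ['status' => 200, 'body' => ['ok' => !$taken((string)$post['value'])]];
}

// Demo on constructed requests (no real HTTP involved).
$session = [];
$token = issue_form_token($session);
$taken = fn(string $u): bool => in_array($u, ['alice', 'bob'], true);   // constructed user list
$sameOrigin = ['origin' => EXPECTED_ORIGIN];

$cases = [
    'from our page, free name'   => [$sameOrigin, ['token' => $token, 'value' => 'carol']],
    'from our page, taken name'  => [$sameOrigin, ['token' => $token, 'value' => 'alice']],
    'foreign origin'             => [['origin' => 'https://other.example'], ['token' => $token, 'value' => 'carol']],
    'wrong token'                => [$sameOrigin, ['token' => 'guess', 'value' => 'carol']],
    'fails basic format'         => [$sameOrigin, ['token' => $token, 'value' => 'a']],
];
foreach ($cases as $label => [$headers, $post]) {
    $r = ajax_availability($headers, $post, $session, $taken);
    echo str_pad($label, 28), ' -> ', $r['status'], ' ', json_encode($r['body']), "\n";
}
echo 'checks counted this session: ', $session['ajax_checks'], "\n";
```

Two caveats a practitioner would add: the per-session budget is bounded only as long as new sessions are also rate-limited (per IP or per account, outside this example), and the fixed delay slows a single client but not many parallel ones, so it complements the budget rather than replacing it.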
