inControl

Reputation: 2324

Using SQL queries in ajax

Is there anything wrong with just using a SQL query in an ajax call? For example something like:

$.ajax({
     type: "POST",
     url: "queryhandler.php",
     // raw SQL text built in the browser and sent to the server as-is
     data: { query: "INSERT INTO users VALUES('incontrol', 'drowssap')" },
     dataType: "json",
     success: function (data) {
         if (typeof callback == 'function')
             callback(data);
     }
});

Is this inadvisable? If it is, why?

Upvotes: 0

Views: 382

Answers (3)

dipmala

Reputation: 2011

Yes, this is wrong because you are inviting hackers to come to your site and hack your website.

Upvotes: 0

Daniel M

Reputation: 3379

Yes, for several reasons.

a. You provide a direct interface to any "hacker" to read and manipulate your data.

b. Even if you add a whitelist on the server-side that filters out manipulated queries, you'd expose your database structure (or parts of it) which can help attackers to be more targeted.

Upvotes: 1

Lusitanian

Reputation: 11122

This is a very bad idea. If you can make a direct SQL query from AJAX, which is a client-side technology, then anyone who uses your website can. If you return results, this means that not only can everyone on your site add/remove/modify data and potentially manipulate table structure, but they can also extract private or confidential data from your database.

Upvotes: 3
