CODEWITHSUNDEEP
javascriptphpjqueryajaxforms
user3733878
user3733878

Reputation: 13

Submit PHP form without reloading or AJAX

I know this question must've been asked various times here but I have not found a solution from all links I could search for. I don't understand how to do this.

I have a form, with 2 textboxes and 1 submit button. The form name is 'form1'

here is what I was using till now:

<script type="text/javascript">

    $("#form1").submit(function() {

        $.ajax({
            type: 'GET',
            url: 'response.php',
            data: {1: $("#txt1").val(), 2: $("#txt2").val()},
            success: function (data) {
                $("#update").prepend(data);
            },
            error: function (xhr, ajaxOptions, thrownError) {
                alert(thrownError);
            }
        });

    });

        </script>

'update' is a table.

I am adding a new row to it after the data is parsed in response.php.

Now, the problem is, using AJAX for this is not at all secure. Users can use plugins such as 'Tamper Data' for firefox to mess with these and send any data they want regardless of what they entered. Thus, making me vulnerable to XSS and CSRF attacks.

So I tried a different approach, I set the form's action to response.php.

Now, there are 2 problems in doing that:

  1. The page refreshes.

  2. How can I make the table row prepend via PHP that too in another document? Earlier I was just echoing it and then AJAX prepended the data for me.

Upvotes: 1

Views: 191

Answers (3)

colburton
colburton

Reputation: 4715

To make things clear: There is no other way than "refreshing" or AJAX.

You should stick to AJAX. To amend your security concerns, you can add a token to the form, which is only valid for this user (saved in his session on login). Therefore noone else can send data in his name and thus eliminiating the risk for XSS and CSRF.

You need to transmit that token in your AJAX request and check it in response.php.

Validation in response.php:

Escape everything which goes into your database. mysql_real_escape_string or PDO will help you with that.

When you output userdata somewhere in your page use htmlspecialchars().

You might also consider strip_tags() before saving or printing any values.

Upvotes: 3

Philipp
Philipp

Reputation: 15639

Removing AJAX isn't the solution to solve XSRF and XSS vulnerabilities. Instead you should use form tokens, two step forms, etc to prevent this.

Using session tokens isn't very hard - you just have to generate a token for each form, save them on the server and compare the send token with them on the server. To be really secure, you should generate a token for each form, but you could also use a token for each session.

Btw. XSS isn't a problem of ajax or some form posts - it's a problem of not escaping malificious output. htmlentities and stuff like this, should help you.

Upvotes: 0

Muqito
Muqito

Reputation: 1399

Since you're submitting a form request, you should be using POST instead.

Secondly, ajax post is no less secure than a regular post so you should not be worried.

Third, if you're worrying about someone sniffing your network. Have your website use HTTPs instead.

To prevent XSS attacks, you should be modifying your data before printing it to the end user using something like htmlentities.

To prevent sql injections, I would suggest using PDO or atleast escape your userinput before.

Upvotes: 0

Related Questions