Reputation: 647
I am wondering about "injection", including JavaScript injection (I don't understand its rules).
If I have a JavaScript function that makes an AJAX request to find out the permission level of a user, and I then check that level with an if statement to assign power, is that vulnerable?
Javascript
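function checkPermission(callback) {
    // $.post is asynchronous, so the result is passed to a callback
    // rather than returned from checkPermission itself.
    $.post('user.php', userId, function (data) {
        callback(data.permission);
    });
}
// The permission check below still runs entirely in the browser.
checkPermission(function (permission) {
    if (permission === 2) {
        // User has admin powers
    }
});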
Can someone read this in the code and simply change the variable "permission" to 2 and thus have admin access?
Thanks.
Upvotes: 0
Views: 55
Reputation: 3217
Yes, it's vulnerable because the user could change the userID value through their browser, since JavaScript is run client-side.
You shouldn't rely on client-side data for something like this. You'll at least want to authenticate the user server-side when they log in, and then create a session to save their userID and such. This way you can rely on the server-side session data, which the user won't be able to manipulate.
Edit:
Also, in your example, the user could change the value of the permission variable too. Again, no validation checks should be left up to client-side code.
Upvotes: 3
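The server-side session approach described in the answer above, as an added example that is not part of the original question or answer. It is a Node.js stand-in for the logic that would live behind `user.php`; the user table, `startSession`, `handleAdminAction` and the request shape are hypothetical names, and credential verification at login is assumed to have happened before `startSession` is called.

```javascript
const crypto = require("crypto");

const ADMIN = 2; // same admin level the question's code checks for

// Constructed sample data standing in for the user table behind user.php.
const USERS = new Map([
  ["alice", { permission: ADMIN }],
  ["bob", { permission: 1 }],
]);

const sessions = new Map(); // session id -> user id, held only on the server

// Call only after the server has verified the user's credentials at login.
function startSession(userId) {
  const sid = crypto.randomBytes(32).toString("hex"); // unguessable id
  sessions.set(sid, userId);
  return sid; // sent to the browser as an HttpOnly cookie
}

// Handler for a privileged request. `req` mimics a parsed HTTP request.
function handleAdminAction(req) {
  const userId = sessions.get((req.cookies || {}).sid);
  if (userId === undefined) {
    return { status: 401, body: "not logged in" };
  }
  // Identity comes from the session; req.body.userId and
  // req.body.permission are client-supplied and never consulted.
  const user = USERS.get(userId);
  if (!user || user.permission !== ADMIN) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: "admin action done for " + userId };
}

// Bob's browser sends a body claiming Alice's id and permission level 2.
function demo() {
  const bobSid = startSession("bob");
  const aliceSid = startSession("alice");
  const forged = { userId: "alice", permission: 2 };
  return [
    handleAdminAction({ cookies: { sid: bobSid }, body: forged }).status,
    handleAdminAction({ cookies: { sid: aliceSid }, body: {} }).status,
    handleAdminAction({ cookies: { sid: "guessed" }, body: forged }).status,
  ];
}

console.log(demo()); // [ 403, 200, 401 ]
```

The client-side `if (permission === 2)` check can stay for showing or hiding admin controls, but every privileged request has to pass a check like this one on the server.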