ashkufaraz

Reputation: 5297

Security of send SQL query with jquery Ajax

JQUERY AJAX

// action, table and fields are AES ciphertext produced on the client
// (decrypted by mc_decrypt() on the PHP side); params is sent in clear text.
var action="G3DKisVzJmPZa8c7nKTHJkqEmtSezwLNF3FVquwsNMi05OGkhNIdigm/EDUndoROtGQgmugg568OidxYzB5eJ5e9CAcrahEBBNcARkfMdy5givNlXsyPjTA4ulBRsGap|VjZgMVTK7unm+YL+b4lAfECAVwKePb/R6etD95oGAbw=";
var table="LWwkQy/JbJl959qQn/1jAZ+wwsz4qlGXJmN0P1/3/2maJCug+rh5RB2TmgriPxX1iVRKSXoWFQefvfRgFjMb0ys4YLQty10Xnqi1ubO+JfrrZ8fuEGu6DGmWNHuVhwCU|aV7uxHNJGmJ08wk0dzRhJcfT1COXHWJSKmtO3KHclLA=";
var fields="PatIyJMBdUYsR87bLwlVaar7xnPOkMaqq1o/WEnQNwJrurySi2jZO66Y0iQube4WTUaBork1PELJ94xqBU8oPMQz7+CZWBum9oeJpsVS+3CXAx6bmDCf08EDXz8x/4m1trs8CLA7ihhBYAeJVb93i+Giszp72pZsOQreYhmE12A=|cFOi51p8JRNFDSjUlQB2mtrt6P/1mVsNpqEBR+5QWxQ=";
// Yer, Tabaghat_From, Tabaghat_To and Mabna are form values defined elsewhere on the page
var params=Yer+","+Tabaghat_From+","+Tabaghat_To+","+Mabna;

$.ajax({
    url : "ajax/operationAJAX.php",
    type: "POST",
    data : {action:action,table:table,fields:fields,params:params},
    success: function(response, textStatus, jqXHR)
    {
       // the PHP side echoes "empty" when the DB operation affected nothing
       if($.trim(response)!="empty")
       {
         TShowMessage("tblMessage",response);
       }
       else
          TShowMessage("tblMessage","error:fail to insert data");
    },
    error: function (jqXHR, textStatus, errorThrown)
    {
        alert("error"+textStatus);
    }
});

PHP

<?php
// mc_decrypt() and $dbHandle are the application's own AES helper and DB wrapper,
// defined elsewhere; only the "delete" branch of the dispatcher is shown.
$action=mc_decrypt($_POST["action"]);
if($action=="delete")
{
    //Table name (decrypted)
    if(isset($_POST["table"]) && !empty($_POST["table"]))
        $table=mc_decrypt($_POST["table"]);
    else
        die('table name does not define');
    //===================
    //parameters (used as sent, in clear text; not decrypted)
    if(isset($_POST["params"]) && !empty($_POST["params"]))
        $params=explode(',',$_POST["params"]);
    else
        die('parameters does not define');
    //===================
    //where (decrypted; the Ajax call above sends "fields", not "where")
    if(isset($_POST["where"]) && !empty($_POST["where"]))
        $where=mc_decrypt($_POST["where"]);
    else
        die('where does not define');
    //===================

    $delete=$dbHandle->delet($table,$params,$where);

    if(!empty($delete))
    {
         echo "data deleted!";
    }
    else
    {
        echo "empty";
    }
}

I use AES encryption to encrypt action, TableName, FieldTable, Params and Where and send them to the server; on the server, based on the action, it executes an insert SQL, select SQL, delete SQL or update SQL.

**Question:** Is this a security risk?

Would someone be able to use this information to perform illegal operations on the DB?

Upvotes: 0

Views: 1735

Answers (2)

KIKO Software

Reputation: 16751

Only use inherently secure methods

There can be no good reason to put SQL command information, albeit encrypted, in Javascript. It just should not be there. NEVER.

The normal way to work with ajax, javascript and databases is quite straightforward:

  1. Send a command with ajax to a PHP file. This should be a simple command, like: 'Delete this address', or 'Insert this address'. The important thing to realise is that these commands are generated by a user, and therefore there's no reason to hide or encrypt them. You could use an SSL secured connection if you want to secure data transfers.

  2. The PHP file that processes the ajax call should do all the security checks: Is this user authorised to perform this action? Is the data valid? Only when all the checks are passed should the SQL command be built and executed.

I can see no reason to deviate from this way of working. Data sent to your PHP scripts should be thoroughly scrutinized, and at no point should user input be directly used to build SQL command strings. User input should only be used as values of fields in SQL, preferably by binding them, or to direct PHP program flow. Anything else is always a security risk.

Upvotes: 7
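What the approach in this answer looks like in practice, as an added example (not the answer's own code and not the asker's): the client posts only an action name and an id, while the table name, the SQL text and the authorisation check live on the server. It assumes a PDO connection (placeholder DSN and credentials) and a session that holds the logged-in user's id.

```php
<?php
// Assumed: a session set at login, and a PDO connection with placeholder credentials.
session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('not logged in');
}
$userId = (int) $_SESSION['user_id'];

$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
]);

// The only actions that exist. Nothing the client sends can name a table,
// a column or a WHERE clause; it can only pick one of these entries.
$handlers = [
    'delete_address' => function (PDO $pdo, int $userId, array $input): string {
        // Validate: id must be a positive integer, nothing else is accepted.
        $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return 'error: invalid id';
        }
        // Authorise and act in one fixed statement: the row must belong to this
        // user, and user input appears only as a bound value, never in SQL text.
        $stmt = $pdo->prepare('DELETE FROM addresses WHERE id = :id AND user_id = :uid');
        $stmt->execute([':id' => $id, ':uid' => $userId]);
        return $stmt->rowCount() === 1 ? 'data deleted!' : 'empty';
    },
    'insert_address' => function (PDO $pdo, int $userId, array $input): string {
        $street = trim((string) ($input['street'] ?? ''));
        if ($street === '' || mb_strlen($street) > 200) {
            return 'error: invalid street';
        }
        $stmt = $pdo->prepare('INSERT INTO addresses (user_id, street) VALUES (:uid, :street)');
        $stmt->execute([':uid' => $userId, ':street' => $street]);
        return 'data inserted!';
    },
];

// Dispatch strictly by whitelist; unknown actions never reach the database.
$action = $_POST['action'] ?? '';
if (!isset($handlers[$action])) {
    http_response_code(400);
    exit('unknown action');
}
echo $handlers[$action]($pdo, $userId, $_POST);
```

The matching jQuery call is just `$.post("ajax/operationAJAX.php", {action: "delete_address", id: 42}, ...)`; there is nothing in it worth encrypting, because the server decides what the action may do.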

ROunofF

Reputation: 730

Maybe (or probably, if you're paranoid) is the answer here. Taking a door as an analogy: you're basically putting the lock out for everyone to use and giving keys to your users. The users just don't know how to generate a new key that will do something else, and they don't know what's inside the one you give them.

Let me put some thoughts out:

  1. Will you keep updating this code? At some point in time AES will not be secure anymore and you will have to switch encryption.
  2. Given enough time and data somebody could (possibly?) find out your key. At that point he will be able to read and (re)generate anything he wants.
  3. It also boils down to your secret key, how is it protected?

Current cryptography is usually secure; a lot of problems arise from the "surrounding" mistakes/bugs/errors.

We can't really tell from the code you posted if your encryption is "good", not that I'd be willing to confirm it either :)

Upvotes: 4
