loliki

Reputation: 957

Add php variable to MySQL using AJAX but hide value in DOM

I'm building a simple To Do app that connects with Facebook.

I want people to be able to create a new To Do list and register it to the database (I use Ajax for that). I will place the code below and my question after that.

<a id="submit-list" href="#">
    <div class="list-adder">
        <input class="hidden" name="unique_url" id="uniqueUrl"   type="text" value="<?php echo generateRandomString(); ?>" />
        <input class="hidden" name="user_id" id="userId" type="text" value="<?php echo $_SESSION['FBID']; ?>" />
        <input class="hidden" name="user_name" id="userName" type="text" value="<?php echo $_SESSION['FULLNAME']; ?>" />
        <input type="text" placeholder="List Title" name="add_list" class="add_list" id="addList" />
        <span id="submit_list">Add List</span> <i class="icon-plus"></i>
    </div>
</a> 

So here I take the list's unique URL, the title, and the Facebook user ID and full name.

I send the details over to Ajax and from there to the database. Everything works perfectly. However, there might be a security issue. If I inspect this form I get the user id and name in the source code, as seen in this screenshot: http://image.prntscr.com/image/59dab8aca0694f89989ef1e0f59b9fc4.png And if I edit the user id or name, the edited data is sent to the database.

Is there any way I can make sure the real data of the user is sent to the database instead of the edited data?

Thank you.

Upvotes: 0

Views: 57

Answers (2)

Linesofcode

Reputation: 5891

The perfect solution is to use SESSION, but if you want to use it as input you can delete the fields after the page is initiated.

Not bulletproof though.

var USER_ID   = null;
var USER_NAME = null;

$(function()
{
   USER_ID   = $('#userId').val();
   USER_NAME = $('#userName').val();

   $('#userId').remove();
   $('#userName').remove();

   $.post('..', {'userId' : USER_ID }) ..
});

Upvotes: 0

Peter Bailey

Reputation: 105918

The only reason to put something into a form is because you need that data in the subsequent request that you can't get from somewhere else.

But you already have this data in the user's session - there's no point in printing it into the form in order to make it available to the next request - it's already available to the next request.

Remove the user_id and user_name fields from your form, and when constructing your query, instead of reading those values from the request, read them from the session.

Upvotes: 1
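
Reading the identity from the session on the server, as the answer above describes, shown as an added example that is not part of the original thread. The `lists` table, its column names, the `createList` helper and the use of `random_bytes` in place of the question's `generateRandomString()` are assumptions; in-memory SQLite stands in for MySQL so the demo runs offline.

```php
<?php
// Added example, not code from the original thread.
// Table/column names (lists, unique_url, user_id, user_name, title) are assumptions.

function createList(PDO $db, array $session, array $post): array
{
    // Identity comes only from the server-side session; missing means not logged in.
    if (empty($session['FBID']) || empty($session['FULLNAME'])) {
        return ['ok' => false, 'error' => 'not authenticated'];
    }

    // The list title is the only value accepted from the request.
    $title = trim((string)($post['add_list'] ?? ''));
    if ($title === '' || strlen($title) > 255) {
        return ['ok' => false, 'error' => 'invalid title'];
    }

    // Generated server-side too, so the client cannot choose it
    // (stand-in for the question's generateRandomString()).
    $uniqueUrl = bin2hex(random_bytes(8));

    // Any user_id / user_name / unique_url present in $post is never read.
    $stmt = $db->prepare(
        'INSERT INTO lists (unique_url, user_id, user_name, title) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$uniqueUrl, $session['FBID'], $session['FULLNAME'], $title]);

    return ['ok' => true, 'unique_url' => $uniqueUrl];
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lists (unique_url TEXT, user_id TEXT, user_name TEXT, title TEXT)');

$session  = ['FBID' => '1000001', 'FULLNAME' => 'Alice Example'];   // constructed session
$tampered = ['add_list' => 'Groceries',                              // constructed request with
             'user_id' => '9999999', 'user_name' => 'Someone Else']; // fields edited in the DOM

var_dump(createList($db, $session, $tampered)['ok']);
// The stored row carries the session's user_id and user_name, not the posted ones.
var_dump($db->query('SELECT user_id, user_name, title FROM lists')->fetch(PDO::FETCH_ASSOC));

// In the real Ajax endpoint the call would be (after session_start()):
//   echo json_encode(createList($pdo, $_SESSION, $_POST));
```

With this handler the `userId`, `userName` and `uniqueUrl` inputs can be dropped from the form, and the Ajax call only needs to send `add_list`.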
