theflowersoftime

Reputation: 2615

Security of AJAX submitted forms?

I've been using jQuery's $.ajax/$.post to submit some form data. I'm considering using this method in my login form for an e-commerce site. My question is how secure is the data sent via AJAX post? To me it at least seems that someone could possibly see some details to help them do nasty things via the jQuery scripts themselves. Do I need to hide this stuff away or am I wrong and this method of sending data is as secure as its page-loading counterpart (keeping in mind both ways would be over a 256-bit secure connection)?

Upvotes: 1

Views: 523

Answers (4)

Warren Stevens

Reputation: 301

Regardless of where the data comes from, you have to sanitize it and then... still make sure it looks reasonable before you toss it into some query.

For IDs I use ctype_digit() and strlen() after they are filtered.

Upvotes: 0

regilero

Reputation: 30496

Whatever way of submitting form data, you'll have to check the security of the form on the server side, as ianaré stated. If you want a proof of concept, use 'Live HTTP Headers' on Firefox, capture your POST query and replay it; you can change every piece of posted data (and add new ones). On the server side you should apply 2 passes of security on the submitted data:

  • filtering
  • validation

Filtering will ensure data passed to validation could be reused (as already set values on your form elements or as sentences in error messages). So for integers a simple (int) cast will do the job, but for text things you'll have to filter XSS, HTML injection, JS injection, etc. It could be a good thing to reduce the text elements to a max size in this pass. Then validation will ensure posted form elements contain valid values (right date, an int in the right range, a valid select element, etc). And you can reuse the POSTed value, which is now filtered, to echo a nice message like '-15 is not a valid quantity'.

One nice piece of work for such form handling is done in Zend Framework's Zend_Form, nice reading with concepts you could reuse.

Upvotes: 0
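
The two server-side passes described in the answer above (filtering, then validation), as an added PHP example that is not part of any answer on this page. The field names, the limits (200 characters, quantity 1 to 100) and the helper function names are assumptions made for illustration.

```php
<?php
// Constructed sample input standing in for $_POST. A client can send anything,
// whether the request came from $.post or from a plain form submit.
$post = [
    'product_id' => '42',
    'quantity'   => '-15',
    'comment'    => str_repeat('<script>alert(1)</script>', 30),
    'extra'      => 'field the form never had',
];

// Pass 1: filtering. Keep only the expected fields and force each into a safe shape.
function filter_order(array $in): array
{
    $id      = isset($in['product_id']) && is_string($in['product_id']) ? trim($in['product_id']) : '';
    $qty     = isset($in['quantity']) && is_scalar($in['quantity']) ? (int) $in['quantity'] : 0;
    $comment = isset($in['comment']) && is_string($in['comment']) ? trim($in['comment']) : '';
    return [
        'product_id' => $id,
        'quantity'   => $qty,
        'comment'    => substr($comment, 0, 200), // cap text size (limit is an assumption)
    ];
}

// Pass 2: validation. Check that the filtered values are acceptable.
function validate_order(array $f): array
{
    $errors = [];
    if (!ctype_digit($f['product_id']) || strlen($f['product_id']) > 9) {
        $errors['product_id'] = 'Unknown product.';
    }
    if ($f['quantity'] < 1 || $f['quantity'] > 100) {
        $errors['quantity'] = $f['quantity'] . ' is not a valid quantity';
    }
    return $errors;
}

// Escape at output time so filtered text can be shown again in the form or in messages.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$filtered = filter_order($post);
$errors   = validate_order($filtered);
foreach ($errors as $field => $msg) {
    echo e($field) . ': ' . e($msg) . PHP_EOL;
}
echo 'comment: ' . e($filtered['comment']) . PHP_EOL;
```

The unexpected `extra` field never reaches validation, and the oversized comment is truncated and HTML-escaped before it is echoed back.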

ianaré

Reputation: 3298

There is no difference in submission, both ways are potentially insecure. It is up to the server side to catch any problems.

Upvotes: 1

Quentin

Reputation: 943571

It is no more or less secure than any other method of sending data from the browser to the server.

"someone could possibly see some details to help them do nasty things via the jQuery scripts themselves"

Given a regular form, someone could add whatever scripts they like to the page.

Just remember to build on things that work, you don't want a sale to fail because a piece of JS failed to load.

Upvotes: 1
