ykc

Reputation: 271

Javascript storing variable

I want to store some variables on the client side. Currently, I have a few options (JavaScript variable, cookie, session). Because I want to reduce the workload on the server, the incoming parameter will not be checked on the server side.

For example,

Client side

<div id="showmoney"></div>

<script>
var money=10000;

$('#showmoney').html(money);

function changemoney()
{
    // pass the variable 'money' by ajax to php...
}
</script>

PHP side

<?php

// Value taken directly from the request body, as posted by the client
$money = $_POST['money'];

$sql = "UPDATE user_details SET money = ".$money." WHERE uid = 123";
// do query...

?>

Is there any method to make it more secure? I am afraid someone can modify the JavaScript variable with tools (Firebug? If yes, how?)

thanks a lot~:)

Upvotes: 0

Views: 545

Answers (6)

Peter Olson

Reputation: 143037

People can do just about anything to the page they want.

In the Google Chrome debugger (accessed with Ctrl+Shift+J) they could do the following in the console:

money = 10000000000000; //Or whatever arbitrary value they choose
changemoney();

As other people have said, never trust anything that people pass into the server from the client. The server needs to do a sanity check.

Upvotes: 2

user605334

Reputation:

Do you know about client-side database storage, the brand new API in HTML5? Try to find a solution with it. It may be helpful for you to save some data on the client side.

Upvotes: 1

tpow

Reputation: 7894

Anything you store in the client (browser) can be manipulated. The fix for your issue is to verify that the information sent back to the server hasn't been tampered with.

Upvotes: 2

hvgotcodes

Reputation: 120318

You have to align your desire to store something on the client for performance with the need for security. Sensitive info should only be on the server. Any savvy web user can tweak the JavaScript. Save bandwidth by putting other, less sensitive info on the client.

Upvotes: 1

Pekka

Reputation: 449843

Is there any method to make it more secure? I am afraid someone can modify the JavaScript variable with tools (Firebug? If yes, how?)

You can never, ever trust incoming data from the client. It can always be manipulated. Essential checks, like prices, you need to do on the server side; a client-side check is merely for the user's convenience.

Also, the code you show has a SQL injection vulnerability that you should sort out.

Upvotes: 2
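The two points in the answer above (do the essential checks on the server, and remove the SQL injection from the question's UPDATE), shown as an added example that is not code from the thread. The `item_prices` table, the `spend()` function, the sample rows and the in-memory SQLite database are assumptions for illustration; only `user_details(uid, money)` and uid 123 come from the question.

```php
<?php
declare(strict_types=1);
// Added example. item_prices, spend() and the sample rows are assumptions;
// only user_details(uid, money) and uid 123 come from the question.

// In-memory SQLite stands in for the real database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_details (uid INTEGER PRIMARY KEY, money INTEGER NOT NULL)');
$pdo->exec('CREATE TABLE item_prices (item_id INTEGER PRIMARY KEY, price INTEGER NOT NULL)');
$pdo->exec('INSERT INTO user_details VALUES (123, 10000)');
$pdo->exec('INSERT INTO item_prices VALUES (1, 2500), (2, 9000)');

// The client only names the item. Price and balance are read on the server.
// Returns the new balance, or null when the request is rejected.
function spend(PDO $pdo, int $uid, $rawItemId): ?int
{
    $itemId = filter_var($rawItemId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($itemId === false) {
        return null; // not a plain positive integer
    }
    $stmt = $pdo->prepare('SELECT price FROM item_prices WHERE item_id = ?');
    $stmt->bindValue(1, $itemId, PDO::PARAM_INT);
    $stmt->execute();
    $price = $stmt->fetchColumn();
    if ($price === false) {
        return null; // unknown item
    }
    // One conditional UPDATE: the amount comes from the database, and the
    // balance check and the write happen in the same statement.
    $upd = $pdo->prepare('UPDATE user_details SET money = money - ? WHERE uid = ? AND money >= ?');
    $upd->bindValue(1, (int) $price, PDO::PARAM_INT);
    $upd->bindValue(2, $uid, PDO::PARAM_INT);
    $upd->bindValue(3, (int) $price, PDO::PARAM_INT);
    $upd->execute();
    if ($upd->rowCount() !== 1) {
        return null; // insufficient funds or unknown user
    }
    $bal = $pdo->prepare('SELECT money FROM user_details WHERE uid = ?');
    $bal->bindValue(1, $uid, PDO::PARAM_INT);
    $bal->execute();
    return (int) $bal->fetchColumn();
}

// Constructed requests; in a real handler $uid comes from the server-side session.
var_dump(spend($pdo, 123, '1'));        // valid item the balance can cover
var_dump(spend($pdo, 123, '2'));        // valid item, price exceeds the remaining balance
var_dump(spend($pdo, 123, '0 OR 1=1')); // non-integer input is rejected before any query
```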

Andrea

Reputation: 20503

Every variable that you do not want the user to change (such as a price tag) HAS to be stored on the server and not on the client. There are A LOT of ways to change what the client sends to you, and FireBug is just the simplest tool. More sophisticated tools will allow you to intercept and edit every HTTP request.

Upvotes: 2
