how to stop accessing javascript function from the location?

[sugan]

Hi, I am having a site and in that site a page contains AJAX code. A javascript function has a HTTP request to another page with some arguments in the url, the server page gets the values from the url and insert them to the database.Someone had looked at my code and then hacked that to enter wrong values into the database.he directly called the javascript function from the location bar itself.How should i prevent this??Regards,Suganya

[aspnetguy]

you could send the data through hidden fields in a form via POST.Without seeing the code it would be hard to guess how to improve it.

[iyeru42]

you could send the data through hidden fields in a form via POST.Without seeing the code it would be hard to guess how to improve it.

Yeah, but the users could be smart enough to view the source code.

[aspnetguy]

Yeah, but the users could be smart enough to view the source code.

I wouldn't matter if you checked the referrer before processing the data. If it did not come from the correct referrer then don't process it.

[Andrew K.]

Why not just sanitize the input from the server side before putting it in the database?

[aspnetguy]

Why not just sanitize the input from the server side before putting it in the database?

That is a given no matter what other measures you take, you should always validate data to make sure it is safe and what is expected before executing it or entering it in the database.

[Andrew K.]

That is a given no matter what other measures you take, you should always validate data to make sure it is safe and what is expected before executing it or entering it in the database.

I completely mis-understood what he wrote, I've been doing that quite alot lately...

[midnite]

i prefer checking the referrer. But can ajax retrieve the referrer? i bet not. So you should do the validation again in the server side. It add loads to your server, but it seems to be the only choice