sugan

how to stop accessing javascript function from the location?


Hi, I have a site, and on that site a page contains AJAX code. A JavaScript function makes an HTTP request to another page with some arguments in the URL; the server page gets the values from the URL and inserts them into the database. Someone looked at my code and then hacked it to enter wrong values into the database. He directly called the JavaScript function from the location bar itself. How should I prevent this?

Regards,
Suganya


You could send the data through hidden fields in a form via POST. Without seeing the code it would be hard to guess how to improve it.

Yeah, but the users could be smart enough to view the source code.

It wouldn't matter if you checked the referrer before processing the data. If it did not come from the correct referrer, then don't process it.

Why not just sanitize the input from the server side before putting it in the database?
That is a given no matter what other measures you take, you should always validate data to make sure it is safe and what is expected before executing it or entering it in the database.

:) I completely misunderstood what he wrote; I've been doing that quite a lot lately...


I prefer checking the referrer. But can AJAX retrieve the referrer? I bet not. So you should do the validation again on the server side. It adds load to your server, but it seems to be the only choice :)

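The two server-side measures raised in this thread, the referrer check and validating every argument on the server before it is written to the database, as an added Node.js example that is not the original poster's code or any reply's code. The endpoint, the parameter names (itemId, rating, comment), the allowed values and the site origin https://example.com are assumptions made for illustration; an in-memory array stands in for the database and the request objects at the bottom are constructed sample input.

```javascript
// Added example, not the thread's code. Endpoint, parameter names, allowed
// values and site origin are assumptions for illustration.
const ALLOWED_ORIGIN = "https://example.com"; // assumed origin of the page that hosts the AJAX code
const MAX_COMMENT_LEN = 200;

// Validate the parameters the AJAX call is expected to send. Returns null when
// everything is acceptable, otherwise a string naming the first problem.
function validateParams(params) {
  if (typeof params !== "object" || params === null) return "no parameters";
  // itemId: positive integer, at most 10 digits
  const id = String(params.itemId ?? "");
  if (!/^[1-9][0-9]{0,9}$/.test(id)) return "itemId must be a positive integer";
  // rating: one of a fixed set of values
  if (!["1", "2", "3", "4", "5"].includes(String(params.rating))) return "rating out of range";
  // comment: optional, bounded length, no control characters
  const comment = params.comment ?? "";
  if (typeof comment !== "string") return "comment must be a string";
  if (comment.length > MAX_COMMENT_LEN) return "comment too long";
  if (/[\x00-\x1f\x7f]/.test(comment)) return "comment contains control characters";
  return null;
}

// The referrer check suggested in the thread: accept only a Referer whose
// origin is our own site. A missing or unparsable Referer fails the check.
function refererOk(headers) {
  const ref = headers.referer || headers.Referer;
  if (!ref) return false;
  try {
    return new URL(ref).origin === ALLOWED_ORIGIN;
  } catch {
    return false;
  }
}

// Handler for the endpoint the JavaScript function calls. `req` is a plain
// object {method, headers, body}; the result is {status, body}. Accepted rows
// are appended to `db`, an array standing in for the real database.
function handleSubmit(req, db) {
  if (req.method !== "POST") return { status: 405, body: "method not allowed" };
  if (!refererOk(req.headers)) return { status: 403, body: "bad referer" };
  const problem = validateParams(req.body);
  if (problem) return { status: 400, body: problem };
  // Only validated, typed values reach the database layer. A real insert
  // would bind these as parameters of a prepared statement.
  db.push({
    itemId: Number(req.body.itemId),
    rating: Number(req.body.rating),
    comment: String(req.body.comment ?? ""),
  });
  return { status: 200, body: "ok" };
}

// Constructed sample requests: a direct GET typed into the location bar, a POST
// from another site, a POST with an out-of-range value, and a legitimate POST.
function demo() {
  const db = [];
  const good = { referer: "https://example.com/rate.html" };
  const results = [
    handleSubmit({ method: "GET", headers: {}, body: { itemId: "12", rating: "5" } }, db),
    handleSubmit({ method: "POST", headers: { referer: "https://evil.example/" }, body: { itemId: "12", rating: "5" } }, db),
    handleSubmit({ method: "POST", headers: good, body: { itemId: "12", rating: "9" } }, db),
    handleSubmit({ method: "POST", headers: good, body: { itemId: "12", rating: "4", comment: "fine" } }, db),
  ];
  return { statuses: results.map((r) => r.status), rows: db };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The Referer header is set by the browser and is absent or altered by some clients and proxies, so the handler treats it as one check alongside the method restriction rather than the only gate; the validation step is what decides what reaches the database, and the values it passes on should be bound as parameters of a prepared statement rather than concatenated into SQL.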
