Ajax Hacking Questions.

MrFish

How are people able to hack AJAX scripts with GET instead of POST? I used POST for my login/registration scripts, but should I also use it for getting admin CMS information? All the AJAX scripts can be seen if you view source, so how hackable is a GET connection? And how can they do it?

Edit: Or is there a way to hide the AJAX?


I'm not sure what you're asking, but any security measures need to go on the server, so that it doesn't matter how they access it. You should be checking on the server whether or not a particular user is allowed to perform a particular action.


How, exactly? I send data to a PHP script using AJAX, and connect on many pages to my MySQL database. Do I need to do anything special to make the server safe?


Not necessarily, other than the usual SQL injection protection and things like that. I'm talking about roles in the application: if you have things that only an admin can do, you shouldn't rely on only the admin getting the JavaScript that lets them do that; you should be checking on the server to make sure that the user who sent the request has admin rights for the application. It's no easier to hack a PHP script through AJAX than it is to hack it any other way.


Ah, ok. Since I only interact with the server via FileZilla, there's no problems with that sort of security. I won't be developing any sort of interface that runs from my site.


Ah, ok. Since I only interact with the server via FileZilla, there's no problems with that sort of security. I won't be developing any sort of interface that runs from my site.

Wait, what? >< Were you talking to me? I'm creating a website for a guy I know (not for pay or anything). I'm making him a CMS that uses AJAX to get all of the information. The admin CP can be accessed from any page as a div that becomes visible on top of the entire page. That means there is a lot of AJAX on every page that deals exclusively with admin affairs. I was asking if I could just use

ajaxRequest.open("GET", "page", true);

instead of POST and having to include all the setRequestHeaders. Will this be unsafe?
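The advice earlier in the thread (check roles on the server, plus the usual SQL injection protection) and the GET-versus-POST question in the post above come down to the same thing, so here is one added example covering both. It is not code from the thread; it is a hypothetical PHP endpoint, admin_api.php, for the CMS described. It assumes the existing login script stored the verified user in the session as $_SESSION['user_id'] and $_SESSION['role'] (both names are assumptions), and it uses constructed database credentials and a made-up pages table.

```php
<?php
// admin_api.php (hypothetical name): added example, not code from the thread.
// Assumes the login script already verified the password and set
// $_SESSION['user_id'] and $_SESSION['role'] (assumed names).
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

// Whether the page used GET or POST, and whether the JavaScript is readable
// in "view source", makes no difference here: anyone can send the same request
// by hand, so the decision rests on the server-side session, which the
// browser cannot edit.
function currentUserIsAdmin(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['role'])
        && $_SESSION['role'] === 'admin';
}

// Read a parameter the same way for both transports, so the check above is
// the only thing that differs between an admin and everyone else.
function param(string $name): string
{
    return (string)($_POST[$name] ?? $_GET[$name] ?? '');
}

if (!currentUserIsAdmin()) {
    http_response_code(403);
    echo json_encode(['error' => 'admin rights required']);
    exit;
}

// Constructed connection details for the example.
$pdo = new PDO('mysql:host=localhost;dbname=cms', 'cms_user', 'example-password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// Only the actions the CMS actually offers are accepted; anything else is rejected.
switch (param('action')) {
    case 'list_pages':
        $stmt = $pdo->query('SELECT id, title FROM pages ORDER BY id');
        echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
        break;

    case 'update_title':
        // Prepared statement: the title is bound as data, never spliced into SQL,
        // which is the "usual SQL injection protection" mentioned above.
        $stmt = $pdo->prepare('UPDATE pages SET title = :title WHERE id = :id');
        $stmt->execute([
            ':title' => param('title'),
            ':id'    => (int) param('id'),
        ]);
        echo json_encode(['updated' => $stmt->rowCount()]);
        break;

    default:
        http_response_code(400);
        echo json_encode(['error' => 'unknown action']);
}
```

With this in place the admin panel's JavaScript can call ajaxRequest.open("GET", "admin_api.php?action=list_pages", true) for reads and use POST for changes such as update_title; the choice between the two is about how the request is sent and cached, not about who is allowed to make it. The role check and the prepared statement are what stand between a non-admin visitor and the admin actions, and they work identically whichever transport the page uses.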

Ha, I'm not trying to usurp your topic, sorry; I just thought my question fit in the context of this one. JSG knows a lot about my site, since he's helped me with dozens of other queries.
