Can anybody hack my ajax request in jquery?
Many times I do some weird things while using jQuery ajax. I mean, I keep a hidden variable which contains an id, and then when somebody clicks a button, I run a JavaScript function which passes an ajax request along with the id that is contained in the hidden field. Is this normal? What if somebody uses Firebug or any such tool and changes the JavaScript function and passes some other ids? It will update and delete other records which may not belong to that user? How do you all handle this?
You need to secure this server-side, you can't protect it on the client-side, nor should you.
JavaScript is viewable, executable, dynamic, open...it's everything you would want when doing...well, whatever you want with it, which is a very bad thing for security. You need to check the passed id against what the user should have access to on the server when processing the request.
Anything, and I mean anything you do on the client is a deterrent, not a solution, and really there are no effective JavaScript deterrents I've ever seen. Even if you could secure it, I can just open Firebug, Fiddler, Wireshark, Chrome console or one of a dozen other tools to see what the request is ultimately sending anyway.
Never trust your users' input: validate the id on the server.
You should always be checking the input on the server side when the data is submitted. For example, if a user was editing their profile on the site, you would not put the profile ID in a hidden variable; you would derive the profile ID based on the user's cookie/session when the data was submitted. The key phrase is absolutely never trust the client.
You must do server-side validation to ensure that the current user is authorized to perform the action based on the current user and context. As you have noted, anyone with valid credentials could modify the values that are being passed back -- they need not even modify your code, they can simply craft a request containing any sort of values they want if they have the correct cookie information.
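To illustrate the point made in the answers above, here is an added example that is not from the question or any of the answers: a minimal server-side "delete record" handler in plain JavaScript (no framework), with the version that trusts the posted id next to the version that derives the user from the session and checks ownership. All function names (makeStore, currentUser, parseId, handleDeleteInsecure, handleDeleteSecure) and the sample records, sessions and cookies are constructed for illustration.

```javascript
// Added example (not from the question or any answer): a minimal server-side handler in
// plain JavaScript for the "delete record" endpoint; all names and data are constructed.

// Fresh in-memory store per call so the insecure and secure handlers can be compared.
function makeStore() {
  return {
    records: new Map([
      [101, { id: 101, ownerId: 'alice', title: 'alice note' }],
      [202, { id: 202, ownerId: 'bob', title: 'bob note' }],
    ]),
    sessions: new Map([
      ['sess-alice', { userId: 'alice' }],
      ['sess-bob', { userId: 'bob' }],
    ]),
  };
}

// Who is calling? Derived only from the session cookie, never from the request body.
function currentUser(store, cookie) {
  const session = store.sessions.get(cookie);
  return session ? session.userId : null;
}

// Form fields arrive as strings; accept only a positive integer id (input validation).
function parseId(raw) {
  return /^[1-9]\d*$/.test(String(raw)) ? Number(raw) : null;
}

// INSECURE: trusts the id the client posted. Any logged-in user can delete any
// record by editing the hidden field in the page or crafting the request by hand.
function handleDeleteInsecure(store, cookie, rawId) {
  if (!currentUser(store, cookie)) return { status: 401 };
  const id = parseId(rawId);
  if (id === null || !store.records.has(id)) return { status: 404 };
  store.records.delete(id);
  return { status: 200 };
}

// SECURE: the id is only a lookup key; ownership is checked on the server against
// the user derived from the session, so a forged id cannot reach another user's record.
function handleDeleteSecure(store, cookie, rawId) {
  const userId = currentUser(store, cookie);
  if (!userId) return { status: 401 };
  const id = parseId(rawId);
  const record = id === null ? undefined : store.records.get(id);
  // 404 rather than 403, so the response does not confirm that the record exists.
  if (!record || record.ownerId !== userId) return { status: 404 };
  store.records.delete(id);
  return { status: 200 };
}
```

The same ownership check applies to update endpoints; for the profile case from the answer above, the handler would not take an id at all and would use the session's userId directly.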