Security risks of AJAX from validation?
I want to validate a form without having to reload the entire page. I am using JavaScript 开发者_Python百科at the moment, however this is massively insecure. To get round this, I want to use AJAX and a PHP script to validate the form. Does anyone know of any security risks this might have?
I also assume the AJAX method is far safer than vanilla JS, but I could be wrong?
They are exactly the same as the risks of validating with pure client side JavaScript. The only difference is that you are asking the server for some data as part of the process.
The user can override the JavaScript to submit the form no matter what the validation outcome is.
The only reason to use JavaScript at all when checking data for submission is to save the user time. If as part of that you want to do something such as asking the server if a username is taken while the user fills out the rest of the form, then great — that is quite a nice use of Ajax. Otherwise, using Ajax is pretty worthless.
If you want to do client side checking, then put all the logic you can for it on the client and avoid making HTTP requests. If you have things that can only be checked server side (because they are based on data, like the example with usernames that are already taken) then consider using Ajax for that. The client side check is the convenience check. Always do the security check server side and on the final submitted data.
Note that validating data that is actually submitted using Ajax is a different matter — since that is the final submitted data. It is doing Ajax validation as a precursor to the final submission that doesn't add any trust to the data.
All AJAX does is offload part of the process to the server, 'hidden' from the client (in the sense the functional handling of your data/variables is hidden). That said, you should be wary of the information being sent to the server, which can be captured or worse, duped. The difference with pure JS is that your functional handling is there for all to see, and potentially exploit.
Validation shouldnt need to be done server side unless you are validating DB content (i.e. uniqueness of a username etc). If you are simply validating whether something is an email, you can do this in JS, eg with a RegEx.
If you are validating DB data, make sure all DB queries variables which originate from sent (POST/GET) variables are escaped using mysql_real_escape_string
to prevent SQL injection
You can validate data in AJAX as well as you can do it in pure JavaScript, but you have to re-validate it in your script after it receives the data. Every client-side validation method can be avoided by sending POST request to your form target.
The main thing to bear in mind here is that when using AJAX you are essentially providing an interface to your database. For example, if you are checking for duplicate usernames (which you CANNOT do in javascript) or duplicate emails, so as to provide a message such as "this username is already in use ... please try another", you are providing an interface for a potential hacker to immediately check which usernames and/or emails are available. The security considerations are NOT the same as for javascript. My advice to you on this topic is (1) Use parameterised queries to access database as someone has already suggested. (2) Implement a delay on the ajax .php page - the length depends on the scenario - I go for about 1 second (3) Execute ajax on blur, or on loosing focus, not on every keypress, (4) Implement a check in your ajax handler that ensures the request comes from the expected page (ie: not some random script a hacker wrote). (5) ONLY make the AJAX call when some other basic validation of the form element has taken place [ie: the basic javascript validation]
I hope this helps. Form validation using ajax is absolutely nothing like being even remotely similar to javascript validation. It is an interface into your database, and you need to be carefull with it.
It helps to imagine how you would hack into your own site - knowing which email addresses are registered with your site is a great place to start. So I could write a script to generate random email addresses using common words and/or names and hammer your ajax handler to obtain a list of registered email addresses to your site. I could do this quickly IF you didn't follow the advice (1)-(5) I stated above. Once I have the emails, I just google them ... chances are that gives me a name. I can guess the username from there. So now I have username and emails. Passwords would take too long to explain, but if I can get the usernames or emails that easily ... it marks you out as a target and you will get more attention that you really want.
Im working on a registration validation system at the moment - Id be happy to share it with you if you'd like. Probably I'm missing something important !
Peace out.
精彩评论