load() function security issues

I'm using load() jquery function on my site, passing variable such as user, id, name ...

$('#DIV').load(page.php?id=' + id + '&user=' + user);

Us开发者_如何学编程ing this on the page.php which is loaded..

  if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) 
    && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') 
       { ...whatever...} else { ...the_other... }

Seems to be ok, my problem is that if you inspect the page with firebug... and modify the variables in the jquery load function, you can act on other users behalf.

Can I stop this for happening?

You need to check that the user is logged in on the server side.

Example: Login.php

session_start();
$_SESSION['user'] = 'User ID goes here';

Wherever you need to check if the user is who he says he is

secure(ish).php

session_start();
if($_SESSION['user'] == 'User ID goes here')
{
    //code
}

See the PHP documentation for more information regarding sessions

You shouldn't be able to preform an action for another user simply by modifying the information sent to the server. What you will need to do is somehow authenticate the use with each request. Possibly have a token or a cookie that needs to be sent to the server with each request?

What defines a user? How are you authenticating these users? Are you using cookies or sessions? Somewhere in your code you need to make sure that the requested information is allowed to be accessed by the authenticated user. Depending on how you authenticate your users, your code might end up something like this:

if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) 
    && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') 
       { ...whatever...} else { ...the_other... }

Or better yet, why bother actually sending which use it is to the server? Instead of using the GET variables, why not go for the following approach:

if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) 
    && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') 
       { //instead of getting user info with $_GET, get it with $_COOKIE or $_SESSION }

You're going to need to do some form of check server-side (maybe use cookies, session variables, or both). Something so that when the server sees the request it can say "that user id matches", or "no it doesn't".

And once you accomplish that, the user argument will be moot, so you don't have to worry about spoofing as you'll already be able to confirm it's them before-hand.