
Security of ajax vs regular form data

Just wondering on the difference in security of

<input type="hidden" name="id" value="<?php echo $id; ?>">

vs.

jQuery(this).ajaxSubmit({
    data: { id: '<?php echo $id; ?>' }
});

when sending form data. Is one method more vulnerable to hacking than the other? What is the best way to securely send form data so outsiders can't tamper with or change the id number?

Marlboro Goodluck asked Dec 25 '22 23:12


1 Answer

There is no difference in the security. In both cases, an HTTP POST request is sent to the server and a response is received from the server. Aside from perhaps some headers in the request, the server doesn't even really know or care what the difference is between the two.

To illustrate, take a look at the Network requests in your browser debugging tools (Firebug or Chrome tools) when submitting a regular form POST and an AJAX POST. The two are very close to identical, save for the browser maybe adding another header or two for the AJAX one.

What is the best way to securely send form data so outsiders can't tamper with or change the id number?

There isn't. Any savvy user can manually craft an HTTP POST request to include any data they want. Browsers these days even have handy tools to help with this for development and debugging purposes. The general rule is for the server-side code to never implicitly trust requests sent from a client. Always validate that the user has access to do what they're trying to do, that the data isn't malicious or is otherwise properly sanitized before using it (particularly in database queries as a common example), and so on.

David answered Jan 04 '23 07:01
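The server-side check the answer describes, as an added example that is not part of the original question or answer. The `documents` table, its `owner_id` column and the `renameDocument` function are assumptions made for illustration; the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO documents VALUES (1, 10, 'Alice draft'), (2, 20, 'Bob draft')");

/**
 * Rename a document on behalf of the logged-in user.
 * $post stands in for $_POST. $sessionUserId comes from the server-side
 * session, never from the request body.
 * Returns the HTTP status code the endpoint would send.
 */
function renameDocument(PDO $db, array $post, ?int $sessionUserId): int
{
    if ($sessionUserId === null) {
        return 401; // not authenticated
    }

    // Validate shape: id must be a positive integer, title a short string.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $title = $post['title'] ?? null;
    if ($id === false || !is_string($title) || $title === '' || strlen($title) > 200) {
        return 400;
    }

    // Authorization lives in the WHERE clause: the row is only touched when
    // it belongs to the session user. Bound parameters keep the submitted
    // values out of the SQL text.
    $stmt = $db->prepare(
        'UPDATE documents SET title = :title WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':title' => $title, ':id' => $id, ':owner' => $sessionUserId]);

    // Zero rows means the id does not exist or belongs to someone else.
    // Answer 404 in both cases so responses do not reveal which ids exist.
    return $stmt->rowCount() === 1 ? 200 : 404;
}

// User 10 edits their own document, then submits a changed id, then a malformed one.
var_dump(renameDocument($db, ['id' => '1', 'title' => 'Renamed'], 10));
var_dump(renameDocument($db, ['id' => '2', 'title' => 'Hijacked'], 10));
var_dump(renameDocument($db, ['id' => '1 OR 1=1', 'title' => 'x'], 10));
```

The same function serves a regular form POST and an AJAX POST, since both arrive as the same request body.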