0

I'm using PHP and jQuery for my website. Sometimes I have to make an AJAX request with jQuery. For example, I have a products list and a button to delete a single product. That means I need the product ID to delete it with AJAX. So to get the product ID I'll store it in an HTML tag attribute. But I think adding data to an HTML tag attribute is not secure. What do you think, and is there a good method to do that?

4
  • Are you talking about using data attribute to store the product ID? e.g. <input type="button" value="Delete" data-productid="123">. Security would only apply to ensuring that the product ID that you pass to the ajax call is sanitised/validated. Commented Feb 19, 2013 at 9:38
  • Magento has a great way to deal with it. Don't push the ID in AJAX. Use some slug which can uniquely define your product in your application. Having a slug is a little more secure. Commented Feb 19, 2013 at 9:39
  • @BhavikShah it is not by any chance. Security is a matter of authorisation, if you don't put your resources behind a firewall it doesn't matter at all if you rely on querystring or on route slugs: e.g. Rails is agnostic to the form you pass parameters to any route. Commented Feb 19, 2013 at 9:44
  • @gunnx Yes, I agree with you, the better way is to validate received data on the server side. Commented Feb 19, 2013 at 9:47

2 Answers

1

There's no reason why you can't just use an html attribute tag such as id or data-id (or whichever data tag name you choose). The security comes in how you submit and handle the ajax request. Just make sure that you sanitize your sql queries or whatever commands to whatever sort of database you're using, and you should avoid any security problems.

Users won't be able to make a successful ajax call from their browser because the ajax call must come from your server in order to be successful. In other words, using an html tag attribute is not at all insecure, and is probably a great way of handling this problem.


0

There is no reason to worry. You can use the HTML id attribute. While sending an AJAX request it is already encrypted with your site URL. Also, how to manage your AJAX request.

I would suggest the use of jQuery AJAX;

that is the simplest way to do a clean AJAX call. And at the back end you can sanitize your variable. Example:

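// Read the submitted field; fall back to an empty string if it is missing.
$firstName = $_POST['fname'] ?? '';
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
$new_string = filter_var($firstName, FILTER_SANITIZE_STRING);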

Hope this will solve your issue.
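The server-side handling that the comments and answers point to (validate the ID, check authorisation, use a parameterized query), as an added example that is not code from the question or from either answer. The function name `deleteProduct`, the `products` table with its `owner_id` column, and the `product_id` POST field are assumptions, and the demo rows and requests are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Handle an AJAX "delete product" request. The ID comes from a data-*
 * attribute in the page, so the server treats it as untrusted input.
 * All names here are hypothetical.
 */
function deleteProduct(PDO $db, ?int $userId, array $post): array
{
    // 1. Authentication: the caller must be a logged-in user.
    if ($userId === null) {
        return ['status' => 401, 'error' => 'not logged in'];
    }

    // 2. Validation: accept only a positive integer ID.
    $id = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 400, 'error' => 'invalid product id'];
    }

    // 3. Authorisation + parameterized query: the owner check is part of
    //    the WHERE clause, so another user's row is never touched.
    $stmt = $db->prepare('DELETE FROM products WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $userId]);

    return $stmt->rowCount() === 1
        ? ['status' => 200, 'deleted' => $id]
        : ['status' => 404, 'error' => 'no such product for this user'];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT)');
$db->exec("INSERT INTO products VALUES (1, 10, 'lamp'), (2, 20, 'desk')");

// Requests as the server would see them in $_POST (constructed samples).
$cases = [
    'own product'       => [10,   ['product_id' => '1']],
    'ID changed in DOM' => [10,   ['product_id' => '2']],
    'non-integer value' => [10,   ['product_id' => '1 OR 1=1']],
    'not logged in'     => [null, ['product_id' => '2']],
];
foreach ($cases as $label => [$user, $post]) {
    echo $label, ': ', json_encode(deleteProduct($db, $user, $post)), PHP_EOL;
}
```

Only the first request deletes a row; the other three are rejected before or by the query, whatever value the attribute held in the browser.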
