
First of all sorry if the name of the topic isn't the most correct.

Imagine the following code which connects to a PHP file by AJAX.

function get_locales(){
    var the_locale = $('#page-add-text').val();
    // Encode the value so characters such as & or # cannot alter the query string.
    var url = "classes/load_info.php?type=locale&value=" + encodeURIComponent(the_locale);
    var $list = $("#page-add-listview");

    $.getJSON(url, function(data){
        $list.empty();
        $.each(data, function(index, item){
            // Build each <li> with the DOM API rather than string concatenation, so a
            // value containing quotes or tags cannot break out of the data-name attribute.
            $list.append($("<li>").attr("data-name", item.value));
        });
        $list.trigger("change");
        $list.listview("refresh");
    });
}

If people download the page, they will see classes/load_info.php?type=locale&value= + the_locale. From this they automatically assume that the URL is: www.stackoverflow.com/classes/load_info.php?type=locale&value=TESTING

So they can view/retrieve what the function prints, and they might also try to find some bugs. I'm asking for help with the best ways (if there are any) to avoid this.

Thank you.

4 Comments

  • You can't avoid it. No matter what you do, if you perform the AJAX request using the browser and JavaScript, the client will be able to see it. Commented Dec 5, 2013 at 18:38
  • Keeping something secret never compensates for keeping something secure. This is why modern encryption algorithms are open source. Consider all users evil and take countermeasures. Commented Dec 5, 2013 at 18:43
  • If they are smart enough to read that URL and visit it after saving the web page, then they are smart enough to do the same without saving the web page. This is a truly fruitless endeavor. Commented Dec 5, 2013 at 18:46
  • Imagine this: www.stackoverflow.com/classes/load_info.php?type=locale&value=TESTING -- all people see is an echo retrieving this content, nothing special since it's shown in the listview. Something like: [{"locale":"br","month":"april"}]. People could use this in their own applications, for their own benefit, etc., but they won't see anything special. Commented Dec 6, 2013 at 11:46

3 Answers

4

No matter how much you obfuscate your code, the Network panel of Developer Tools will always show the exact request clear as day.

Why not try just fixing bugs and not leaving security holes in your code?


4 Comments

Well said. To provide some context: When using chrome, the OP can press ctrl+shift+i to see what you mean. For firefox he can use the addon firebug.
@ZsoltSzilagy Or you could just press F12 in IE, Chrome or Firefox. Possibly others by now.
I do use the Chrome tools. But my question to you guys is the same as the one to @MattDiamant: "But what do you suggest? Not to use AJAX? Or you don't see any problem using it?"
My answer to that is to not care. All data sent to the server is validated before anything is done with it, so it really doesn't matter if someone tries to send stuff they're not supposed to.
0

The person will only be able to see client-side code and not the code that is executed on your server (PHP, etc.). There is no way to hide what the server sends to the browser.

Comments

0

Security of your application should never rest on the client-side, for reasons just like this one. If you are passing anything to the client that they shouldn't see, then the way you fix that is to just not pass sensitive data to the client. The data that you pass to the client is data that you want them to see. Errors and bugs happen, but the fact that they are taking the time to inspect your AJAX returns probably means that they won't mind much.

1 Comment

But what do you suggest? Not to use AJAX? Or you don't see any problem using it?
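The server-side validation the answers keep pointing to, written out as an added example of what load_info.php can look like when the endpoint is treated as public. This is not the original poster's file (the page shows no server code). It assumes a PDO connection in $pdo created by a hypothetical db.php, a locales table with locale and month columns matching the sample JSON in the question's comments, and a locale format of two lowercase letters with an optional region suffix; all three are assumptions.

```php
<?php
// classes/load_info.php -- added example, not the original poster's code.
// Assumptions: $pdo is a PDO connection (hypothetical db.php), and table
// `locales` has columns `locale` and `month`.
declare(strict_types=1);

require __DIR__ . '/db.php'; // hypothetical: provides $pdo

header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// Allowlist of request types this endpoint serves. Anything else is rejected
// before it reaches a query, no matter who sent it or how they found the URL.
const ALLOWED_TYPES = ['locale'];

// Reject the request with a JSON error body and stop.
function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(['error' => $message]);
    exit;
}

// Locale tag format is an assumption: "br", "en-US", etc.
function is_valid_locale(string $value): bool
{
    return (bool) preg_match('/^[a-z]{2}(-[A-Z]{2})?$/', $value);
}

$type  = $_GET['type']  ?? '';
$value = $_GET['value'] ?? '';

// value[]=x would arrive as an array; only plain strings are acceptable.
if (!is_string($type) || !is_string($value)) {
    fail(400, 'bad request');
}
if (!in_array($type, ALLOWED_TYPES, true)) {
    fail(400, 'unknown type');
}
if ($type === 'locale' && !is_valid_locale($value)) {
    fail(400, 'invalid locale');
}

// If this data were not meant for every visitor, the authorization check
// would go here, on the server, not in the JavaScript that calls the URL.

// Parameterised query: the value is bound, never concatenated into SQL.
$stmt = $pdo->prepare('SELECT locale, month FROM locales WHERE locale = :locale');
$stmt->execute([':locale' => $value]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Same shape as the output the question describes: [{"locale":"br","month":"april"}].
// The JSON_HEX_* flags keep the body harmless even if a browser rendered it as HTML.
echo json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
```

Nothing here depends on the URL being unknown: someone who types classes/load_info.php?type=locale&value=TESTING into the address bar gets exactly what the page's own script would get, and a malformed or unexpected parameter gets a 400 instead of reaching the database.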
