1

I know this question must've been asked various times here but I have not found a solution from all links I could search for. I don't understand how to do this.

I have a form, with 2 textboxes and 1 submit button. The form name is 'form1'

here is what I was using till now:

<script type="text/javascript">

    $("#form1").submit(function() {

        $.ajax({
            type: 'GET',
            url: 'response.php',
            data: {1: $("#txt1").val(), 2: $("#txt2").val()},
            success: function (data) {
                $("#update").prepend(data);
            },
            error: function (xhr, ajaxOptions, thrownError) {
                alert(thrownError);
            }
        });

    });

        </script>

'update' is a table.

I am adding a new row to it after the data is parsed in response.php.

Now, the problem is, using AJAX for this is not at all secure. Users can use plugins such as 'Tamper Data' for firefox to mess with these and send any data they want regardless of what they entered. Thus, making me vulnerable to XSS and CSRF attacks.

So I tried a different approach, I set the form's action to response.php.

Now, there are 2 problems in doing that:

  1. The page refreshes.

  2. How can I make the table row prepend via PHP that too in another document? Earlier I was just echoing it and then AJAX prepended the data for me.

Improve this question
5
  • Your type should be "POST" Commented Jun 13, 2014 at 8:51
  • Im not sure, but wouldnt it be wiser to submit a form with POST ? And also, why wouldnt you filter the data as best as possible in `response.php ? Commented Jun 13, 2014 at 8:52
  • try either $("#form1").submit(function(e) {e.preventDefault(); [AJAX REQUEST]}) or $("#form1").submit(function() { [AJAX REQUEST] return false;}); Commented Jun 13, 2014 at 8:52
  • I think GET would be more viable because in the end, the response.php is echoing 3 lines, which the AJAX is then printing out. But nevertheless, I need the data to be secure, can this whole thing be done in PHP Commented Jun 13, 2014 at 8:59
  • You can send data using POST method and filter the data as best as possible in response.php file to be secured.e.g token or many step form submit Commented Jun 13, 2014 at 9:40

3 Answers 3

Reset to default
3

To make things clear: There is no other way than "refreshing" or AJAX.

You should stick to AJAX. To amend your security concerns, you can add a token to the form, which is only valid for this user (saved in his session on login). Therefore noone else can send data in his name and thus eliminiating the risk for XSS and CSRF.

You need to transmit that token in your AJAX request and check it in response.php.

Validation in response.php:

Escape everything which goes into your database. mysql_real_escape_string or PDO will help you with that.

When you output userdata somewhere in your page use htmlspecialchars().

You might also consider strip_tags() before saving or printing any values.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

'no one can send the data in his name'. But he can modify it himself lol
If a malicious user wants to modify his data sent to the server he can still just use this token he was provided from visiting the page. And he can still modify the data. A token would do nothing against an XSS attack.
The user himself can always send anything to the server, nothing can prevent this. Obviously you always need to do data validation in response.php, but that has nothing to do with the request method.
How do you suggest I can validate it?
You just copied my answer and got a correct answer for that. -.- Great
|
0

Since you're submitting a form request, you should be using POST instead.

Secondly, ajax post is no less secure than a regular post so you should not be worried.

Third, if you're worrying about someone sniffing your network. Have your website use HTTPs instead.

To prevent XSS attacks, you should be modifying your data before printing it to the end user using something like htmlentities.

To prevent sql injections, I would suggest using PDO or atleast escape your userinput before.

Improve this answer

Comments

0

Removing AJAX isn't the solution to solve XSRF and XSS vulnerabilities. Instead you should use form tokens, two step forms, etc to prevent this.

Using session tokens isn't very hard - you just have to generate a token for each form, save them on the server and compare the send token with them on the server. To be really secure, you should generate a token for each form, but you could also use a token for each session.

Btw. XSS isn't a problem of ajax or some form posts - it's a problem of not escaping malificious output. htmlentities and stuff like this, should help you.

Improve this answer

6 Comments

Hey. Thanks for the answer. I guess I was a bit confused. Anyway, I have tried tokens. But user can use Tamper Data to modify the other values and let the token remain the same :/
YOu must have heard 'Never trust the client'. I need some sort of validation. Any ideas?
validation of what? bot generated spam and sort of this?
No. The data entered in the text boxes. You can say, it's for something that NEEDS to be secure
Everytime you output your form, you create also an random tuple(randomName, token), and store this with an timestamp on your server(database, file, ..) if the form is send, you can simply check, if this tuple exists on your server and isn't too old. afterwards delete the tuple. If you want still improve the security, you can show an second form step(again with that random tuple) to confirm, everything is fine
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.