0

Since many web hosting websites (such as infinityfree and 000webhost) block HTTP DELETE requests I found a way how to send DELETE query to MySQL by adding a password to HTTP POST body which triggers PHP to send DELETE query to MySQL.

But is this safe since the password is visible in Front End and so visible to any site visitor? Can someone do harm to my database by using this password like making SQL injection?

In React JS:

async function sendDeleteRequest(i) {
const bodyWithPassword = {
  ...props.updatedProducts[i],
  password: "kfI2KiIMOibKn0X98ufe$#!G^z78FNbbvI!fng0p*vk",
};
await fetch(Links["products"], {
  method: "POST",
  body: JSON.stringify(bodyWithPassword),
  headers: {
    "Content-Type": "application/json",
  },
});
await props.refreshProductListContent();

}

In PHP:

//If HTTP body has password send DELETE query.
                if ($json["password"] = "kfI2KiIMOibKn0X98ufe$#!G^z78FNbbvI!fng0p*vk") {
                    $deleteProduct = new $json["productType"]($json);
                    $deleteProduct->deleteProduct($json);
                    return;
                }
                //If password isn't added in the body add product to database
                $newProduct = new $json["productType"]($json);
                $newProduct->addProduct($json, $newProduct);
Improve this question
17
  • 2
    Any DELETE query is definitely not safe at ALL lol. Commented Jul 29, 2022 at 8:36
  • Well it's true the password doesn't add any security because any user (or bot!) could take it and re-use it, and the password isn't unique per user. Whether you're vulnerable to SQL injection we don't know, because you didn't show us the code which runs the SQL. The solution to avoiding SQL injection is to use prepared statements and parameters. But that has absolutely nothing to do with whether you use HTTP DELETE or POST, or whether you use passwords or whatever else in your application. Commented Jul 29, 2022 at 8:36
  • SQL injection is a separate issue as well to, for instance, whether a user is authorised to make such a deletion request. It's the job of your PHP code to look at the incoming request and decide whether the user is both authenticated and authorised to perform the request as per your business logic. I don't know whether you have any such authentication in your application, but you didn't mention it so I guess maybe not. What exactly are you trying to prevent with this idea? If it's just SQL injection then I mentioned the solution already. What other "harm" are you thinking of? Commented Jul 29, 2022 at 8:39
  • My delete query in PHP is made as follows: public function deleteProduct($json) { $query = "DELETE FROM products WHERE sku = ?"; $sku = $json["sku"]; $database = new Database(); $database->deleteProduct($query, $sku); return; } public function deleteProduct($query, $sku) { $getConnection = new GetConnection; $conn = $getConnection->connect(); $stmt = $conn->prepare($query); $stmt->execute([$sku]); //Close connection $this->conn = null; return; } Commented Jul 29, 2022 at 8:47
  • 2
    "Since many web hosting websites (such as infinityfree and 000webhost) block HTTP DELETE requests I found a way how to send DELETE query to MySQL by adding a password to HTTP POST" - this entire sentence makes ABSOLUTELY no sense. first of all, one can always use POST method to call a delete procedure. But either way, having password stored on the client just makes no sense, whatever method is used. Commented Jul 29, 2022 at 8:48

1 Answer 1

Reset to default
1

The short answer is - This is not safe

Having a hard-coded password in ReactJS, which is a client-based Javascript code, means that it's accessible to anyone who visits and loads the Javascript file. Anyone can read it, use it and abuse it.

There is not enough code provided to see if there is a SQL injection vulnerability as such. You should review deleteProduct and addProduct functions and see if you have parameterized all the parameters passed to a SQL query.

In a scenario where your code was vulnerable to a SQL injection, anyone can grab the client-side encoded password and abuse the SQL injection vulnerability.

Regarding the request type, there is no actual difference between a POST and a DELETE request (technically speaking), apart from how your server side code processes it, which is what you write and decide. Obviously the development world has agreed to common sense on which each of the methods does here https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods, which you should oblige by when doing development.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.