
I have a table which reads all the data from a database in phpMyAdmin and displays it via PHP code. I can also update each cell in the table, for example by using the row of the table, which equals the ID in my database, and the column, which equals one of the fields (first name, last name, password). Everything works OK. So if the user clicks on one of the cells inside the table, the jQuery sends by AJAX the parameter ID and the column, one of the fields (first name, last name, password). What is my problem? My problem is how can I prevent a hacker or smart user who can see the jQuery code and will understand that he can change the value of any ID or password parameter, so that the AJAX can update the database with the wrong ID? Suppose I display to the user a table with 10 lines which have IDs from 11-20; the user can change the ID parameter to 500. It can happen.

$(document).ready(function () {
    var COLUME, VAL, ROW, STATUS, DATASTRING;

    // The td handler runs first; the click then bubbles up to the tr handler.
    $('td').click(function () {
        COLUME = $(this).attr('class');      // column name: firstname, lastname or password
    });

    $('tr').click(function () {
        ROW = $(this).attr('id');            // row id, equal to the ID in the database
        $('#display_Colume_Raw').html(COLUME + ROW);
        // swap the static text for an input box
        $('#span' + COLUME + ROW).hide();
        $('#input' + COLUME + ROW).show();
        STATUS = $('#input' + COLUME + ROW).val();   // value before editing
    });

    // a mouseup inside the editable cell must not close the editor
    $('.edittd').mouseup(function () {
        return false;
    });

    $(document).mouseup(function () {
        $('#span' + COLUME + ROW).show();
        $('#input' + COLUME + ROW).hide();
        VAL = $('#input' + COLUME + ROW).val();
        $('#span' + COLUME + ROW).text(VAL);         // .text(), not .html(): the value is user input
        if (STATUS != VAL) {
            $('#statuS').removeClass('statuSnoChange').addClass('statuSChange');
            $('#statuS').html('THERE IS CHANGE');
            DATASTRING = COLUME + ROW + ',' + VAL;   // e.g. "firstname12,Bob"
            $.ajax({
                type: 'POST',
                dataType: 'html',
                url: './public/php/ajax.php',
                // pass an object so jQuery URL-encodes the value ('&', '+', ',' and so on)
                data: { DATASTRING: DATASTRING },
                cache: false,
                success: function (data) {
                    $('#statuS').html(data);
                }
            });
        }
    });
});


yossi

2 Answers


There is no point showing front-end code as this is something you implement on the back end.

In the method that gets called via AJAX, simply check whether the user has permission to perform the requested action or not. You can either have a separate check at the top of the method and return if the user is not allowed, or you can build it into the delete query itself, e.g., by adding a WHERE clause making sure those IDs are ones that the user is allowed to delete.

D'Arcy Rittich

You cannot assign per-row permissions in MySQL so that row A can be viewed/edited by a user but row B cannot.

There is one workaround that's a bit of a pain if you absolutely have to have a solution, and that is that instead of using direct queries against a table (SELECT, INSERT, etc.), write stored procedures that do some sort of authentication and/or validation. The procedure can do any kind of complex validation you want (check user ids, check column values, etc.) and return only what that user is authorized to see and/or edit.

King Skippus