I've been receiving unexpected data from my web app. Can a hacker change values in a javascript function?
If my code is:
my_function('new_item',10,20,30,40);
is it possible that the 'new_item' parameter has been tampered with? What can I do to prevent this?
Yes, any user can change any JavaScript that you send to their browser - the word "hacker" is overstated, because even a moderately savvy user is fully capable of pulling apart using Firefox's Firebug, or Chrome/Safari's stock document inspector. This is the reason web developers repeat the axiom:
Never trust user input!
Under no circumstances should you trust anything the user sends. Don't insert anything into the database without escaping it, don't trust the login credential unless the session is verifiable. Anything you trust is a vulnerability, and every vulnerability will one day be exploited.
Don't try to protect your JavaScript, that's impossible. Instead, verify everything the user tries to do: if they request a page they aren't allowed to see, don't serve it to the client even if the JavaScript requests it.
There is NOTHING you can do to make sure all your client-side code is secure, there are some methods that you can do to help make it harder, but they don't really help at all as a more-advanced hacker could easily get passed.
For example if you used
<script></script>
Tags to link in your code via other documents. For example, you could, say have 4 scripts. scripts 1,2& 3 link to each other until they get to 4, where the main functions are. This is not going to prevent anything, it is just going to make it harder for beginner "hackers"/tamper-people. - But it's only mostly effective on chrome's javascript console. Firebug does not care about where the scripts are placed on the DOM. Therefore it just proves that instead of spending time trying to HIDE your javascript code or trying to fully protect it (which is impossible), you should spend time on validating things in the back end.
Just remember there's no way to fully prevent the hacker from tampering with your client side-code. It is never wise to trust anything on the client side. PHP can come in really handy for any back-end checks. Also make sure you prevent against SQL injection in PHP. But don't just think your safe because you used mysql_real_escape_string() ether. Read more about that here: SQL injection that gets around mysql_real_escape_string(), I personally recommend PDO for your db code.
Just think of your sever-side code (like PHP) as the main castle's moat. Now think of the client-side code as the wooden fence around that moat. Any soldier can knock that wooden fence down easily, but they'd have to dig into the moat to get to your keep -(they'd have to get passed PHP validation), if the moat was unguarded (no PHP-validation with the variables) then the soldier could dig away with-out no-one looking.
^ Now think of that as how your website is. Are the moat's vulnerable for digging? If so get some guards there (-make sure you've ensured php validation.)
You SHOULD NEVER EVER TRUST ANYTHING when it comes to client-side. There's NEVER a protection available for that wooden fence. Even javascript guards can't protect it.
[I've edited this answer a lot, because at first I was very unclear of what I actually meant.]
