
I can't seem to find an almost exact question so I might as well ask away.

Is it really a standard practice to send variables from Javascript to PHP? I'm planning to send array to PHP after some several assessment within Javascript - passing variables here and there...only to be combined again as an array, and as I've said, will be passed to PHP. Am I missing something? I hardly see any tutorials to do this, mostly the other way around - that is, PHP array to Javascript. Makes me think, maybe it just isn't being advised to do Javascript to PHP due to security reasons.

Simply put, will sending Javascript array to PHP that will later on be saved to database be dangerous? I haven't really FULLY read how to do it, just scanned the very few that I could find...json stringify, $_POST, json encode, json decode. If it is fine to do JS to PHP passing, and since it is related to my question anyway, can someone point me which of those mentioned is best for better security? Thanks!

Fred

  • Unless the communication is (properly) encrypted, you cannot trust the client, no matter in what language the communication happens. – John Dvorak Oct 20 '12 at 17:03
  • @Blender impersonating the client. I can't really see how JSON prevents that. – John Dvorak Oct 20 '12 at 17:05
  • @JanDvorak: AFAICT, nothing can prevent it. The data is being generated client-side and sent directly to the server. JSON is just a good container format. – Blender Oct 20 '12 at 17:07
  • @JanDvorak: Two ideas ran through my head at the same time and mangled what I tried to say. Disregard my comment. – Blender Oct 20 '12 at 17:09

1 Answer


Security isn't really an issue at this point: JavaScript runs on the client side, so anything that could go wrong here could be easily faked by an attacker. You can't trust the client anyway, as @Jan puts it in the comments above. Also, everything you do on the JavaScript end can be eavesdropped on and manipulated by the client - that's why you can't do a password check in JavaScript, for example. So the environment JavaScript operates in is fundamentally insecure anyway.

Security comes into play when the server accepts and uses the data. You need to have all necessary protections in place so the data can't harm your server - for example, remove any SQL injections by using escaping or prepared statements, deal properly with invalid input characters, etc.

Two exceptions to the rule come to mind:

  • If you are on an SSL (https://) connection, make sure your JavaScript sends the data that way too.

  • Sending the browser to a new location with sensitive GET parameters:

    http://www.domain.com/newpage?username=pekka&password=superman85069

    is less secure than POSTing a form, because the URL may be cached.

Pekka

  • I hope this is not your real password – John Dvorak Oct 20 '12 at 17:10
  • @Jan what? No, of course not. That would be *unprofessional*. Now excuse me while I need to urgently go visit gmail, Facebook and 54 other web sites – Pekka Oct 20 '12 at 17:12
  • @Pekka can you provide a link about the `GET` or `POST` (as you suggested in the answer) method and the security risk b/w them? – StaticVariable Oct 20 '12 at 17:17
  • @jhonraymos [Is either GET or POST more secure than the other?](http://stackoverflow.com/q/198462) in the answer, that applies *only* to actually sending the browser to a new address though (`location.href=....`). When using Ajax, there is no difference between GET and POST security wise – Pekka Oct 20 '12 at 17:18
  • @Pekka in the case of Ajax is there any difference b/w them? Because no URL is shown? – StaticVariable Oct 20 '12 at 17:20
  • @jhonraymos no, no difference security wise. There is a design difference though that is good to follow: [GET vs POST in Ajax](http://stackoverflow.com/q/715335) – Pekka Oct 20 '12 at 17:23
  • Thanks a lot. But how about JSON - would it be any safer? Or just as Blender said, it is just a good container format? – Fred Oct 22 '12 at 04:43
  • @Fred nope, JSON would not be any safer. – Pekka Oct 22 '12 at 07:13
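The answer's point is that the JavaScript side is irrelevant to security and all the work happens where PHP accepts the data. The following is an added example (not code from the question or the answer) of what that server side looks like: a PHP endpoint that receives the JSON array the browser POSTs (`fetch()` or `XMLHttpRequest` with `JSON.stringify`), validates it strictly, and stores it with PDO prepared statements. The payload shape `{"tags": [...]}`, the `user_tags` table, the user id 42, the size limits and the allowed-character pattern are all assumptions chosen for the example; the CLI demo at the bottom uses an in-memory SQLite database and constructed request bodies so it runs offline.

```php
<?php
// Added example, not from the original post: PHP side of "JavaScript array -> PHP -> database".
// Everything about the payload (shape, limits, allowed characters) is an assumption for this demo.
declare(strict_types=1);

/**
 * Decode and validate the client body. The client is untrusted, so the server, not the
 * JavaScript, decides what is acceptable. Expected (assumed) shape: {"tags": ["alpha", "beta"]}
 */
function parseTagsPayload(string $rawBody, int $maxItems = 50, int $maxLen = 64): array
{
    if (strlen($rawBody) > 64 * 1024) {
        throw new InvalidArgumentException('payload too large');
    }
    try {
        // JSON_THROW_ON_ERROR also rejects invalid UTF-8 and over-deep nesting (depth limit 8).
        $data = json_decode($rawBody, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        throw new InvalidArgumentException('malformed JSON');
    }
    if (!is_array($data) || !isset($data['tags']) || !is_array($data['tags'])) {
        throw new InvalidArgumentException('expected {"tags": [...]}');
    }
    $tags = $data['tags'];
    if ($tags !== array_values($tags)) {
        throw new InvalidArgumentException('tags must be a JSON list, not an object');
    }
    if (count($tags) === 0 || count($tags) > $maxItems) {
        throw new InvalidArgumentException("tags must contain 1..$maxItems items");
    }
    foreach ($tags as $tag) {
        // json_decode can yield ints, nulls or nested arrays; only strings are accepted.
        if (!is_string($tag) || $tag === '' || strlen($tag) > $maxLen) {
            throw new InvalidArgumentException("each tag must be a string of 1..$maxLen bytes");
        }
        // Allow-list (assumed): letters, digits, space, apostrophe, dot, underscore, hyphen.
        if (preg_match('/^[\p{L}\p{N} \'._-]+$/u', $tag) !== 1) {
            throw new InvalidArgumentException('tag contains disallowed characters');
        }
    }
    return $tags;
}

/** Store the validated tags. Values are bound, never concatenated into SQL. */
function storeTags(PDO $pdo, int $userId, array $tags): int
{
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare('INSERT INTO user_tags (user_id, tag) VALUES (:user_id, :tag)');
        foreach ($tags as $tag) {
            $stmt->execute([':user_id' => $userId, ':tag' => $tag]);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return count($tags);
}

/** Web entry point (assumed to be called with the already-authenticated user's id). */
function handleRequest(PDO $pdo, int $userId): array
{
    // Sensitive data must not travel in the URL; require a POST body.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return ['error' => 'POST required'];
    }
    // With Content-Type: application/json PHP does not fill $_POST; the body is on php://input.
    $raw = (string) file_get_contents('php://input');
    try {
        return ['stored' => storeTags($pdo, $userId, parseTagsPayload($raw))];
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return ['error' => $e->getMessage()];
    }
}

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user_tags (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, tag TEXT NOT NULL)');
    return $pdo;
}

if (PHP_SAPI === 'cli') {
    $pdo = openDemoDb();
    // Constructed sample bodies, as a browser would send them via fetch() + JSON.stringify().
    $bodies = [
        '{"tags": ["php", "o\'brien", "json"]}',                 // valid; the quote is stored literally
        '{"tags": ["x\'); DROP TABLE user_tags; --"]}',          // rejected by the allow-list
        '{"tags": {"0": "a", "1": "b"}}',                        // object, not a list
        '{"tags": ["ok", 42, null]}',                            // non-string items
    ];
    foreach ($bodies as $body) {
        try {
            echo 'stored ', storeTags($pdo, 42, parseTagsPayload($body)), " tag(s)\n";
        } catch (InvalidArgumentException $e) {
            echo 'rejected: ', $e->getMessage(), "\n";
        }
    }
    echo 'rows in user_tags: ', $pdo->query('SELECT COUNT(*) FROM user_tags')->fetchColumn(), "\n";
}
```

Run it with `php example.php` (PHP 7.3 or later with the pdo_sqlite extension): the first body is stored, including the apostrophe in `o'brien`, and the other three are rejected before any SQL runs. Two layers are deliberate. The allow-list is what keeps the database contents sane, and the prepared statement is what makes an apostrophe, or a full injection string that slips past a later loosening of the allow-list, harmless. Note also the `$_POST` caveat: it is populated for form-encoded bodies, not for a JSON body, which is why the handler reads `php://input`; which container the JavaScript uses makes no security difference, as the comments above say.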