0

I've looked at a lot of answers related to this question, as this question has been asked many times on stackoverflow. Most of the answers seem to involve sending the data through the ajaxvariable.send() portion of the ajax call. I'm thinking about using a different solution that I haven't seen posted (could be wrong, but I've looked at a lot of them). However, as it hasn't been posted or suggested somewhere else, I'm concerned I may be opening the door to security issues (or whatever else may be wrong with my method). Is there something wrong with sticking a JSON object inside of a URL variable, if the following hold true?

Assume the following:

(1) The amount of information being transferred in the object is not large.

(2) The variables put into the JSON object being passed are pulled from a database on the sending page and checked against the database on the receiving page (not checked directly in a query mind you, but rather against a range of possible values put inside of a PHP array) to confirm nothing has been altered before anything is done with the passed variable values.

Javascript, JSON (sending page):

...

var getplaninfo = {};
getplaninfo["initialfee"] = document.getElementById("initialfee").value;
getplaninfo["monthlyfee"] = document.getElementById("monthlyfee").value;
var planinfo = JSON.stringify(getplaninfo);
ajaxRequest.open("GET", "index.php?choice=" + planinfo, true);
ajaxRequest.send(null);

PHP (from within the include that is replacing the contents of a div on the sending page):

if (isset($_GET["choice"])) {

$returned = $_GET["choice"];
$decode = json_decode($returned,true);
$initialfee = $decode["initialfee"];
$monthlyfee = $decode["monthlyfee"];

}

The reason I ask is that I'm pretty new to AJAX. I'm pretty comfortable with security in PHP, but I'm not so much with AJAX yet. I appreciate your time.

Pete_1
  • 981
  • 3
  • 14
  • 23
  • Worth noting that `GET` requests are often cached by browsers - if the integrity of your data is dependent on the response being up-to-date then you need to address this. – Emissary Aug 05 '14 at 20:39
  • Sending data via `GET` is not a semantic use of the verb; URLs are stored in the browser history and server activity logs opening the possibility that the URL will be used again, or seen by someone unauthorised; and lastly, if `GET` is an appropriate method, why not just use querystring variables? –  Aug 05 '14 at 20:40
  • Thank you both for your comments. "initialfee" and "monthlyfee" are dynamically generated values (situation dependent PHP variables) and so will be updated upon each request. Hopefully that solves that issue. – Pete_1 Aug 05 '14 at 21:00

1 Answers1

1

What appears to be the difference between the examples that you've read about and your idea above, is that you would usually pass data to your server script through POST. Your idea runs a GET request and passes the data through there.

The different between GET and POST payload is that there is a limit to GET. Read more about that limitation here: What is the maximum length of a URL in different browsers?

Security issues with AJAX requests happens in the scripts that receive the data, when user input is not properly sanitized. E.g. SQL injection, XSS.

Community
  • 1
  • 1
Ronni Egeriis Persson
  • 2,209
  • 1
  • 21
  • 43