0

I have a simple component on a website that is performing a query of all the prod ids from a cluster of products on the page and storing them into an array in jquery. I then send that array to PHP via AJAX as a POST which will ultimately perform a db query on all the ids.

My question is, how can I protect the array coming from the AJAX/JS file into the PHP file in the POST, against user manipulation... meaning I can find the ids in the source code and change them to some random value or even something malicious.

Normally in a user input scenario, you could do a real escape string or similar functionality in the PHP to cover the incoming data. Since I'm sending over an array of numeric values, what would be the best to way to secure that POST request?

Thank you,

-S

Sergio
  • 792
  • 3
  • 10
  • 35
  • https://stackoverflow.com/questions/37912937/how-to-send-secure-ajax-requests-with-php-and-jquery – clearshot66 Jun 07 '17 at 19:12
  • If you consider the premise that anything that's in user machine can be tampered, there isn't much to be done, really. Malicious users can be nasty. – FirstOne Jun 07 '17 at 19:14
  • You can't prevent user manipulation, so you write your code to be resilient to it. If your data store is SQL, then you generally accomplish that with prepared statements and bound parameters. – Alex Howansky Jun 07 '17 at 19:14
  • Everything has to be validated... everything! Use `filter_input` to validate submit, use some extra-logic cases to validate the proper request credentials. – FieryCat Jun 07 '17 at 19:15
  • use SSL to stop man-in-the-middle attacks. But you can't stop the client from messing with the data, either on purpose, accidentally, or via some malicious 3rd party. All you can do is validate what arrives on the server to ensure it doesn't break your business logic or corrupt your data. – ADyson Jun 07 '17 at 19:15
  • I understand that client side pages/code are prone to manipulation if the user is so inclined to do so. I guess a more honed in question is, how should I handle that object once it reaches the PHP file? At the moment all i have in place is if POST isset && not empty do something otherwise do nothing. – Sergio Jun 07 '17 at 19:24
  • @ADyson that is exactly what I was trying to do. If I'm expecting the PHP file to receive "123, 456, 789" but instead receives "1a2b3c, 456, ?id=xyz" what does PHP have available to check the validity of the data in an array or object? – Sergio Jun 07 '17 at 19:34
  • do the have to be integers, or any numeric value? the is_numeric function will check for numbers generally. ctype_digit will test specifically for ints. you an google them easily – ADyson Jun 07 '17 at 20:11
  • @ADyson yes they will always be a numeric value. Thanks I will give those functions a look up and try. Thanks. – Sergio Jun 07 '17 at 20:18

1 Answers1

1

Let's assume, that you want to receive array of integer values from a client.

If you write on a raw PHP, then your code can look like this:

if (isset($_POST['ids']) && is_array($_POST['ids'])) {
    $ids = array_map('intval', $_POST['ids']);
    $ids = array_unique($ids); // Optional.
    print(implode(', ', $ids)); // Print values.
}

Sample of user input:

ids[]=1&ids[]=2&ids[]=3&ids[]=malicious_input&ids[]=1

Output:

1, 2, 3, 0

intval takes argument and returns it's integer representation. malicious_input becomes 0 and it's safe for using it in SQL queries.

Some related links:

  1. PHP Prepared Statements.
  2. I have an array of integers, how do I use each one in a mysql query (in php)?
berserkk
  • 987
  • 6
  • 11